Cyberattacks against hospitals aren’t just a possibility—they’re a certainty. That’s the blunt assessment from Mike Hamilton, field chief information security officer at Lumifi Cyber, who believes health systems may be concentrating their cybersecurity efforts in the wrong areas.
Speaking at Newsweek’s virtual panel Crisis Management: A Crash Course for Health Care Leaders on February 13, Hamilton made it clear that prevention is no longer the priority. Instead, hospitals should shift their focus toward detection and recovery.
Hospitals Are Fighting an Unwinnable Battle
“The first thing we need to acknowledge is that it’s going to happen,” Hamilton said during the panel. “You’re secure, until your ticket is punched.”
It’s not a matter of if a hospital will face a cyberattack, but when. Attackers have more resources, more sophisticated methods, and fewer restrictions than hospital IT teams. This imbalance makes it nearly impossible for health systems to prevent every breach.
Rather than sinking more money into stopping the inevitable, Hamilton argues that hospitals should strengthen their ability to detect breaches early and recover quickly. Without these capabilities, a single attack can spiral into a full-blown crisis.
Three Common Entry Points for Hackers
Hamilton identified three primary ways cybercriminals gain initial access to hospital networks:
- Social engineering: Attackers use deception—sometimes even deepfake technology—to impersonate trusted individuals and trick employees into handing over sensitive information.
- Credential abuse: Hackers test massive databases of stolen passwords, hoping to find one that works.
- Vulnerability exploitation: Attackers scan for weak points in firewalls and other security measures, slipping in before hospitals can patch them.
Each of these tactics is difficult to block entirely. That’s why Hamilton insists hospitals need a more proactive approach to incident response rather than simply trying to stop breaches from occurring in the first place.
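The article argues for detection over prevention, and credential abuse is the entry point that leaves the cleanest trail in ordinary authentication logs. As an added illustration (not code from the panel, Lumifi Cyber or Newsweek), the script below scans a constructed, simplified log format and reports any source that fails logins against many different accounts inside a short window, and whether that same source then succeeded. The log format, the IP addresses and the user names are all assumptions made for this example.

```python
"""Detect password-spraying / credential-stuffing patterns in authentication logs.

Added illustration of detecting the "credential abuse" entry point named above;
this is not code from the panel, Lumifi Cyber or Newsweek. The log format is a
constructed, simplified one: "<ISO timestamp> src=<ip> user=<name> result=<ok|fail>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (documentation IP ranges, fictional users).
SAMPLE_LOG = """\
2025-02-13T08:00:01 src=203.0.113.7 user=alice result=fail
2025-02-13T08:00:02 src=203.0.113.7 user=bob result=fail
2025-02-13T08:00:03 src=203.0.113.7 user=carol result=fail
2025-02-13T08:00:04 src=203.0.113.7 user=dave result=fail
2025-02-13T08:00:05 src=203.0.113.7 user=erin result=fail
2025-02-13T08:00:06 src=203.0.113.7 user=frank result=ok
2025-02-13T08:01:00 src=198.51.100.20 user=alice result=fail
2025-02-13T08:01:30 src=198.51.100.20 user=alice result=fail
2025-02-13T08:02:00 src=198.51.100.20 user=alice result=ok
"""


def parse_line(line):
    """Turn one log line into a dict with a datetime, source, user and outcome."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {
        "ts": datetime.fromisoformat(ts_str),
        "src": fields["src"],
        "user": fields["user"],
        "ok": fields["result"] == "ok",
    }


def detect_spraying(log_text, window=timedelta(minutes=5), min_distinct_users=5):
    """Return one finding per source that failed against many *different*
    accounts inside `window`. A single account being hammered is a different
    (brute-force) pattern and is deliberately not reported here.
    """
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if not e["ok"]]
        best = None
        start = 0
        # Slide a time window over the failures from this source.
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in failures[start:end + 1]}
            if len(users) >= min_distinct_users and (
                best is None or len(users) > len(best["users"])
            ):
                best = {"users": users,
                        "first": failures[start]["ts"],
                        "last": failures[end]["ts"]}
        if best is not None:
            # A success from the same source after the spray is the part
            # incident responders most need to know about.
            success_after = any(e["ok"] and e["ts"] >= best["first"] for e in evs)
            findings.append({
                "src": src,
                "distinct_users": len(best["users"]),
                "first": best["first"].isoformat(),
                "last": best["last"].isoformat(),
                "success_after": success_after,
            })
    return findings


if __name__ == "__main__":
    for finding in detect_spraying(SAMPLE_LOG):
        print(finding)
```

On the sample data the first source is flagged (five distinct accounts in a few seconds, followed by a success), while the second source, which only retries one account, is not; the window and user-count thresholds are the knobs a hospital would tune against its own baseline.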
Training and Policies That Actually Work
Hospitals can’t build a firewall against human error. Employees, no matter how well-intentioned, are often the weakest link in cybersecurity. That’s why proper training is one of the best defenses.
“There’s no firewall for gullibility. You have to train your people,” Hamilton said.
One key area? Credential policies. The traditional approach—forcing employees to use complex passwords with uppercase, lowercase, special characters, and numbers—is outdated. According to Hamilton, the strongest passwords are actually sentences, and they should only be changed once per year.
Additionally, he recommends:
- Using a password vault instead of letting employees store credentials in browsers.
- Prohibiting personal email and social media use on company devices.
- Aligning policies with the National Institute of Standards and Technology (NIST) guidelines.
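The credential advice above (sentences instead of character-class rules, a change only once a year, alignment with NIST guidance) is easy to state and easy to implement badly. The check below is an added example, not code from the panel, Lumifi Cyber or NIST: it enforces length and a compromised-password blocklist instead of composition rules, allows spaces so that sentences qualify, and only demands rotation after a year or on evidence of compromise. The length floor, the blocklist contents, the organization name and the dates are constructed assumptions.

```python
"""Passphrase policy check following the advice above (long sentences rather than
character-class rules; change once a year) and NIST SP 800-63B's
length-over-complexity approach.

Added example; it is not code from the panel, Lumifi Cyber or NIST. The length
floor, the blocklist, the organization name and the dates are constructed
assumptions.
"""
import unicodedata
from datetime import date, timedelta

MIN_LENGTH = 15                 # assumption: illustrative floor for a user-chosen passphrase
MAX_LENGTH = 128                # allow long sentences; cap only to bound hashing cost
MAX_AGE = timedelta(days=365)   # the article's "change once per year"

# Constructed stand-in for a compromised-password corpus. A real deployment
# checks against a large list built from known breaches, not this handful.
COMPROMISED = {
    "password",
    "welcome1",
    "hospital2024",
    "correct horse battery staple",
}


def check_passphrase(secret, username, org="examplehealth"):
    """Return the reasons a passphrase is rejected; an empty list means accepted.

    There are deliberately no uppercase/digit/symbol requirements: length and
    a blocklist check do the work, and spaces are allowed so sentences qualify.
    """
    s = unicodedata.normalize("NFKC", secret)   # stable comparison across input methods
    low = s.lower()
    reasons = []
    if len(s) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(s) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if low in COMPROMISED:
        reasons.append("appears in compromised-password list")
    if (username and username.lower() in low) or (org and org.lower() in low):
        reasons.append("contains the username or organization name")
    if len(set(low.replace(" ", ""))) < 4:
        reasons.append("too few distinct characters")   # e.g. "aaaaaaaaaaaaaaaa"
    return reasons


def needs_rotation(last_changed, today=None, known_compromised=False):
    """Rotate only on age (once a year) or on evidence of compromise.

    Dates may be given as ISO strings ("2024-01-01") or date objects.
    """
    if isinstance(last_changed, str):
        last_changed = date.fromisoformat(last_changed)
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    if known_compromised:
        return True
    return today - last_changed > MAX_AGE


if __name__ == "__main__":
    print(check_passphrase("the mri on floor three hums at night", "jsmith"))
    print(check_passphrase("P@ssw0rd1!", "jsmith"))
    print(needs_rotation("2024-01-01", today="2025-02-13"))
```

A short, "complex" password fails the length floor while a plain sentence passes, which is the point Hamilton makes; the blocklist is where a hospital would plug in its breached-password feed, and the rotation rule means a vault-stored sentence is left alone until it ages out or shows up in a breach.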
Blocking personal email and social media may not be a popular decision, but Hamilton insists it’s necessary. When he was Seattle’s chief information security officer, 40 percent of compromised assets stemmed from employees using personal email on work devices.
“It makes people grouchy,” he admitted. “But the security is worth the grumbling.”
The Legal and Financial Consequences of Cyberattacks
A hospital cybersecurity breach isn’t just a technical failure—it’s also a legal and financial nightmare. In many cases, a data breach leads directly to class-action lawsuits. For hospitals already struggling with the costs of recovery, this can be a devastating blow.
Health care executives are increasingly being accused of negligence in the aftermath of cyberattacks. If leaders can’t demonstrate that they were actively involved in cybersecurity decisions—such as approving risk assessments, governance policies, and action plans—they could find themselves personally liable.
Hamilton’s advice? Keep detailed records. Executives need to be able to show proof that they took cybersecurity seriously. Having documentation of proactive security measures can provide a crucial layer of legal protection.
The Rising Cost of Cybercrime
Cybercrime isn’t slowing down—it’s exploding. A recent report from the International Monetary Fund estimated that cybercrime will cost the world $23 trillion by 2027. That’s a staggering 175 percent increase from the losses reported in 2022.
Hospitals, with their vast repositories of sensitive patient data, are prime targets. The industry simply doesn’t have the firepower to fight off every attack. That’s why Hamilton urges health systems to accept the reality:
“There’s no way you’re going to go glove to glove with those organizations, those actors, and come out on top,” he said. “Prepare for the eventual event. It’s going to happen.”
Preparation, not prevention, is the key to survival. And when the inevitable attack occurs, the hospitals that can prove they did everything right will be in the strongest position to weather the storm.