Resilience Over Perfection: A Healthcare Cybersecurity Roadmap for 2026

By Shwetank Verma, Global Chief Information Security Officer

In healthcare, cybersecurity is ultimately about protecting care. Every workflow — from bedside monitoring to revenue cycle operations — now depends on digital systems and a sprawling mesh of connected devices. In this reality, the most successful organizations adopt what at Sagility calls a mindset of resilience over perfection; acknowledge that attacks and disruptions will occur, then design people, process, and platforms to anticipate, withstand, and recover without compromising patient safety or operational continuity.

Why Resilience Beats the Myth of Perfect Security

Perimeter-only defenses and one-time hardening projects can’t keep pace with today’s threat landscape. Cloud workloads scale by the hour, clinicians and staff work everywhere, and the Internet of Medical Things (IoMT) introduces thousands of specialized endpoints with uneven patch cycles. Aiming for “no incidents” creates fragile security: one missed patch or misconfigured identity can unravel the entire stack. Resilience, by contrast, accepts uncertainty and invests in visibility, containment, and rapid recovery — capabilities that determine clinical impact.

Four Pillars of Resilient Healthcare Security

1. Identity is the new clinical perimeter: Compromised credentials remain the fastest path to ransomware and data exfiltration. Enforce Zero Trust principles with strong multi-factor authentication (MFA), least-privilege access, just-in-time elevation for admins, and continuous risk-based authentication. Pair identity and access management (IAM) with behavioral analytics to spot unusual lateral movement or impossible travel. The goal: if an account is abused, it is detected early and segmented before it becomes a worldwide outage.
2. Endpoint and IoMT Protection Must Be Lightweight and Automated: Clinical devices can’t tolerate heavy agents or frequent reboots. Favor cloud-delivered, AI-driven endpoint protection that inspects behavior rather than just signatures; coverage should extend to identity as well as the device itself. Automated isolation, one-click network containment, and policy-driven response are essential for resource-constrained healthcare teams. Modern platforms that secure “thousands of devices” with a lightweight, automated approach are uniquely suited to healthcare’s realities — particularly for hard-to-patch IoMT that proliferate in healthcare.
3. If No Environment Is Secure, Focus on the Ability to Control and Contain: Microsegment clinical networks; keep IoMT, admin, guest, and research traffic separate by default. Back up electronic health records (EHRs), imaging archives, and critical operational systems with immutable storage and regular, audited restores. Maintain application allow-lists and block egress where not required. If a malware incident occurs, it should be local and recoverable, not systemic.
4. Operational Readiness — Practice the Response You Intend To Execute: Tabletop exercises with clinical leaders, legal/compliance, and communications are nonnegotiable. Define role-based protocols that determine who will shut down a device fleet, who will speak to media, how to prioritize ICU vs. outpatient systems, and how to deliver manual “downtime” procedures safely. Measure mean time to detect (MTTD), contain (MTTC), and restore (MTTR) — the core KPIs of cyber resilience.

A Pragmatic Roadmap for Healthcare

Start With an Accurate View of the Enterprise: Map your assets — endpoints, IoMT, identities, SaaS, and third-party connections. Protection begins with what you can see. Use continuous discovery for unmanaged devices and shadow SaaS; reconcile with a configuration management database (CMDB), a central system of record that stores information about an organization’s IT assets and how they relate to one another. Document data vulnerability so that risk is based on reality, not inventory folklore.

Modernize Identity Controls Before Everything Else: Implement MFA for everyone. Employ phishing-resistant methods for privileged roles, and conditional access policies tuned to clinical workflows (e.g., location-aware rules for on-prem units). Instrument user and entity behavior analytics (UEBA) to catch session hijacking and service-account abuse.

Harden Endpoints and RightSize Controls for IoMT: In the case that devices can’t run full agents, deploy network-based segmentation and passive monitoring. Identify and assess new patches that align to healthcare environments requirements. Safely install approved patches as needed. When patching isn’t possible, compensate with strict network controls and application isolation.

Build “Golden Paths” for Rapid Recovery: Document the minimum viable set of systems to safely deliver care (EHR access, meds administration, labs, imaging). Align recovery time and point objective (RTO/RPO) targets to those dependencies. Test restores quarterly; verify that backups are offline/immutable and that credential vaults and identity provider (IdP) configurations can be rebuilt without the primary network.

Neutralize Third-Party Risk: From revenue cycle partners to specialty telehealth apps, third parties expand both capability and risk. Apply contractual security requirements, tokenized or minimized data shares, and event-level logging with independent alerting. If a partner is breached, you should know through your telemetry, not via an outside media channel.

Culture: The Resilience Multiplier

Incident-response protocols alone won’t carry a hospital through an incident at 3 a.m. Resilient programs invest in human factors: concise phishing simulations for clinicians, quick-reference downtime guides at workstations, and a blameless reporting culture that surfaces weak signals early. Security must be embedded in innovation cycles — from pilots of AI documentation tools to new patient-engagement apps — so that compliance, privacy, and engineering collaborate from the start.

Metrics That Matter to the Board

Move past vanity counts (blocked attacks) and focus on timebased and outcome-based measures:

• Mean time to detect, contain, and recover
• Percent of critical assets covered by endpoint detection and response (EDR)/identity controls
• Incident‑response exercise and pass/fail criteria for restoration drills
• Third-party telemetry coverage and SLA adherence. These data points relate directly to care continuity and financial resilience, making them meaningful for executives and regulators alike.

The Way Forward

Healthcare’s digital future is bright — and inherently complex. By embracing resilience over perfection, leaders can protect patients and preserve trust while still moving boldly toward AI-enabled, data-driven care. The blueprint is clear: identity-first security, lightweight automated protection across endpoints and IoMT, microsegmentation and recovery discipline, and relentless operational practice. That is how cyber programs evolve from fragile defenses into durable advantages — exactly the approach that Sagility takes partners with payers and providers to modernize healthcare with confidence.

Discover more about Building Cyber Resilience in the Age of Innovation, insights from 11 forward-thinking cyber leaders, including Shwetank Verma.