Experts warn hospitals’ weak cyber defenses risk patient safety

ILLINOIS, UNITED STATES — Cyberattacks targeting hospitals are growing in frequency, exposing critical vulnerabilities that directly endanger patients’ lives, experts warn.
From outdated systems to unvetted third-party vendors, healthcare leaders say the sector’s cybersecurity blind spots are no longer just an IT issue; they are a matter of patient safety, according to a report from Becker’s Hospital Review.

Clinical blind spots widen cybersecurity gaps

While ransomware attacks can paralyze electronic health records (EHRs), delay surgeries, and even force ambulances to divert, many of the biggest risks lie not in code, but in the day-to-day realities of clinical practice.
“Healthcare’s major cybersecurity vulnerabilities include unprotected legacy medical devices, shadow IT from tools adopted by clinicians, weak identity management, and risks from third-party vendors — all of which directly jeopardize patient safety,” said Usman Akhtar, MD, Chief Medical Information Officer (CMIO) at Virginia Hospital Center.
According to Akhtar, these gaps persist because they straddle IT and clinical operations, leaving accountability unclear. “Clinical leaders need to prioritize cybersecurity as a matter of patient safety and care continuity,” he added.
Experts say that clinicians often adopt new digital tools or mobile apps without full vetting by IT teams, a practice that may help workflows but creates hidden risks.
“The real risk isn’t malicious intent — it’s the quiet acceleration of convenience outpacing governance,” said Elie Razzouk, MD, CMIO for AdventHealth’s Central Florida Division.

Third-party vendors and outsourcing under scrutiny

As hospitals increasingly outsource digital operations and data management, cybersecurity risks linked to external vendors are becoming a major concern.
John (Clay) Callison, MD, CMIO at the University of Tennessee Medical Center, warned that “clinicians often underestimate how much exposure can come from external partners that handle sensitive data.”
This reflects a growing tension in the healthcare outsourcing ecosystem: while outsourcing IT services, billing systems, and data management can help hospitals save costs and streamline operations, it also widens the attack surface for cybercriminals.
Without rigorous oversight, even trusted vendors can become weak links in the chain.
At Sentara Health in Virginia, CMIO Joseph Evans, MD, and Chief Information Security Officer Zishan Siddiqui identified “third-party vendor risk, human error and inadequate technical defenses” as their main cybersecurity blind spots.
They emphasized the need for clinical leaders to participate in cybersecurity drills and training to foster a “culture of security that protects both infrastructure and patient safety.”
In an industry where outsourcing and digital transformation are accelerating, experts say the message is clear: cybersecurity cannot remain siloed in IT.
Protecting patients now depends on shared vigilance—across clinical teams, vendors, and outsourced partners alike.





