by Lesley Berkeyheiser

In healthcare, trust is everything, yet every day that trust is tested by an escalating wave of cyber threats. From ransomware attacks to sophisticated impersonation schemes, the risks aren’t abstract. They are here, they are active, and they are hitting small and midsized healthcare organizations hardest. In the first half of 2025 alone, more than 29 million individuals were impacted by healthcare data breaches.

This is not just about compliance. This is about protecting the people we serve. Cybersecurity is patient safety.

That message was central to a recent DirectTrust webinar, Top Ten Cybersecurity Tips for Small and Midsize Healthcare Organizations, where I emphasized that cybersecurity readiness is less about checking boxes and more about shifting culture. Still, practical steps are essential, and the tips outlined in this handout, developed in partnership with the Workgroup for Electronic Data Interchange (WEDI), offer a roadmap for getting started.

These aren’t just technical recommendations; they’re entry points to creating a culture of shared responsibility across clinical, administrative, and IT teams.

A shared responsibility

One of the biggest barriers I continue to see, even two decades after HIPAA first introduced healthcare privacy and security rules, is the divide between IT and clinical or operational departments. It’s easy to assume “that’s why we have a tech department,” as one clinician recently told me. But cybersecurity can’t be delegated. It has to be embedded in our culture, our training and our day-to-day decision-making across an entire organization.

This means knowing who your cybersecurity lead is. It means ensuring every workforce member understands their role in protecting sensitive information. And it means treating risk assessments as foundational tools, not optional exercises.

Readiness means more than tools

The reality is that bad actors aren’t lone hackers anymore. They’re sophisticated, organized, and leveraging AI to mimic CEOs, conduct deepfake video calls and infiltrate networks in ways that are harder to detect than ever before. They target outdated systems, over-permissioned accounts and organizations that haven’t invested in continuous training or endpoint monitoring.

Cybersecurity is no longer a matter of “if,” but “when.” And readiness isn’t just about having tools; it’s about having a plan that includes the following:

  • Clear communication across teams
  • Role-based access controls
  • Strong policies for mobile devices, physical ports, and software installation
  • Simulated phishing tests and secure email practices
  • Tested incident response protocols that can guide your team even during downtime

Yes, multifactor authentication (MFA) is part of this. So is patching, and knowing exactly what’s connected to your network at any given moment.

Trust through transparency

A key message from the webinar came from a story I shared about two organizations that responded very differently when facing a potential breach. One communicated immediately with their community when they suspected the issue. The other stayed silent for weeks, until it showed up in the news. Guess which one maintained trust?

Cybersecurity isn’t just about protecting data; it’s about demonstrating integrity. That’s why transparency, responsiveness and independent, third-party verification, such as receiving accreditation or certification through DirectTrust, matter so deeply. These are the core components of what it means to establish and maintain trust in a connected world, and I encourage those interested to seek additional information about accreditation.

Start where you are

If you take nothing else from this discussion, take this: start where you are. Get a plan in place, know your environment, train your people, and never stop reinforcing the fact that cybersecurity is everyone’s responsibility.

To help you take that first (or next) step, I encourage you to review the aforementioned Top 10 Cybersecurity Tips handout specifically designed for healthcare organizations. Whether you’re a rural clinic or a national provider, these practical actions, rooted in the Health and Human Services (HHS) 405(d) initiative, are a starting point for building long-term readiness.

Watch an on-demand recording of the webinar, view the presentation slides and share these materials with your teams. Every conversation about cybersecurity is an investment in safety, trust and, ultimately, better care. There is no such thing as being too informed.

If you are interested in learning more about how your organization can demonstrate trust through DirectTrust Accreditation, please start here to review our programs, criteria, and benefits, or reach out to [email protected].