Shifting the healthcare IT narrative from risk to resilience


Oct 24, 2025 | RapidScale | 4 Minute Read

When Downtime Becomes a Matter of Life and Death

In healthcare, system outages aren’t just IT problems—they’re patient safety issues, compliance risks, and organizational liabilities. Whether it’s a cyberattack that locks access to critical systems or an unexpected infrastructure failure that halts operations, the stakes are higher than in any other industry. 

Yet most health systems are running on a patchwork of legacy tools, fragmented governance, and under-resourced IT teams. Modernizing these environments while ensuring uninterrupted care is no longer optional—it’s a mandate. 

Recently, I moderated a roundtable with two healthcare technology leaders who know this challenge firsthand. Katie Patton, Director of Technology at Baton Rouge General Medical, and Michael Dozier, CIO at Singing River Health System, have each led their organizations through major cyber incidents. Instead of just recovering, they used those moments to build greater resilience and reduce future risk. 

You can listen to the full recording here:

This post shares the most valuable takeaways from that conversation—practical, field-tested strategies for healthcare CIOs, CTOs, and CISOs tasked with securing complex environments, improving compliance readiness, and ensuring care never stops. 

“One of our biggest risks is with shadow IT. IoT devices, HVAC, biomed infusion pumps and other devices can create entry points.

Your weakness might be something you don't even know that's connected to your environment. A breach can ripple straight into patient care and crash that.

And we're seeing more and more attackers get creative and go down these backdoor entry points into healthcare systems that you wouldn't normally think of attacking.”
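The first defensive step against the shadow-IT problem described in the quote is knowing what is actually on the clinical and building-automation segments. As an added example (not RapidScale's or the panelists' tooling), the Python script below reconciles a DHCP lease export against the asset inventory and flags every device on a watched segment that the inventory does not know about. The lease export format, the inventory schema, the addressing plan and all records are constructed assumptions.

```python
"""Reconcile DHCP leases on clinical segments against the asset inventory.

Added example for this post; not RapidScale's or the panelists' tooling.
The lease export format, inventory schema, addressing plan and every record
below are constructed assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed lease export, one "mac,ip,hostname" record per line (assumed format).
LEASES_CSV = """\
# mac,ip,hostname
00:1a:2b:3c:4d:01,10.20.1.15,ICU-WS-07
00-1A-2B-3C-4D-02,10.20.1.40,
00:1a:2b:3c:4d:03,10.20.5.9,HVAC-RTU-NORTH
00:1a:2b:3c:4d:04,10.20.1.77,PUMP-3F-12
00:1a:2b:3c:4d:05,10.30.0.22,CORP-LT-0411
00:1a:2b:3c:4d:06,10.30.0.51,
"""

# Constructed inventory export; MAC notations deliberately mixed (assumed schema).
INVENTORY_RAW = [
    {"mac": "00:1A:2B:3C:4D:01", "owner": "Clinical IT", "class": "workstation"},
    {"mac": "001a.2b3c.4d04", "owner": "Biomed", "class": "infusion-pump"},
    {"mac": "00:1a:2b:3c:4d:05", "owner": "Corporate IT", "class": "laptop"},
]

# Segments where an unknown device matters most (assumed addressing plan).
WATCHED_SEGMENTS = {
    "clinical": ip_network("10.20.1.0/24"),
    "building-automation": ip_network("10.20.5.0/24"),
}


@dataclass(frozen=True)
class Lease:
    mac: str
    ip: str
    hostname: str


def normalize_mac(mac: str) -> str:
    """Canonicalize colon, dash and Cisco dotted notations to lowercase colon form."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"unparseable MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_leases(text: str) -> list[Lease]:
    leases = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        mac, ip, hostname = (f.strip() for f in line.split(",", 2))
        ip_address(ip)  # raises ValueError on a malformed address
        leases.append(Lease(normalize_mac(mac), ip, hostname))
    return leases


def load_inventory(records) -> dict[str, dict]:
    """Key the inventory by normalized MAC so notation differences cannot hide a match."""
    return {normalize_mac(r["mac"]): r for r in records}


def segment_of(ip: str) -> str | None:
    addr = ip_address(ip)
    for name, net in WATCHED_SEGMENTS.items():
        if addr in net:
            return name
    return None


def find_unknown_devices(leases, inventory) -> list[dict]:
    """Return leases on watched segments whose MAC is absent from the inventory.

    Leases on unwatched segments are ignored here. A missing hostname raises the
    severity because it is typical of embedded and building-automation gear.
    """
    findings = []
    for lease in leases:
        segment = segment_of(lease.ip)
        if segment is None or lease.mac in inventory:
            continue
        findings.append({
            "mac": lease.mac,
            "ip": lease.ip,
            "segment": segment,
            "hostname": lease.hostname or None,
            "severity": "high" if not lease.hostname else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_unknown_devices(parse_leases(LEASES_CSV), load_inventory(INVENTORY_RAW)):
        print(f"{f['severity']:6} {f['segment']:20} {f['ip']:12} {f['mac']}  {f['hostname'] or '(no hostname)'}")
```

Run against the constructed data, the script reports two devices: a host with no name on the clinical segment and an HVAC controller on the building-automation segment; the unknown laptop on the corporate segment is deliberately left out of scope. The normalization step is the part that matters in practice: inventories exported from biomed, facilities and IT tools rarely agree on MAC notation, and an unnormalized comparison silently reports known devices as unknown.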

Three Challenges Shaping Healthcare Technology Decisions 

  1. IT and Operations are already spread too thin.
    Even large teams feel the strain of administering a legacy infrastructure that requires discrete monitoring tools, specialized expertise, and frequently, complex licensing agreements.

    Where possible, simplify your tech stack, managing out obsolete or duplicate products and processes. Rather than bringing expertise (and risk) in-house, work with a single accountable partner who can deploy, monitor and maintain key infrastructure components, including 24x7 monitoring and response across endpoints, users, and infrastructure. 

  2. Lack of System and Organizational Resilience.
    The goal of every healthcare organization is to be fully operational, all the time. 

    Building the resilience to achieve near-100% uptime is not a “one and done” activity. It comes from secure environments, prioritized runbooks with clear recovery time objective (RTO) and recovery point objective (RPO) targets for each system, recovery scenarios that are actually rehearsed against those targets, and centrally managed platforms that streamline disaster recovery and daily operations. 

  3. Risk and Compliance mandates at an all-time high.
    Organizations are not just concerned about compliance with HIPAA and other regulations. Civil lawsuits are an ongoing reality, exposing gaps in processes, oversight and record keeping.

    From the C-suite to every individual on the floor, organizations need to adopt a security and safety culture that spans governance, people, process, and technology. 

“When your patient reputation is destroyed overnight and you’re spending 10 plus million dollars to recover from an event, it becomes a little bit easier to get that executive alignment to make sure that you do everything to prevent that from happening again.”


Actionable Steps for Accelerating Healthcare Compliance Transformation 

  1. Incorporate security into IT transformation planning from the outset. 
    Why: “Security by design” is a core principle in NIST CSF, HIPAA, and HITRUST. Embedding security early prevents downstream gaps and aligns with regulatory expectations.
    Action: Integrate security requirements into every phase of system and process design, not just as a final checklist. 
  2. Conduct ongoing risk assessments using modern exposure monitoring tools. 
    Why: HIPAA’s Security Rule requires a documented risk analysis and periodic evaluation, and NIST and HITRUST recommend making that assessment continuous rather than annual. Automated, AI-driven tools are increasingly used for predictive risk management. 
    Action: Schedule regular risk assessments, leveraging threat intelligence feeds and automated monitoring to identify and address vulnerabilities. 

  3. Implement resilience safeguards such as immutable backups and isolated recovery environments.
    Why: Resilience is emphasized in NIST CSF and HITRUST, and recent ransomware attacks highlight the need for robust disaster recovery. 
    Action: Deploy backups with retention locks that cannot be shortened or deleted even with administrator credentials, since an attacker who reaches the backup console will hold those; keep at least one copy in a network-isolated recovery environment; and rehearse restores from that copy so the RTO is a measured number rather than an assumption. 
  4. Enforce least privilege through role-based access controls. 
    Why: Least privilege is a foundational control in all major frameworks and is critical for minimizing insider risk.
    Action: Review and update access permissions regularly, including service accounts and vendor remote-access accounts, ensuring each has only the minimum rights its role requires, and remove access promptly when roles change. 
  5. Align with vendors through clear, HIPAA-compliant business associate agreements (BAAs). 
    Why: Vendor risk is a leading cause of breaches. HIPAA mandates BAAs, and HITRUST/NIST provide templates and guidance for effective third-party management.
    Action: Execute and periodically review BAAs with all vendors handling PHI, specifying security obligations and breach notification protocols.

  6. Use audits as engines for improvement, not just compliance checks. 
    Why: Audits are required by HIPAA and HITRUST, but leading organizations use audit findings to drive innovation and process improvement. 
    Action: Treat audit results as opportunities to pilot new controls, refine workflows, and enhance overall security posture.
     
  7. Establish executive accountability with visible ownership and compliance metrics. 
    Why: Leadership engagement is widely cited as the most critical factor in building a compliance-driven culture.
    Action: Assign clear compliance responsibilities to executives, track key performance indicators (KPIs), and report progress regularly. 
  8. Engage staff through scenario-based compliance training.
    Why: Scenario-based training improves retention and decision-making, and is recommended by compliance experts and regulatory bodies. 
    Action: Develop training modules that use real-world scenarios relevant to staff roles, and reinforce learning through interactive exercises. 
  9. Foster a transparent, learning culture after incidents. 
    Why: Transparency and a culture of learning are essential for continuous improvement and regulatory trust.
    Action: Share lessons learned from incidents openly, encourage reporting of compliance concerns, and celebrate improvements. 
  10. Leverage managed services to ensure 24x7 coverage and fill skills gaps. 
    Why: Managed services providers (MSPs) offer specialized compliance, security, and IT support, helping organizations maintain continuous coverage and expertise. 
    Action: Partner with reputable MSPs for compliance management, cybersecurity, and operational support, especially where internal resources are limited. 
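The RTO/RPO runbooks in the resilience challenge above and the immutable-backup step (item 3) share one practical check: does the catalog of restore points actually satisfy the targets? As an added example (not RapidScale's or the panelists' tooling), the Python script below evaluates a backup catalog against per-system policies. The catalog schema, the policy fields, the finding codes and every record are constructed assumptions. The point it makes is that after ransomware, the copy you restore from is the immutable one, so its age, not the newest primary snapshot's, is the RPO that counts.

```python
"""Check a backup catalog against RPO targets, retention locks and isolation.

Added example for this post; not RapidScale's or the panelists' tooling.
The catalog schema, policy fields, finding codes and every record below are
constructed assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class RestorePoint:
    system: str
    taken_at: datetime                 # UTC time the copy was taken
    immutable_until: datetime | None   # retention-lock expiry; None means deletable
    isolated: bool                     # held in a network-isolated recovery environment


@dataclass(frozen=True)
class Policy:
    rpo: timedelta                     # tolerable data loss
    min_lock_window: timedelta         # lock must still extend this far into the future
    require_isolated_copy: bool = True


# Fixed clock so the example is reproducible (assumed).
NOW = datetime(2025, 10, 24, 12, 0, tzinfo=timezone.utc)

POLICIES = {
    "ehr-db": Policy(timedelta(hours=1), timedelta(days=14)),
    "pacs": Policy(timedelta(hours=24), timedelta(days=30)),
    "badge-ac": Policy(timedelta(hours=24), timedelta(days=7), require_isolated_copy=False),
    "lab-lis": Policy(timedelta(hours=4), timedelta(days=14)),
}

CATALOG = [
    # ehr-db: fresh primary snapshot, but the locked copy is three hours old.
    RestorePoint("ehr-db", NOW - timedelta(minutes=20), None, False),
    RestorePoint("ehr-db", NOW - timedelta(hours=3), NOW + timedelta(days=30), True),
    # pacs: stale, its lock expires in three days, and an older lock has already lapsed.
    RestorePoint("pacs", NOW - timedelta(hours=30), NOW + timedelta(days=3), True),
    RestorePoint("pacs", NOW - timedelta(days=10), NOW - timedelta(days=1), True),
    # badge-ac: recent, but nothing an attacker with admin rights could not delete.
    RestorePoint("badge-ac", NOW - timedelta(hours=2), None, False),
    # lab-lis: no entries at all.
]


def evaluate(catalog, policies, now) -> list[tuple[str, str, str]]:
    """Return (system, code, detail) findings; an empty list means every target is met."""
    by_system: dict[str, list[RestorePoint]] = {}
    for rp in catalog:
        by_system.setdefault(rp.system, []).append(rp)

    findings = []
    for system, policy in policies.items():
        points = by_system.get(system, [])
        if not points:
            findings.append((system, "NO_RESTORE_POINTS", "system has no entries in the catalog"))
            continue

        newest = max(points, key=lambda p: p.taken_at)
        if now - newest.taken_at > policy.rpo:
            findings.append((system, "RPO_EXCEEDED",
                             f"newest copy is {now - newest.taken_at} old, RPO is {policy.rpo}"))

        # Only a lock that is still in force protects against deletion today.
        locked = [p for p in points if p.immutable_until and p.immutable_until > now]
        if not locked:
            findings.append((system, "NO_IMMUTABLE_COPY",
                             "no restore point is under an active retention lock"))
        else:
            best = max(locked, key=lambda p: p.taken_at)
            if now - best.taken_at > policy.rpo:
                findings.append((system, "IMMUTABLE_COPY_STALE",
                                 f"newest locked copy is {now - best.taken_at} old, RPO is {policy.rpo}"))
            if best.immutable_until - now < policy.min_lock_window:
                findings.append((system, "LOCK_WINDOW_SHORT",
                                 f"lock expires in {best.immutable_until - now}, "
                                 f"policy requires {policy.min_lock_window}"))

        if policy.require_isolated_copy and not any(p.isolated for p in points):
            findings.append((system, "NO_ISOLATED_COPY",
                             "no copy is held in the isolated recovery environment"))
    return findings


if __name__ == "__main__":
    for system, code, detail in evaluate(CATALOG, POLICIES, NOW):
        print(f"{system:10} {code:22} {detail}")
```

On the constructed catalog the EHR database passes the naive "newest backup within RPO" test and still fails, because the only copy an attacker could not delete is three hours old against a one-hour RPO. The expired lock on the older PACS copy is ignored on purpose: a retention lock that has lapsed is no lock at all, which is why the check looks at expiry against the current time rather than at whether a lock was ever set.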
