Hospitals are under digital siege, and it’s a national security threat
Mar 28, 2025
In the last year, over 380 U.S. hospitals have been hit by cyberattacks. Some were ransomware. Others took down entire hospital networks. Some delayed surgeries, shut off access to patient charts and forced ambulances to divert to other cities.
These aren’t just IT headaches — they’re dangerous. And they’re becoming routine.
I’m a practicing physician. I’ve worked in clinics and emergency rooms during system outages. You feel it instantly.
Monitors stop syncing. Prescriptions can’t be verified. Orders pile up. Even the most routine tasks become risky. You don’t realize how much medicine relies on technology until it fails you in the middle of patient care.
When a hospital gets hit, it’s not just about stolen data — it’s about interrupted care. And that’s the part that gets lost in most conversations around cybersecurity.
These attacks delay bloodwork, cancel MRIs and disrupt medication orders. I’ve seen colleagues scribbling vitals on scraps of paper during downtime. And that’s in a best-case scenario.
Imagine that happening across an entire hospital for days, or even weeks, because someone halfway around the world locked the system and demanded a payout.
Most hospitals were never built to handle these threats. Many, especially in rural areas, are operating with outdated infrastructure and limited IT staff. Cybersecurity wasn’t a priority until it had to be. And by then, it was already too late.
The federal government is starting to take this more seriously. In late 2024, the Biden administration proposed updates to the HIPAA Security Rule, including requirements for encryption, multi-factor authentication and network segmentation. These are meaningful changes, aimed at getting hospitals to adopt more modern defenses.
There’s also the Healthcare Cybersecurity Act, which encourages collaboration between the Department of Health and Human Services and the Cybersecurity and Infrastructure Security Agency. In addition, tech giants like Microsoft and Google have offered tools and partnerships to help bolster digital defenses for health systems.
All of that is promising, but it’s not fast enough. These new rules haven’t gone into effect yet. Implementation takes time.
Meanwhile, hospitals are still being targeted every week. And smaller systems can’t always afford the upgrades needed to meet new security standards. For them, these policies feel more like pressure than protection, especially without funding to back them up.
The previous Trump administration approached the issue differently. In 2017, President Trump signed Executive Order 13800, which aimed to strengthen cybersecurity across all federal agencies and critical infrastructure, including healthcare.
But there wasn’t much follow-through tailored specifically to hospitals. In fact, programs that helped with threat sharing, such as the Multi-State Information Sharing and Analysis Center, were deprioritized or defunded, leaving many healthcare institutions without timely threat alerts.
Both administrations recognized the threat. Neither moved fast enough. And cybercriminals haven’t waited. They’ve only gotten more aggressive and strategic.
It’s no longer just about stealing data or holding systems hostage for ransom. Some of these attacks are designed to inflict maximum disruption.
In 2024, several hospitals had to cancel cancer treatments and divert emergency patients because of ransomware attacks. These aren’t just cyber issues. They are care delivery failures triggered by external actors.
If a foreign group disabled the power grid in a major city, we’d treat it as a national security emergency. But when ransomware shuts down a hospital’s ICU, we treat it as a compliance issue. That needs to change.
Here’s what I believe would actually make a difference:
Minimum national cybersecurity standards for all hospitals. Standards must come with real funding. Without help, a rural facility can’t be expected to operate with the same digital firewalls as a large academic medical center.
Federal rapid-response cyber teams housed in HHS or the Cybersecurity and Infrastructure Security Agency — like FEMA, but for digital emergencies — should be ready to step in during an attack to help hospitals stabilize and recover.
Real-time threat intelligence sharing. It must be easy for hospital IT departments to access and act on, modeled after the financial sector’s fusion centers.
A dedicated cybersecurity grant program for hospitals. This is especially critical for small and mid-sized hospitals. It should be backed by legislation and not dependent on short-term pilot funding.
Cybersecurity training for healthcare executives and board members. This will help leadership understand the stakes and build it into their strategic planning — not just IT budgeting.
Hospitals aren’t just buildings. They’re places where people go when they are most vulnerable. They’re part of our emergency response system, our chronic care infrastructure, and our safety net all rolled into one. When one goes offline because of a cyberattack, it disrupts care, burdens nearby hospitals, and can lead to real harm for real people.
We cannot keep reacting after the fact. We need to be proactive — before another major attack forces another hospital to cancel surgeries or delay critical treatments.
Cybersecurity in healthcare isn’t just about firewalls and software patches. It’s about protecting patients' health and their lives. It’s time Washington — and the rest of us — treated it that way.
Sujan Gogu is a board-certified physician in family, sports and pain medicine.