A year after WannaCry, healthcare organizations face mounting cyberthreats

But ransomware attacks don't come from hacker organizations alone. "Nation-states are aggressively targeting healthcare and hospitals in particular," Riggi said.

Health systems have more to fear than their IT infrastructure going down. Breached data can end up on the dark web, where they're bought and sold. As more health data becomes available on those networks, prices have fallen. But the data is still useful to buyers, Finn said. People can aggregate health data and non-healthcare data from multiple sources, connecting people's health data with their financial information.

"They're using data in ways we don't even think of," he said.

Those risks have spurred hospitals and healthcare organizations to be more aggressive in their defenses, Riggi said. But their plight never ends. "With every counter-measure put in place by a hospital, the adversaries come forward with a counter-measure for that," Riggi said.

Part of the trouble is the speed—or lack thereof—with which healthcare organizations can react, Olsen said. "It's sort of like moving a big ocean liner—it just takes time."

Healthcare executives and security teams should prioritize protecting the most sensitive and critical data, including protected health information, Olsen said. That work includes an initial risk assessment and putting in place appropriate training policies, and patches.

Those assessments now need to be in line with HIPAA and the EU's GDPR. "It is a much broader and deeper regulation," said David MacLeod, Welltok's senior vice president, chief information officer, and enterprise CISO.

Healthcare organizations could also benefit by taking the hackers' perspective and conducting white-hat hacking to expose vulnerabilities. Even when health systems think they're well-prepared, they may still be hacked.

"The key is knowing when the breach has occurred, obtaining that knowledge in real time, and then having predefined plans for responding to the incident," MacLeod said.

For healthcare systems to succeed in protecting their data, they need to put someone in charge of information security, Olsen said. Too often, that role falls onto the chief compliance officer or chief privacy officer, who might not have cybersecurity backgrounds or not have time to dedicate to security, he said.

"If you don't have somebody in that role looking across the entire enterprise, it's easy to have a lot of blind spots," Olsen said.

There might be gaps between linked information systems, for instance. "When you connect, security IT really is like the old chain adage: Your security can be only as good as the weakest link in the chain," said David Finn, executive vice president of strategic innovation for IT consulting firm CynergisTek. One straightforward tactic is making sure all software is up to date and sufficiently patched, he said.

"In healthcare, we have a legacy problem with old hardware and software," he said. "That represents a huge risk."

At the core, cybersecurity is about actual people, security consultants said. "The best defense against cyber-adversaries is a culture of cybersecurity within an organization," Riggi said. "Ultimately, the entire staff and leadership of an organization should be considered part of the information security department."

Everyone in an organization should also take into account the business implications of an attack, Finn said. "They have to understand that every time there's a breach or disruption, it costs them money."