Why Hospitals Must Focus on Cyber Resilience
The utility of thinking along the lines of a minimum viable hospital becomes clear when considering today’s healthcare environment:
- Reliance on technology is absolute. Despite the continued focus on training practitioners using paper-based forms, manual workflows cannot sustain modern healthcare operations. The MVH mindset recognizes that hospitals must prioritize rapid recovery of a subset of applications rather than place faith in paper-based contingencies.
- Coordination determines recovery speed. Recovery from cyberattacks requires cross-functional collaboration. Clarity on priorities ensures cross-functional teams work from a unified recovery blueprint, reducing friction and accelerating restoration.
- Question immutability claims. Because attackers almost always target backup systems (and succeed all too frequently), it’s important to validate whether a healthcare organization has secure, verifiable restoration processes. Today, many healthcare organizations do not.
- Prioritization is the difference between disruption and destruction. The MVH model’s structured triage ensures that the most critical applications (those safeguarding patient care and core operations) are restored first — preferably, within a specified period — while operating with constrained resources.
How to Build a Minimum Viable Hospital
Through the process of defining and prioritizing the barest subset of applications necessary to operate for a period of three to five weeks, healthcare leaders help the organization understand what to expect and focus preparation on making key decisions now that will minimize impacts during an attack. Core actions should include:
- Identifying the specific applications, systems and connected devices that are indispensable to patient care. Map their dependencies to establish a logical, tiered recovery sequence that prioritizes lifesaving operations.
- Adopting zero-trust data security principles that assume a breach will happen and limit access to data and systems. Deploy truly immutable backups, ensure they can be restored into an isolated recovery environment (IRE), and make sure the organization has the tools to do so without spreading malware into the IRE.
- Establishing low-tech, out-of-band crisis communication channels capable of functioning without network connectivity. These channels should connect clinical, security, IT and executive teams for rapid, coordinated decision-making.
- Conducting regular tabletop drills and simulated cyberattacks that involve all operational stakeholders, including external partners such as insurers and vendors. Use these sessions to validate assumptions, identify gaps, white-list key vendors and refine processes.
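The dependency mapping in the first action above can be turned into a concrete restore order. The following Python example is added here and is not from the original article or any vendor tooling; the inventory, system names and criticality scores are constructed for illustration. It selects the lifesaving systems plus everything they transitively depend on, then groups them into recovery waves.

```python
# Constructed inventory: system -> (criticality, dependencies); 1 = lifesaving.
INVENTORY = {
    "network-core": (3, []),
    "dns": (3, []),
    "identity": (2, []),
    "ehr-db": (2, ["network-core"]),
    "ehr": (1, ["identity", "dns", "network-core", "ehr-db"]),
    "pharmacy-dispensing": (1, ["ehr", "identity"]),
    "patient-monitoring": (1, ["network-core"]),
    "lab-db": (3, ["network-core"]),
    "lab-results": (2, ["identity", "lab-db"]),
    "billing": (4, ["ehr", "identity"]),
    "staff-intranet": (5, ["identity"]),
}


def recovery_plan(inventory, max_criticality=1):
    """Return ordered recovery waves for the minimum viable set."""
    for app, (_, deps) in inventory.items():
        for dep in deps:
            if dep not in inventory:  # unmapped dependency: fix the inventory first
                raise ValueError(f"{app} depends on unknown system {dep}")

    # Minimum viable set = critical systems plus everything they transitively
    # need. A dependency inherits the best (lowest) criticality relying on it.
    inherited = {}
    stack = [(a, c) for a, (c, _) in inventory.items() if c <= max_criticality]
    while stack:
        app, crit = stack.pop()
        if inherited.get(app, float("inf")) <= crit:
            continue
        inherited[app] = crit
        stack.extend((dep, crit) for dep in inventory[app][1])

    # Wave n holds systems whose dependencies were all restored in earlier waves.
    waves, restored, pending = [], set(), set(inherited)
    while pending:
        ready = [a for a in pending if set(inventory[a][1]) <= restored]
        if not ready:
            raise ValueError(f"dependency cycle among {sorted(pending)}")
        ready.sort(key=lambda a: (inherited[a], a))
        waves.append(ready)
        restored.update(ready)
        pending.difference_update(ready)
    return waves


if __name__ == "__main__":
    for n, wave in enumerate(recovery_plan(INVENTORY, max_criticality=2), 1):
        print(f"wave {n}: {', '.join(wave)}")
```

Low-criticality infrastructure such as DNS lands in the first wave because a lifesaving application depends on it, while billing and the staff intranet stay out of the plan entirely.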
Breaking the Attack Cycle to Protect Patients
In healthcare, every second counts, and every system, data set and process that supports clinical decisions, treatment plans and operational flow can directly impact patient outcomes. Paying a ransom invites repeat attacks. By preparing a well-defined, minimal set of prioritized applications and an isolated recovery environment in which to run them, healthcare organizations can move beyond reactive measures and paying ransoms to building true resilience. Organizations that know they can bounce back won’t need to pay ransoms, and when they stop paying ransoms, the attacks will cease.
The views expressed in this article are those of the author and do not necessarily reflect the official policy or position of Rubrik. This article is for informational purposes only and does not constitute business or legal advice. Organizations should consult with legal and compliance professionals to ensure their cybersecurity strategies meet all applicable federal, state and international requirements.
The post The Minimum Viable Hospital: Protect Patient Care and Build Cyber Resilience first appeared on TechToday.
