
CISA warns healthcare should prepare for disruptive cyberattacks


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging healthcare organizations and other critical infrastructure sectors to strengthen their cyber resilience against growing nation-state threats. Through its new “CI Fortify” initiative, the agency is encouraging organizations to invest in isolation and recovery capabilities to maintain operations during disruptive cyberattacks.

 

What happened

According to Healthcare IT News, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has launched a new initiative called “CI Fortify,” urging organizations in critical sectors such as healthcare, energy, telecommunications, transportation, and water services to strengthen their cyber resilience. The initiative focuses on helping organizations continue operating during large-scale cyberattacks or geopolitical conflicts.

The guidance emphasizes two core strategies: isolation and recovery. Isolation refers to the ability to disconnect operational systems from third-party networks or compromised infrastructure, while recovery focuses on restoring systems quickly and safely after an attack.

 

Going deeper

According to CISA, organizations should prepare for scenarios where internet connectivity, telecommunications providers, vendors, or cloud services may become unreliable or unavailable during a cyber incident. The agency warned that critical infrastructure operators may need to function independently for “weeks to months” while isolated from external systems.

The guidance was influenced by recent nation-state cyber campaigns, including attacks linked to Chinese threat groups such as Volt Typhoon and Salt Typhoon. U.S. officials have previously warned that these groups have embedded themselves within critical infrastructure networks to potentially disrupt services during future geopolitical conflicts.

Healthcare organizations are among the sectors specifically highlighted because of their reliance on interconnected systems, cloud-based services, and third-party vendors. CISA is encouraging health systems and other operators to develop continuity plans that allow essential services to continue even if systems are partially compromised.

The agency also called on technology vendors, managed service providers, and cybersecurity companies to support customers by improving resilience planning and recovery capabilities.

 

What was said

According to the Healthcare IT News article, CISA notes that “preparation is the key to maintaining operations during a cyberattack,” urging critical infrastructure organizations to “invest in and develop isolation and recovery capabilities” before a crisis occurs. The agency warned that organizations should assume “third-party telecommunications, internet, vendors, service providers and any upstream dependencies are unreliable” during a geopolitical conflict and that “threat actors have access to networks.”

Acting CISA Director Nick Andersen described the initiative as “timely, actionable guidance” that helps organizations “protect their networks and critical services from cyber threat actors that aim to degrade or disrupt infrastructure.” He added, “We strongly encourage organizations to review this guidance, implement the recommended actions and collaborate with CISA to strengthen CI defenses against opportunistic threat actors.”

The American Hospital Association also backed the initiative. John Riggi, the organization’s national advisor for cybersecurity and risk, said the guidance would help hospitals “continue delivering essential services in the event of a destructive nation-state cyberattack or ransomware attack.” He added that “cyber resilience is essential to maintain patient care and safety during any incident that disrupts access to healthcare technology.”

 

The bigger picture

Recent reports show that nation-state cyber campaigns are becoming more aggressive, sophisticated, and focused on critical infrastructure sectors such as healthcare, energy, telecommunications, and water systems.

One of the most concerning developments involves Chinese state-linked groups such as Volt Typhoon. According to The Register, the group remained embedded in U.S. energy networks throughout 2025 and continued targeting electric, oil, and gas infrastructure. Researchers warned that the activity appeared aimed at maintaining long-term access capable of disrupting infrastructure during a future geopolitical conflict.

Governments are also warning about covert attack techniques. In April 2026, Reuters reported that cybersecurity agencies from the U.K., U.S., Canada, Australia, Germany, and Japan had issued a joint advisory warning that China-linked hackers were hiding their operations behind compromised everyday internet-connected devices such as routers and smart home equipment. Officials said the tactic allows attackers to evade detection while maintaining persistent access to targeted systems.

Iran-linked cyber activity has also intensified in 2026. Security Week reported on a joint advisory from U.S. federal agencies warning that Iranian-affiliated actors were targeting programmable logic controllers (PLCs) and industrial control systems used in water, energy, and municipal infrastructure. The campaign, linked to groups such as CyberAv3ngers, focused on operational disruption rather than traditional espionage.

Healthcare organizations are increasingly caught in the crossfire. In March 2026, Stryker experienced a major cyberattack allegedly linked to a pro-Iranian hacking group. The attack reportedly wiped employee devices and disrupted access to corporate systems worldwide, prompting an investigation by CISA.

Industry reports also suggest that attacks against healthcare and critical infrastructure are expanding in scale. The 2026 Health-ISAC Global Health Sector Threat Landscape Report found that ransomware, third-party compromise, and sophisticated social engineering campaigns continue to threaten hospital operations and patient care globally.

Security experts warn that nation-state cyber campaigns are no longer focused solely on espionage or data theft. Increasingly, these operations are designed to pre-position attackers inside critical systems so they can disrupt essential services during periods of political or military tension. The shift has pushed governments and organizations to prioritize cyber resilience, rapid recovery planning, and operational continuity.


 

FAQs

Why is healthcare considered a high-risk target?

Healthcare organizations rely heavily on interconnected systems, cloud services, medical devices, and third-party vendors. Cyberattacks can disrupt patient care, delay treatments, and expose sensitive patient information.

 

Why is CISA focusing on isolation and recovery?

CISA says organizations should be prepared to continue operating even if parts of their systems are compromised. Isolation capabilities help contain attacks, while recovery strategies help organizations restore systems quickly and safely.

 

Why are cyber resilience plans becoming more important?

Experts warn that cyberattacks are increasingly designed to disrupt operations, not just steal data. Strong resilience and recovery planning can help organizations continue operating during major incidents.
