IndustrialCyber

Health-ISAC flags gaps in cyber resilience and incident response, calls for incident coordination and information sharing


The Health Information Sharing and Analysis Center (Health-ISAC) released its ‘2025 After-Action Report,’ drawing on a series of seven resilience exercises conducted through regional workshops with member organizations and strategic partners. The exercises were designed to test security preparedness and operational resilience, while enabling participants to exchange insights and identify effective practices in responding to cyber incidents impacting the healthcare sector.

The report highlights a set of recurring operational priorities, including the need for layered monitoring to detect threats early, rapid containment to limit impact on patient care, and clearly defined incident declaration processes to enable coordinated response. It also underscores the importance of cross-functional coordination spanning technical, operational, and leadership teams, as well as the use of out-of-band communications during incidents.

Broader considerations such as legal, regulatory, and public communication requirements, as well as the complexity of ransomware payment decisions, were found to shape response outcomes. The findings further point to gaps in coordination between cyber and physical security teams, while emphasizing that joint exercises, structured after-action reporting, and timely information sharing are critical to strengthening sector-wide resilience.

Health-ISAC consolidated the observations from the seven exercises into several key findings. Participants underscored the need to leverage multiple monitoring tools and data sources, including firewall logs, SIEM platforms, EDR tools, IAM systems, and DLP capabilities, to detect unauthorized access and potential data exfiltration.

They emphasized that correlating alerts across these systems allows analysts to spot suspicious behavior more quickly, from abnormal traffic patterns and unusual authentication activity to encryption spikes that may signal compromise. Supplementary inputs, such as email logs, hardware monitoring data, and CCTV footage, add critical context to investigations. Participants also agreed that integrating diverse telemetry and measuring activity against established network baselines strengthens the ability to detect external intrusions and insider threats.
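The correlation described above, shown as an added example rather than anything from the Health-ISAC report: events from IAM, firewall, EDR and DLP sources are normalized, scored against a per-host baseline (usual login geography and hours, typical daily egress volume), and a host is only surfaced when independent sources corroborate each other. The event fields, the baselines, the point values and the sample log records are all constructed for illustration.

```python
"""Cross-source alert correlation against per-host baselines (added example).

Everything below is constructed: the event schema, the baselines and the
sample telemetry are illustrative, not taken from any real environment.
"""
from collections import defaultdict

# Constructed sample telemetry, already normalized to one dict per event.
# ws-icu-07 shows an unusual login, an egress spike, mass file renames and
# a DLP hit; ws-lab-02 is a normal day and should not be flagged.
SAMPLE_EVENTS = [
    {"ts": "2025-04-02T02:13:05Z", "source": "iam", "host": "ws-icu-07",
     "user": "rn.lee", "event": "login_success", "geo": "RU", "hour": 2},
    {"ts": "2025-04-02T02:20:41Z", "source": "firewall", "host": "ws-icu-07",
     "bytes_out": 4_200_000_000, "dst": "203.0.113.9", "dst_port": 443},
    {"ts": "2025-04-02T02:31:09Z", "source": "edr", "host": "ws-icu-07",
     "event": "mass_file_rename", "count": 1850},
    {"ts": "2025-04-02T02:32:55Z", "source": "dlp", "host": "ws-icu-07",
     "event": "phi_pattern_match", "channel": "https"},
    {"ts": "2025-04-02T09:02:11Z", "source": "iam", "host": "ws-lab-02",
     "user": "tech.ray", "event": "login_success", "geo": "US", "hour": 9},
    {"ts": "2025-04-02T11:45:00Z", "source": "firewall", "host": "ws-lab-02",
     "bytes_out": 80_000_000, "dst": "198.51.100.20", "dst_port": 443},
]

# Constructed per-host baselines; in practice these are learned from history.
BASELINES = {
    "ws-icu-07": {"daily_egress_bytes": 150_000_000, "usual_geos": {"US"},
                  "usual_hours": range(6, 20)},
    "ws-lab-02": {"daily_egress_bytes": 120_000_000, "usual_geos": {"US"},
                  "usual_hours": range(6, 20)},
}


def score_event(event, baseline):
    """Map one event to (signal_name, points) if it deviates from the baseline.

    Point values are an illustrative weighting, not a published scheme.
    """
    src = event["source"]
    if src == "iam" and event["event"] == "login_success":
        # Unusual authentication: wrong geography or outside working hours.
        if (event["geo"] not in baseline["usual_geos"]
                or event["hour"] not in baseline["usual_hours"]):
            return ("unusual_auth", 2)
    elif src == "firewall":
        # Abnormal traffic: egress an order of magnitude above the daily norm.
        if event["bytes_out"] > 10 * baseline["daily_egress_bytes"]:
            return ("egress_spike", 3)
    elif src == "edr" and event["event"] == "mass_file_rename":
        # Encryption-like activity: many files renamed in a short window.
        if event["count"] >= 500:
            return ("encryption_like_activity", 4)
    elif src == "dlp" and event["event"] == "phi_pattern_match":
        return ("sensitive_data_on_wire", 2)
    return None


def correlate(events, baselines, threshold=5):
    """Aggregate per-host signals and return hosts worth an analyst's attention.

    A host is reported only when its score reaches the threshold AND at least
    two independent sources contributed, so a single noisy tool cannot page
    the on-call analyst by itself.
    """
    per_host = defaultdict(lambda: {"score": 0, "signals": [], "sources": set()})
    for event in events:
        baseline = baselines.get(event["host"])
        if baseline is None:
            continue  # no baseline yet: skip rather than guess
        hit = score_event(event, baseline)
        if hit is None:
            continue
        name, points = hit
        entry = per_host[event["host"]]
        entry["score"] += points
        entry["signals"].append(name)
        entry["sources"].add(event["source"])
    return {host: data for host, data in per_host.items()
            if data["score"] >= threshold and len(data["sources"]) >= 2}


if __name__ == "__main__":
    for host, data in correlate(SAMPLE_EVENTS, BASELINES).items():
        print(host, data["score"], sorted(data["sources"]), data["signals"])
```

The two-source requirement is the part worth copying: each individual signal (an off-hours login, a large upload) is routine on its own, and it is the combination across telemetry sources, measured against what is normal for that specific host, that distinguishes a compromise from background noise.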

Rapid containment is critical to limiting operational and patient care impacts. Participants stressed that once malicious activity is confirmed, immediate action is essential. This includes isolating infected systems through EDR tools, disconnecting compromised devices, and isolating affected sites to prevent lateral movement across healthcare networks. Proactive measures such as network segmentation and microsegmentation were also highlighted as key enablers of effective containment.

They acknowledged that such actions can disrupt operations, often forcing a shift to downtime procedures or paper-based workflows. Even so, participants were clear that containment must take precedence to avoid further compromise of clinical systems, medical devices, and sensitive patient data. Reviewing logs to assess whether attackers accessed medical devices or moved laterally across hospitals and partner networks was also identified as a critical step.

The Health-ISAC observed that clear incident declaration processes enable a quick and coordinated response. Participants emphasized the importance of predefined escalation pathways and well-defined criteria for declaring incidents. In many cases, potential threats are first flagged through help desks or operational teams before reaching cybersecurity leadership or security operations centers.

They noted that organizations should favor early escalation, as seemingly routine IT issues can quickly evolve into confirmed cyber incidents. Empowering frontline staff to escalate concerns and involving cybersecurity teams early improves response speed and situational awareness. Establishing a designated Incident Commander and setting clear approval thresholds for major actions, such as network shutdowns or system disconnections, were also seen as essential.

Effective response requires strong coordination across technical, operational, and leadership teams. Participants highlighted the need for close collaboration between cybersecurity, IT operations, clinical leadership, emergency management, legal teams, and executive leadership during incidents.

Early engagement with senior leadership enables faster assessment of operational impact, activation of business continuity plans, and preparation for disruptions to patient care. For prolonged incidents, structured staffing models with defined response teams and shift rotations are necessary to sustain operations and avoid burnout. External partners, including digital forensics firms, cyber insurance providers, and incident response vendors, also play a key role in containment, investigation, and recovery. Engaging these partners in advance through exercises or consultations helps clarify expectations and reduce friction during real-world incidents.

Out-of-band communications are essential during cyber incidents. Participants emphasized the need for reliable alternatives when primary systems such as email, messaging platforms, or phone networks are disrupted. Options such as mass notification systems, phone trees, internal platforms, and manually distributed situation reports were widely cited. Emergency operations centers can help coordinate the preparation, approval, and dissemination of updates, while preconfigured ‘black site’ webpages and pre-approved messaging templates enable rapid communication with staff and patients. Clear communication cadences and centralized messaging were seen as critical to reducing confusion and limiting misinformation.

The Health-ISAC pointed to legal, regulatory, and public communications considerations that significantly shape response processes and outcomes. Participants highlighted the central role of legal counsel in guiding forensic activities, regulatory reporting, and external communications, ensuring compliance and, where appropriate, preserving legal privilege. Close coordination between cybersecurity, legal, and communications teams is essential to deliver accurate, consistent, and defensible messaging to staff, patients, media, and other stakeholders. Predefined communication plans, approved templates, and clearly designated spokespersons were identified as key elements of an effective crisis response.

Healthcare organizations must balance operational recovery with forensic and regulatory requirements. Participants pointed to the tension between restoring critical systems, such as electronic health records and clinical platforms, and preserving evidence for investigation or law enforcement. Verifying the integrity of backups before restoration and prioritizing recovery based on patient safety and operational criticality were seen as essential steps. Many stressed adopting a zero-trust mindset during recovery, assuming systems and credentials may be compromised until validated.

Ransom payment decisions require rigorous legal, operational, and ethical scrutiny. Participants described these decisions as complex and high-risk, noting that payment does not guarantee data recovery, deletion, or protection from further extortion. Concerns include regulatory exposure, potential sanctions violations, reputational damage, and the risk of incentivizing future attacks. Many observed that restoring from reliable backups is often faster and more dependable than relying on threat actors. Decisions should involve executive leadership, legal counsel, and external advisors, with input from cyber insurance providers, incident response vendors, and law enforcement where necessary.

Strengthening coordination between cyber and physical security teams remains an area of opportunity. Participants noted that while both functions are critical during complex incidents, collaboration is often limited. They called for shared communication channels, joint response procedures, and unified command structures, such as hospital incident command frameworks, to improve coordination when cyber incidents intersect with physical threats or facility disruptions. Stronger alignment between these teams can enhance situational awareness and reduce response delays.

Joint exercises across cyber, physical, legal, and operational teams improve organizational preparedness. Participants observed that many organizations still run these exercises in isolation, leaving gaps when responding to multi-faceted incidents. Those who have adopted integrated exercises involving cybersecurity, physical security, emergency management, legal, and clinical leadership reported better coordination and clearer understanding of roles. Expanding these efforts to include integrated cyber-physical scenarios, executive-level tabletop exercises, and routine cross-functional collaboration was seen as key to strengthening readiness.

Structured after-action reporting is essential for continuous improvement. Participants emphasized the need for thorough reviews following incidents or exercises, with a focus on root cause analysis, key decision points, lessons learned, and clear identification of strengths and gaps. They noted that corrective actions should be assigned to accountable teams and tracked through formal governance processes to ensure follow-through. Internal audit functions can support this by verifying that improvements are implemented and sustained. Maintaining detailed timelines, documentation, and evidence throughout the response process was also highlighted as a best practice for both organizational learning and regulatory compliance.

Timely information sharing enhances sector-wide resilience during incidents. Participants underscored that proactive, real-time information sharing, both internally and with external partners, is critical to reducing the impact of cyber and physical incidents on healthcare operations and patient care. Within organizations, rapid dissemination of accurate incident details across cybersecurity, IT, clinical leadership, physical security, legal, and executive teams improves situational awareness and speeds decision-making. Establishing clear processes to document indicators of compromise, affected systems, and operational impacts, and distributing this information through defined channels, was seen as essential.

Externally, participants highlighted the value of trusted information-sharing networks, including Health-ISAC, along with coordination with government partners and incident response providers. Sharing anonymized indicators of compromise, tactics, techniques, and procedures, phishing activity, and lessons learned enables peer organizations to detect threats earlier, validate defenses, and avoid similar pitfalls. Organizations that contribute to and leverage shared threat intelligence were viewed as better positioned to identify and mitigate malicious activity.

The Health-ISAC report highlighted several practical considerations for effective information sharing. Establishing predefined criteria and approval workflows for what can be shared, with whom, and when helps prevent delays and reduces legal, regulatory, reputational, and patient privacy risks during an incident. Using established Health-ISAC channels and standardized formats, such as structured IOC packages, bulletins, and secure portals, streamlines dissemination and improves the usability of shared intelligence.

They also stressed the importance of bidirectional communication, where organizations provide ongoing updates to Health-ISAC and trusted partners as investigations evolve. This continuous exchange supports the refinement of defensive measures across the sector. Overall, participants agreed that timely, structured, and well-coordinated information sharing, both internally and across the healthcare ecosystem, acts as a force multiplier, strengthening collective resilience and reducing the risk of isolated incidents escalating into sector-wide crises.
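The sharing practices described in the preceding paragraphs (anonymized indicators, predefined approval criteria, a structured package) as an added example, not code from Health-ISAC or from the report: an internal incident record is turned into an outbound package only after the required approvers have signed off, internal IP ranges and hostnames are stripped, affected systems are reduced to asset classes, and a final check confirms no internal identifier leaked into the serialized output. The record layout, approver roles, internal address ranges, domain suffix and the sample incident are all constructed for illustration.

```python
"""Approval-gated, anonymized IOC sharing package (added example).

The incident record format, approver roles, internal network ranges and the
sample data are constructed for illustration; none of it is from the report.
"""
import hashlib
import ipaddress
import json

# Constructed sharing criteria: both roles must approve before release.
REQUIRED_APPROVERS = {"ciso", "legal"}
# Constructed internal address space and naming domain that must never be shared.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_DOMAIN_SUFFIXES = (".corp.hospital.example",)

# Constructed internal incident record, as an IR team might keep it.
SAMPLE_INCIDENT = {
    "incident_id": "IR-2025-0042",
    "indicators": [
        {"type": "ipv4", "value": "203.0.113.45", "context": "C2 callback"},
        {"type": "ipv4", "value": "10.20.30.40", "context": "first infected workstation"},
        {"type": "domain", "value": "update-portal.example.net", "context": "phishing landing page"},
        {"type": "domain", "value": "ehr-db01.corp.hospital.example", "context": "targeted database host"},
        {"type": "sha256", "context": "dropper",
         "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    ],
    "ttps": ["T1566.001 Spearphishing Attachment", "T1486 Data Encrypted for Impact"],
    "affected_systems": [
        {"hostname": "ws-icu-07.corp.hospital.example", "owner": "rn.lee",
         "asset_class": "clinical workstation"},
        {"hostname": "ehr-db01.corp.hospital.example", "owner": "dba.kim",
         "asset_class": "EHR database"},
    ],
    "lessons_learned": ["Downtime procedures were activated within 40 minutes."],
}


def is_internal_indicator(ioc):
    """True for indicators that describe the victim rather than the attacker."""
    if ioc["type"] == "ipv4":
        addr = ipaddress.ip_address(ioc["value"])
        return any(addr in net for net in INTERNAL_NETWORKS)
    if ioc["type"] == "domain":
        return ioc["value"].lower().endswith(INTERNAL_DOMAIN_SUFFIXES)
    return False  # file hashes carry no victim identity


def build_share_package(incident, approvals, tlp="AMBER"):
    """Produce the outbound package, or refuse if approvals are incomplete."""
    missing = REQUIRED_APPROVERS - set(approvals)
    if missing:
        raise PermissionError(f"sharing not approved by: {sorted(missing)}")
    # Opaque reference so peers can ask follow-up questions without learning
    # the internal ticket id.
    reference = hashlib.sha256(incident["incident_id"].encode()).hexdigest()[:16]
    return {
        "tlp": tlp,
        "reference": reference,
        "indicators": [
            {"type": i["type"], "value": i["value"], "context": i["context"]}
            for i in incident["indicators"] if not is_internal_indicator(i)
        ],
        "ttps": list(incident["ttps"]),
        # Asset classes tell peers what was hit without naming hosts or owners.
        "affected_asset_classes": sorted({a["asset_class"] for a in incident["affected_systems"]}),
        "lessons_learned": list(incident["lessons_learned"]),
    }


def leaked_internal_identifiers(package, incident):
    """Release check: return any internal identifier found in the serialized package."""
    blob = json.dumps(package).lower()
    sensitive = [incident["incident_id"]]
    sensitive += [a["hostname"] for a in incident["affected_systems"]]
    sensitive += [a["owner"] for a in incident["affected_systems"]]
    return [s for s in sensitive if s.lower() in blob]


if __name__ == "__main__":
    pkg = build_share_package(SAMPLE_INCIDENT, {"ciso", "legal"})
    assert not leaked_internal_identifiers(pkg, SAMPLE_INCIDENT)
    print(json.dumps(pkg, indent=2))
```

The release check at the end is deliberately separate from the builder: the builder encodes what the organization intends to strip, while the check catches what it forgot, which is the kind of gap an approval workflow exists to close.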

In March, the Health-ISAC marked its fifteenth year by doubling down on sector-wide resilience as cyber and physical threats continue to disrupt healthcare delivery worldwide. In its Annual Report 2025, the organization details expanded global threat intelligence operations, including round-the-clock ‘follow-the-sun’ coverage with new analysts in Asia-Pacific, and broader international collaboration, such as the onboarding of 90% of Belgium’s public hospitals.
