Cyberattacks on healthcare are growing. According to the 2025 Ponemon Healthcare Cybersecurity Report [1], 93% of the surveyed organizations had experienced at least one cyberattack, with nearly three in four US healthcare organizations reporting related patient care disruption.
This paints a bleak picture, but it’s just one of many reports confirming the same: Our hospitals are under siege, daily. Once an attacker has their foot in the door, they seek to move laterally through the system by means such as escalating privileges, exploiting unpatched vulnerabilities, or a variety of other techniques, as they look for sensitive data they can encrypt or steal, and critical systems they can disrupt.
But what if they couldn’t get in? What if there were a model that could fortify a healthcare organization’s wall with layers upon layers of security, a shot to reinvigorate their immune system? It’s simple; the medicine is zero trust, and it doesn’t require a prescription to administer.
Key points of this article:
- The healthcare sector is facing an unprecedented scale of cyberattacks, as detailed in major industry publications.
- A major reason this is happening is that hybrid work environments defeat the purpose of perimeter security, stretching the perimeter to unwieldy proportions and creating more opportunities for exploitation than defenders can cope with.
- Models such as zero trust, also recommended in guidance from NIST and the NSA, can serve as best practice for preserving the integrity of healthcare systems.
- To tackle zero trust comprehensively, setting up multiple layers of defense in combination with an external security service can make a profound difference in resilience.
Why healthcare organizations are prime targets for cyberattacks
In a May 2025 report on the cybersecurity of smaller resource-constrained healthcare organizations, the Health Sector Coordinating Council noted [2] that, during 2024, there were more than 729 breaches of 500 or more records reported on the HHS Office of Civil Rights portal—the third consecutive year in which OCR recorded over 700 large breaches. What’s worse, the average breach costs the healthcare sector $7.42 million [3]—the highest average amongst all sectors—and it also takes the longest to identify and contain, at 279 days.
As of March 2026, the HHS Office of Civil Rights portal reports 699 HIPAA breaches as being under investigation within the past 24 months.
This is mostly enabled by hybrid environments that have become increasingly prevalent in healthcare and add to the complexity of defending against rapidly multiplying threats:
- As reported by Becker’s Health IT, a 2025 survey found that 80% of healthcare organizations are using a public cloud provider, but 40% reported that 90% or more of their IT systems remain on-prem.
- Remote work is no longer a pandemic trend, but a well-established staffing strategy for both urban and rural organizations that need to hire talent, regardless of where they live. HealthTech magazine reported that a nationwide staffing agency analyzed its job placements over the course of a year and found that 69% of the healthcare support roles it filled were fully remote.
- Medical IoT device use is growing for applications such as remote patient monitoring, and with their use also comes the requirement to protect the sensitive patient information they collect and transmit.
These interconnected hybrid systems add to the attack surface while making visibility challenging.
Why traditional perimeter security no longer works
Traditional network security focuses on securing the perimeter of the network with firewalls and access controls. Other protective layers on the network, such as endpoint protection and intrusion detection systems, augment perimeter security in the event said perimeter is breached. Once a user has authenticated to the system and been allowed access, trust inside the network is generally assumed.
However, legacy perimeter security is no longer adequate to protect a modern healthcare enterprise, since there is no longer a single and easily identified perimeter. Cloud services and applications lie outside it, satellite clinics and offices have their own local infrastructure, and remote and mobile workers seek to connect from either inside or outside the network.
Given the increasing complexity of these hybrid network environments and the rapidly evolving nature of adversary threats, traditional perimeter-based network defenses with multiple layers of disjointed security technologies have proven ineffective. Threat actors have become stealthier and more persistent, and they can penetrate network perimeter defenses with regularity. Once the perimeter is breached, assumed trust means they can traverse the network undetected and unhindered.
What is zero trust security? The “never trust, always verify” model explained
To defend their organizations in a perimeter-less environment, the healthcare sector should implement zero trust-based preventive approaches to security. The fundamental mantra of zero trust is “never trust, always verify,” but healthcare organizations have found that getting there is a complex proposition.
Zero trust is a journey. Every healthcare organization starts with a different set of IT assets in place; therefore, each has different priorities, and each faces unique constraints in terms of budget allocation and availability of IT staffing to take on new initiatives. Therefore, as healthcare strives for true zero trust, no two journeys look the same.
In its paper, Embracing a Zero Trust Security Model [4], the National Security Agency (NSA) describes zero trust as follows:
“The Zero Trust security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity. Zero Trust embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting critical assets (data) in real time within a dynamic threat environment. This data-centric security model allows the concept of least-privileged access to be applied for every access decision, allowing or denying access to resources based on the combination of several contextual factors.”
Per the NSA, the guiding principles of zero trust are as follows:
- Never trust, always verify: Treat every user, device, application/workload, and data flow as untrusted. Authenticate and explicitly authorize each to the least privilege required using dynamic security policies.
- Assume breach: Consciously operate and defend resources with the assumption that an adversary already has presence within the environment. Heavily scrutinize all users, devices, data flows, and requests for access. Log, inspect, and continuously monitor all configuration changes, resource accesses, and network traffic for suspicious activity.
- Verify explicitly: Access to all resources should be conducted in a consistent and secure manner using multiple attributes (dynamic and static) to derive confidence levels for contextual access decisions.
It is acknowledged that adopting zero trust is a non-trivial effort, and an incremental process that may take years to implement. However, organizations that take the path to zero trust reduce their risk at each step of the journey.
How ESET PROTECT MDR supports a zero trust architecture
As it proactively detects, investigates, and responds to threats, ESET PROTECT MDR supports the key tenets of a zero trust architecture as described by the National Institute of Standards and Technology (NIST) and the NSA, particularly continuous monitoring, assumed-breach operations, and behavior-based visibility.
By your powers combined!
Combining the ESET PROTECT Platform—enabled by endpoint telemetry, behavioral analytics, and AI-native detection engines—with the ESET MDR service, the combined solution and service surfaces and deals with suspicious activity, such as unauthorized access attempts and anomalous user or process behavior, swiftly and without mercy.
In a mature zero trust architecture, resource access is granted dynamically on a per-session basis using contextual signals, including:
- user identity
- device posture
- software versions
- observed behavior
- time and location
With ESET PROTECT MDR in place, your organization can start with a basic set of policies and evolve them over time, knowing that your environment is protected. The telemetry surfaced through its ESET PROTECT XDR module, combined with ESET MDR analyst findings, provides organizations with actionable data to strengthen their zero trust posture.
The secret sauce is MDR
At its core is ESET MDR working alongside the ESET PROTECT Platform, using the platform’s protective base and ESET PROTECT XDR telemetry as the foundation for threat detection and investigation. With ESET’s agents deployed across servers, laptops, and workstations, MDR analysts gain continuous visibility into endpoint events, correlated detections, behavioral indicators, and more. This allows the MDR service to deliver 24/7 monitoring, proactive threat hunting, and rapid incident response.
Device posture and vulnerability management in zero trust
In a zero trust environment, according to a special publication by NIST [5]: “[t]he enterprise monitors and measures the integrity and security posture of all owned and associated assets. No asset is inherently trusted.”
Within the ESET PROTECT Platform, ESET Vulnerability & Patch Management can assess whether endpoints have required operating system and application updates, and automates patch deployment for supported software when enabled by policy. This posture information supports the type of continuous diagnostics and mitigation (CDM) capabilities described by NIST, enabling organizations to make informed access control decisions within their broader zero trust enforcement architecture:
“An enterprise implementing a ZTA should establish continuous diagnostics and mitigation (CDM) or similar system to monitor the state of devices and applications, and should apply patches/fixes as needed. Assets that are discovered to be subverted, have known vulnerabilities, and/or are not managed by the enterprise may be treated differently (including denial of all connections to enterprise resources) than devices owned by or associated with the enterprise that are deemed to be in their most secure state …”
Confirming the security posture of connected devices also extends to personally owned devices that may receive restricted access to certain resources. Within this broader ecosystem, ESET MDR leverages telemetry from the ESET PROTECT Platform to surface actionable insights about the state of organizational assets, providing customers with enriched incident visibility and contextual reporting.
For healthcare institutions, time is precious. Every lengthy disruption can cost real human lives. Crucially, our international scope allows us to monitor your network with an around-the-clock time commitment that’s simply out of reach for all but the largest healthcare organizations. ESET analysts know the threat actors, their tactics, and their techniques. They know when an active threat on your network needs to be blocked or contained, and oversight of the ESET MDR-protected endpoints gives them the means to stop attacks by killing or blocking processes, saving lives with every response measure.
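Pulling together the contextual signals listed earlier (user identity, device posture, software versions, observed behavior, time and location) and NIST’s treatment of unmanaged or unpatched assets, the following is an added illustrative per-session policy decision. It is not ESET’s or NIST’s code; the baseline versions, allowed countries, working hours and behavior-score thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

MIN_PATCH_LEVEL = {"os": "10.0.19045", "browser": "120.0"}  # constructed baseline, not ESET policy
ALLOWED_COUNTRIES = {"US"}  # constructed: where this workforce normally connects from

@dataclass
class AccessRequest:
    user: str
    mfa_passed: bool             # identity verified for this session
    device_managed: bool         # enrolled in enterprise device management
    device_integrity_ok: bool    # posture check found no subverted components
    software: dict               # component -> installed version
    behavior_score: float        # 0.0 (normal) .. 1.0 (highly anomalous)
    request_time: datetime
    country: str

def missing_patches(software):
    """Components absent or below the required baseline, i.e. in a known-vulnerable state."""
    ver = lambda v: tuple(int(x) for x in v.split("."))
    return sorted(c for c, req in MIN_PATCH_LEVEL.items()
                  if c not in software or ver(software[c]) < ver(req))

def decide(req):
    """Per-session decision ('allow' | 'restricted' | 'deny', reasons); no signal is assumed good."""
    if not req.mfa_passed:
        return "deny", ["identity not verified"]
    if not req.device_integrity_ok:
        return "deny", ["device integrity check failed"]
    reasons = []
    if not req.device_managed:               # e.g. a personally owned device
        reasons.append("unmanaged device")
    patches = missing_patches(req.software)
    if patches:
        reasons.append("missing patches: " + ", ".join(patches))
    hour = req.request_time.astimezone(timezone.utc).hour
    if not 6 <= hour < 22:
        reasons.append("outside working hours")
    if req.country not in ALLOWED_COUNTRIES:
        reasons.append(f"unexpected location {req.country}")
    if req.behavior_score >= 0.8:
        return "deny", reasons + ["anomalous behavior"]
    return ("restricted", reasons) if reasons else ("allow", [])

def sample_request(**overrides):
    """Healthy baseline request (constructed); override fields to exercise other cases."""
    base = dict(user="dr.lee", mfa_passed=True, device_managed=True, device_integrity_ok=True,
                software={"os": "10.0.19045", "browser": "121.0"}, behavior_score=0.1,
                request_time=datetime(2026, 3, 2, 14, 0, tzinfo=timezone.utc), country="US")
    return AccessRequest(**{**base, **overrides})
```

A device that is merely unmanaged or behind on patches is downgraded to restricted access rather than rejected outright, which is the graduated treatment the NIST quotation above allows for.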
XDR telemetry and AI automation: Reducing alert noise at scale
NIST’s publication states that in a zero trust architecture, “The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications, and uses it to improve its security posture.”
ESET PROTECT XDR ingests detailed telemetry from ESET-protected endpoints and surfaces detections, correlations, and response actions in a single console. It also offers a public REST API so that alerts and context can be exported to or integrated with third-party SIEM and SOAR tools, such as Splunk or Microsoft Sentinel. It complements those platforms rather than replacing them. Thus, your internal IT team can use the information about security alerts and incidents to improve and refine your policies.
Telemetry + AI automation
The extensive use of automation and AI allows your organization to be effectively protected without a large team of expensive and hard-to-find security analysts. The ESET PROTECT Platform continuously ingests telemetry from endpoints and applies detection rules and analytics to correlate related events into indicators with rich context, such as processes involved, affected hosts, users, and timelines. This significantly reduces alert noise and gives both MDR analysts and in-house teams a clear, investigation-ready view of suspicious activity.
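As an added illustration of the correlation step described here (not ESET’s implementation), the following groups constructed endpoint events by host and process tree so that several raw alerts collapse into one investigation-ready indicator carrying its processes, users and timeline; the hostnames, users and process names are made up.

```python
from collections import defaultdict

def ev(ts, host, user, pid, ppid, proc, kind, alert=False):
    return dict(ts=ts, host=host, user=user, pid=pid, ppid=ppid, proc=proc, kind=kind, alert=alert)

# Constructed telemetry (not real data): on one host a mail client spawns a document
# viewer, which spawns a script host that fires three separate alerts; the other host is benign.
EVENTS = [
    ev("2026-03-02T09:14:02Z", "ward3-ws07", "nurse.kim", 1200, 800, "outlook.exe", "process_start"),
    ev("2026-03-02T09:15:10Z", "ward3-ws07", "nurse.kim", 1300, 1200, "winword.exe", "process_start"),
    ev("2026-03-02T09:15:31Z", "ward3-ws07", "nurse.kim", 1400, 1300, "powershell.exe", "process_start", True),
    ev("2026-03-02T09:15:33Z", "ward3-ws07", "nurse.kim", 1400, 1300, "powershell.exe", "net_connect", True),
    ev("2026-03-02T09:15:40Z", "ward3-ws07", "nurse.kim", 1400, 1300, "powershell.exe", "file_write", True),
    ev("2026-03-02T09:20:00Z", "lab1-ws02", "tech.ross", 500, 400, "chrome.exe", "process_start"),
]

def root_pid(pid, parents):
    """Walk the parent chain to the oldest ancestor observed on this host."""
    seen = set()
    while pid in parents and pid not in seen:   # 'seen' guards against pid-reuse loops
        seen.add(pid)
        pid = parents[pid]
    return pid

def correlate(events):
    """One indicator per (host, process-tree root); only trees containing an alert are surfaced."""
    parents = defaultdict(dict)
    for e in events:
        parents[e["host"]][e["pid"]] = e["ppid"]
    groups = defaultdict(list)
    for e in events:
        groups[(e["host"], root_pid(e["pid"], parents[e["host"]]))].append(e)
    indicators = []
    for (host, _), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        chain = list(dict.fromkeys(e["proc"] for e in evs))   # dedupe, keep first-seen order
        indicators.append({
            "host": host,
            "users": sorted({e["user"] for e in evs}),
            "process_chain": " -> ".join(chain),
            "first_seen": evs[0]["ts"],
            "last_seen": evs[-1]["ts"],
            "raw_alerts": sum(e["alert"] for e in evs),
            "timeline": [(e["ts"], e["proc"], e["kind"]) for e in evs],
        })
    return [i for i in indicators if i["raw_alerts"]]

def alert_reduction(events):
    """(raw alerts, indicators surfaced): what an analyst sees before vs. after correlation."""
    return sum(e["alert"] for e in events), len(correlate(events))
```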
How ESET Threat Intelligence powers faster zero trust response
Likewise, NIST also highlights the importance of threat intelligence in zero trust architecture, noting that organizations should use external and internal intelligence sources to stay aware of emerging attacks, malware, software flaws, and vulnerabilities. ESET Threat Intelligence (ETI) contributes here by providing curated insight into global threat activity, drawing on telemetry from ESET protected endpoints worldwide and the ongoing research conducted across ESET’s R&D centers.
ETI supports analysts with context on APT groups, botnet behavior, malicious domains, IP addresses, and infrastructure, complementing incident response operations with rich data delivered via curated feeds as well as separate APT and eCrime Reports. The latter give analysts unprecedented access to data that shows how actual incidents unfold, including affiliate-level attack visibility, full attack-chain timelines, and tooling.
At the same time, ETI also supports ESET MDR analyst workflows by providing contextual insights, contributing to our industry-leading six-minute response time, a result of mature endpoint protection, AI-powered XDR, and a worldwide team of threat experts.
How to start your zero trust journey as a healthcare organization
As noted above, for healthcare institutions every lengthy disruption can cost real human lives, and trust has now become a major factor in life-or-death decisions. If you are a smaller or mid-sized healthcare organization, implementing ESET PROTECT MDR could prove to be a major step in undertaking your zero trust journey, while also heavily contributing to your overall cyber resilience. So why not take what the doctor ordered?
Explore how ESET protects healthcare organizations with advanced endpoint security, MDR, and zero trust-aligned solutions. For further details, check out our other healthcare blog.
Additional references
1) Bradley, T. (2025, October 8). Cybersecurity in healthcare is now a clinical safety issue. Forbes. https://www.forbes.com/sites/tonybradley/2025/10/08/cybersecurity-in-healthcare-is-now-a-clinical-safety-issue/ Accessed: 27.02.2026.
2) Health Sector Coordinating Council Cybersecurity Working Group. (2025). On the edge: Cybersecurity health of America’s resource-constrained health providers (Findings and recommendations). https://healthsectorcouncil.org/wp-content/uploads/2025/05/On-the-Edge-RESOURCE-CONSTRAINED-HEALTHCARE-CYBERSECURITY.pdf Accessed: 27.02.2026.
3) IBM Security, & Ponemon Institute. (2025). Cost of a data breach report 2025 (p. 12). IBM.
4) National Security Agency. (2021, February 25). Embracing a Zero Trust security model. https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF Accessed: 27.02.2026.
5) National Institute of Standards and Technology. (2020). Zero Trust architecture (NIST Special Publication 800-207). https://doi.org/10.6028/NIST.SP.800-207 Accessed: 27.02.2026.