Overview
The Cybersecurity and Infrastructure Security Agency published new guidance calling on critical infrastructure operators — including hospitals and health systems — to strengthen their ability to isolate affected systems and recover operations during a nation-state cyberattack. The guidance is issued under CISA's CI Fortify initiative, which focuses on keeping essential services functional when facing sustained, sophisticated attacks rather than solely preventing initial compromise.
The agency's framing represents a shift in emphasis: less on preventing every intrusion and more on ensuring that, when disruption occurs, affected organizations can contain damage and restore services quickly. For healthcare, where system downtime can directly affect patient safety, the guidance carries particular urgency.
The CI Fortify initiative targets sectors designated as critical infrastructure under federal law. Healthcare and public health is among those sectors, meaning the guidance is directly relevant to health systems, hospitals, and the vendors that support them.
Key developments
Isolation as a core operational discipline. CISA's guidance treats network isolation — the ability to segment and sever compromised systems from clean infrastructure — not as an emergency reaction but as a capability that must be built and tested in advance. Organizations that lack pre-planned isolation architecture face longer recovery times and wider blast radii when attacks occur.
Recovery planning elevated to strategic priority. The guidance pushes recovery planning beyond data backup to include operational continuity: maintaining clinical workflows, communications, and patient-record access even when primary systems are offline or untrusted. This aligns with lessons from high-profile ransomware events at health systems where backup systems were also encrypted.
Nation-state threat framing. By situating the guidance within a nation-state threat context, CISA signals that healthcare organizations should plan for adversaries with the resources and patience to target recovery infrastructure itself — not just opportunistic ransomware actors. This changes the risk calculation for how deeply redundant systems need to be and how thoroughly they must be tested.
CI Fortify as a structured federal program. Unlike advisory alerts, CI Fortify appears designed as an ongoing initiative with defined deliverables for each critical sector. Healthcare organizations can expect follow-on materials, sector-specific supplements, and potential coordination through the Health and Human Services sector risk management function.
Industry impact
Healthcare has ranked as one of the most targeted sectors for cyberattacks for more than a decade. IBM's Cost of a Data Breach report has consistently placed healthcare at or near the top for average breach cost — $10.93 million per incident in its most recent edition — and HHS's Office for Civil Rights breach portal reflects hundreds of incidents annually affecting tens of thousands of patients each. Ransomware attacks on hospitals have triggered federal emergency declarations and, in documented cases, have been associated with delayed care and adverse patient outcomes.
The CISA guidance acknowledges that total prevention is not a realistic goal against well-resourced nation-state actors. That premise has significant implications for how healthcare organizations allocate security investment: organizations that have concentrated resources on perimeter defense while underinvesting in segmentation and recovery infrastructure face the greatest operational risk if primary defenses are breached.
HHS and CISA have previously issued joint advisories warning healthcare specifically about nation-state and state-affiliated threat actors, including groups linked to North Korea and Iran. The CI Fortify guidance extends that warning into a broader operational framework.
What this means for independent practices
- Map your isolation points now. Identify in advance which systems can be segmented or taken offline without halting all clinical operations, and document the procedure so staff can execute it under pressure.
- Test your downtime procedures. Paper-based or offline downtime workflows should be rehearsed at least annually; a plan that has never been exercised will fail at the moment it is needed.
- Verify that backups are genuinely air-gapped. Backups stored on network-connected systems have been encrypted in ransomware events alongside primary data. Confirm that at least one backup copy is offline and inaccessible from production networks.
- Establish a recovery priority list. Know which systems — scheduling, EHR, pharmacy, billing — must come back online first, in what order, and who owns each recovery task.
- Review vendor contracts for continuity obligations. Business associates and EHR vendors may have their own recovery timelines that directly affect your practice's ability to operate; those timelines should be known and factored into your own continuity planning.
Independent practices typically lack the staffing depth of large health systems to respond to a prolonged outage. The CISA guidance's emphasis on pre-built, pre-tested isolation and recovery capability is especially relevant in that context: a small practice that waits until an incident to work out how to isolate a compromised workstation or restore from backup will face days of disruption that a prepared practice can compress to hours. Continuity planning should be treated as an operational discipline reviewed on a defined schedule, not a document filed away after an initial HIPAA compliance assessment.
What would have prevented this
Network segmentation architecture: Dividing clinical, administrative, and external-facing systems into separate network zones limits the ability of an attacker who compromises one segment to move laterally into others, reducing the scope of any single incident.
Offline and immutable backup systems: Maintaining at least one complete backup copy that cannot be modified or deleted from the production network — whether through physical air-gap or write-once storage controls — ensures that ransomware encryption of live systems does not also destroy recovery data.
Documented and rehearsed downtime procedures: Written workflows covering how staff will register patients, access medication records, and document care without electronic systems give an organization the ability to continue operating while systems are restored, rather than halting all activity.
Incident response plans with isolation runbooks: Pre-written, step-by-step procedures for isolating specific system types allow technical staff and clinical administrators to act quickly and consistently under the stress of an active incident, rather than improvising containment.
Regular business continuity exercises: Tabletop and functional exercises that simulate extended system outages — including the involvement of clinical leadership, not just IT — surface gaps in recovery plans before an actual event forces them into view.