With the uptick in Russia-led cyberattacks against all types of non-military targets, business executives have to start thinking like military commanders, says Larry Clinton, president of the Internet Security Alliance. “Critical infrastructure is now taking on national security responsibilities,” he says. “Ordinary [businesses] have to be prepared to repel attacks from nation-states. That wasn’t true until recently.”

To address this new reality, a number of healthcare providers are becoming proactive in their preparation for future attacks. For example, Hospital Corporation of America (HCA) and Kaiser Permanente take an always-on approach to cybersecurity, says M. Eric Johnson, a professor of business strategy at Vanderbilt University. Kaiser prioritizes asset management, rigorously keeping track of who has access to sensitive information and vigorously protecting system administrators’ credentials to make sure unauthorized employees can’t slip through a firewall unnoticed. “HCA approaches cybersecurity like a Fortune 500 company, with a full-time CISO and continuous monitoring for threats,” says Johnson.

Regardless of size, all healthcare providers must proactively defend themselves against attacks as the number and seriousness of threats is growing and becoming more serious. “At some point, a nation-state sponsored attack will succeed and take many lives,” warns Greiman. “We should not wait until then to make changes.”