Can healthcare achieve true resilience? Introducing the minimal viable hospital
This is the final installment of a three-part series sponsored by Zscaler and focused on the evolving role of cybersecurity in healthcare. The series explores the industry’s shift from compliance-driven security toward operational resilience, examines why growing cyber investments do not always translate into effective protection, and outlines how healthcare organizations can define and build a “minimal viable hospital” capable of sustaining safe patient care during disruption. Read article 1, Understanding the shift from compliance to continuity in healthcare, and article 2, Healthcare security paradox: How effective are cyber investments?
The massive cyberattacks and outages faced by healthcare in recent years have demonstrated how a sudden loss of connectivity can drastically impact operations for the impacted entity, as well as nearby hospitals that take on any diverted patients.
Technology dependence has created a new risk state in healthcare — where if systems go down from a cyberattack, a power outage, or even a vendor disruption, care delivery organizations struggle to maintain care.
More than ever, incident response and disaster recovery plans are paramount to the continuity of care. In this current state of digital healthcare, organizations must define the minimum set of capabilities required to safely operate during a cyber event to reduce risk, improve response and recovery times, and ensure all workforce members and clinicians understand their role in the event of unexpected downtime.
In this ideal minimal viable hospital, organizations know exactly which systems are mission critical to patient care and the smallest number of systems and apps needed to maintain it.
Examining the premise of the minimal viable hospital
The idea of the minimal viable hospital is to truly examine the barest number of tools and technology necessary to operate for a period of three to five weeks. For reference, the average downtime hovers around four weeks in healthcare.
Anecdotally, industry leaders have long worried about the impact on patient care and morbidity at the victim hospital. During the Change Healthcare cyberattack in 2024, for example, patients admitted themselves to the hospital when they could not access their chronic care prescriptions. Many providers could not bill, as those processing systems were also down, which forced some to delay paying employees. Some providers opted to take out personal loans to keep the lights on. Some closed altogether.
That’s where a minimal viable hospital can help organizations better understand their true resilience — and in doing so, reduce tech and tool bloat. As recently discussed during a CHIME webinar featuring Zscaler CISO Ravi Monga (available on demand), in this process, network defenders examine:
- Which clinical systems are non-negotiable during an outage?
- What is your manual fallback for medication administration?
- Can your nursing staff actually execute paper-based workflows?
- What is your real RTO (recovery time objective) for your EHR, and have you tested it?
- Have you validated recovery in an isolated environment?
The goal, of course, is to validate that the organization can safely deliver patient care during an incident.
The struggles facing healthcare are not tied to a lack of adoption or awareness around the need to better protect systems. In fact, it’s the opposite: the Digital Health Most Wired report found an 84.2% adoption rate in cybersecurity investments. The trouble lies within the 21.5% integration gap, which shows these tools are in place but not optimized.
Strategic misalignment occurs when organizations focus on tactical tool acquisition, rather than strategic integration.
Understanding mission critical processes
In 2022, parts of the healthcare sector first learned the hard way about the importance of securing mission critical processes during the cyberattack and month-long outage against payroll service vendor UKG that disabled its Kronos Private Cloud product. During the outage, employees and clients asked the media and community boards: Shouldn’t providers have had contingencies in place to ensure employees are paid? And the bigger question, who is to blame?
The impacted providers were forced to manually track and estimate employee hours. Some even put the onus on employees to validate their time.
The service disruptions made it clear: Organizations need to identify the risks and most critical elements within the enterprise that are necessary to maintain business operations. This includes patient-facing technology and mission critical cloud data, but it should also extend to prescribing and billing services, as well as payroll and phone lines.
Further, healthcare stakeholders have long stressed the importance of business continuity plans that include the aforementioned items. But the most important piece is to practice and test policies and tools to ensure those pieces work during an incident.
Achieving minimal viable hospital status
The true foundation of minimal viable hospitals starts with workflows, not technology. Network defenders should walk through the patient experience, from registration to discharge, noting every system and dependency used for every step.
How do we build resilience around those essential technologies?
With objective answers, network defenders can review and enhance policies to provide clarity for teams across the organization. Policies can only go so far if they are not validated or enforced, or if the teams tasked with performing the frontline work during an incident lack a full understanding of their responsibilities and expectations; that means practicing downtime procedures as one would tackle disaster recovery.
Frameworks like NIST and the HHS Cyber Performance Goals can provide objective structure to prioritize remediation of gaps. They can also support auditing of the tech stack and its other dependencies, particularly the background services that support main systems and are often overlooked.
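As an added example (not the article’s or Zscaler’s code), the workflow walk and the five questions above modelled as a small Python script: the patient workflow, its dependency map and the fallback register are constructed, assumed inputs; the script derives the transitive set of systems the care path actually needs, excludes systems that are in the estate but not on the care path, and reports which required systems still lack a manual fallback, a drilled fallback, or a validated RTO.

```python
# Added example (not from the article or Zscaler): walk a patient workflow as a dependency
# graph, derive the minimal system set, and flag unanswered fallback/RTO questions.
from collections import deque

# Constructed map: system -> background systems it relies on (the ones often overlooked).
DEPENDS_ON = {
    "adt": ["ehr", "identity_provider"],          # admit/discharge/transfer system
    "ehr": ["identity_provider", "core_network"],
    "pharmacy": ["ehr", "identity_provider"],
    "lab_system": ["ehr", "core_network"],
    "billing": ["ehr"],
    "payroll": ["payroll_vendor"],                 # in the estate, but not on the care path
}
# Constructed workflow walk, registration to discharge: step -> systems touched.
WORKFLOW = {"registration": ["adt"], "triage": ["ehr"], "order_labs": ["lab_system"],
            "medication_admin": ["pharmacy"], "discharge": ["ehr", "billing"]}
# Constructed fallback register: system -> (manual fallback exists, fallback drilled with
# staff, RTO in hours or None, RTO validated in an isolated environment).
FALLBACKS = {
    "ehr": (True, True, 72, True),
    "pharmacy": (True, False, 24, False),   # paper MAR exists but was never drilled
    "lab_system": (True, True, 48, True),
    "billing": (False, False, None, False),
    "identity_provider": (True, True, 8, True),
    "core_network": (False, False, 12, True),
}

def required_systems(workflow=WORKFLOW, depends_on=DEPENDS_ON):
    """Transitive closure: every system any care step depends on, directly or not."""
    needed, queue = set(), deque(s for systems in workflow.values() for s in systems)
    while queue:
        name = queue.popleft()
        if name not in needed:
            needed.add(name)
            queue.extend(depends_on.get(name, []))
    return needed

def resilience_gaps(required, fallbacks=FALLBACKS):
    """Map each required system to the workflow-walk questions it still fails."""
    gaps = {}
    for name in sorted(required):
        # A system missing from the register counts as having no fallback and no RTO.
        has_fb, drilled, rto, rto_tested = fallbacks.get(name, (False, False, None, False))
        checks = [(not has_fb, "no manual fallback"),
                  (has_fb and not drilled, "fallback never drilled"),
                  (rto is None, "RTO undefined"),
                  (rto is not None and not rto_tested, "RTO never validated in isolation")]
        reasons = [msg for failed, msg in checks if failed]
        if reasons:
            gaps[name] = reasons
    return gaps
```

Running `resilience_gaps(required_systems())` on the constructed data surfaces the ADT system, which appears in the workflow walk but never made it into the fallback register, alongside the pharmacy fallback that exists on paper but was never drilled.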
However, the real work lies in moving these policies from the page to the bedside.
The Resilience Imperative
Healthcare has spent the last decade proving it can adopt technology. The next decade demands something harder: proving it can survive without it.
While there will be many organizations with large security budgets or the most sophisticated tool stacks, the true leaders in this space will be those who have done the unglamorous work: walking every patient workflow, stress-testing every fallback, and drilling downtime procedures until clinical staff execute them without hesitation. They will measure resilience by what continues to function when everything fails.
That is a different definition of “done.” And most of healthcare isn’t there yet.
Ignorance and underinvestment are challenges, but the primary gap is the persistent organizational habit of treating cybersecurity as an IT problem rather than a care delivery problem. Every unvalidated policy, every untested recovery plan, every clinical team that has never run a downtime drill is a liability that doesn’t appear on any dashboard — until 3:00 AM, when a total network outage forces the question no one wanted to answer under pressure: Can we still keep patients safe?
The minimal viable hospital framework exists to make sure that answer is always yes.
Healthcare leaders who are ready to move from security posture to operational resilience — from documentation to demonstrated preparedness — can start with the same conversation Monga brought to CHIME: What does your organization actually need to function, and have you proven it? (Watch the full session on demand.)
About Zscaler
Zscaler, a leader in cloud security, helps healthcare organizations protect patient data and critical systems with its Zero Trust platform. As the healthcare landscape becomes increasingly digital, Zscaler understands the importance of robust cybersecurity measures in ensuring secure and compliant operations.