    Insight Article
    Juliet Govern, MBA, PMP, CISSP, NREMT
    Autumn Pattee, PA-C, MPH
    Rudy Montoya, CISSP
    Ronald Menaker, EdD, MBA, FACMPE

    Introduction

    Healthcare leaders face escalating cybersecurity threats that jeopardize patient safety and organizational operations: The industry is a “high-value target for cybercriminals and nation-state actors alike,” and “2025 was defined by a critical escalation in the volume, complexity, and systemic risk facing the global health ecosystem.”1

    Cyberattacks affected 72% of healthcare organizations, with attacks causing patient-care disruptions up 3% last year and “severe clinical consequences: 54% reported increased medical procedure complications, 53% reported longer patient stays and 29% reported a rise in mortality rates as a direct result.”2

    Yet many clinicians and administrators lack a clear, grounded framework for understanding and communicating cybersecurity risks. This article bridges that gap by applying foundational principles of emergency medicine and emergency response — such as rapid triage decision-making and mass-casualty protocols — to the cybersecurity domain.

    A second gap facing the healthcare industry extends beyond interdisciplinary understanding: widespread staff shortages. By 2038, the United States is projected to face a shortfall of 141,000 physicians across all specialties.3 Demand for technical cybersecurity professionals is outpacing supply and doubling annually.4 In industries like healthcare, cybersecurity professionals and clinicians, both in short supply, need to work collectively to alleviate the operational cybersecurity risks threatening the healthcare landscape. This partnership between technical and clinical expertise will be key.

    To address the challenges of building cybersecurity literacy, we must educate at scale and communicate in familiar, accessible terms. Research shows that the “use of analogies in instruction can significantly reduce the cognitive load a student faces in learning” ... and is “effective and result(s) in improved student learning outcomes.”5 For this article, we use emergency medicine and emergency response analogies to understand key cybersecurity concepts. From this foundation, clinicians and administrators can more effectively educate their teams and reinforce the importance of avoiding prevalent cybersecurity risks. Building a strong risk alliance among clinicians, administrators and cybersecurity professionals is crucial for the improvement of healthcare. Let’s start now.

    "Shame on all of us ... if we cannot, at this moment in time, come together and create the pathways ... to do what we already know we can do: provide better outcomes for patients." — Gianrico Farrugia, MD6

    Frameworks

    Let us first look at how these disciplines are defined and compare them.

    Emergency Medicine (and Emergency Response)

    “A field of practice based on the knowledge and skills required for the prevention, diagnosis and management of acute and urgent aspects of illness and injury affecting patients of all age groups with a full spectrum of undifferentiated physical and behavioral disorders. It further encompasses an understanding of the development of pre-hospital and in-hospital emergency medical systems and the skills necessary for this development.”7

    Cybersecurity

    “Prevention of damage to, protection of and restoration of computers, electronic communications systems, electronic communications services, wire communication and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality and nonrepudiation.”8 

    Table 1. Comparison of Emergency Medicine and Emergency Response and Cybersecurity

    From commonalities in definition to parallels in governance, Table 1 highlights how each discipline falls under the regulation, policy and protocol frameworks. Although not exhaustive, it demonstrates how this structure influences the disciplines in their daily operations and quality standards.

    Understanding this alignment provides useful analogies for interpreting cybersecurity concepts through the lens of emergency medicine and emergency response. These concepts can be specifically applied to the following domains: Sources of Emergencies, Systems Affected, Validity of Emergencies, Acuity/Severity Level, Protocols/Playbooks, Size of the Emergency, and Disease Transfer.

    Sources of Emergencies

    In Emergency Medicine and Emergency Response

    In Emergency Medical Services (EMS), emergency responders analyze what may have caused the medical emergency to guide treatment and to ensure personal and personnel safety. Consider a welfare check at a residence where multiple individuals are unconscious. The cause could be an infectious pathogen (such as COVID-19), or a caustic agent (such as carbon monoxide). Identifying the source of the emergency helps responders provide effective care and support for patient(s) while safeguarding themselves.

    In trauma cases, such as vehicular collisions, responders analyze several key factors, including the cause of the accident, whether it resulted from a medical event or driver error, and the mechanism and speed of impact. Establishing reference points for the source of an emergency, such as medical, traumatic, or related to mental health, aids in treatment decisions and minimizes risk to responders.

    In Cybersecurity

    A similar principle applies in cybersecurity: understanding causation aids in assessing the severity of the threat. Whether an organizational breach or system compromise was caused by external actors or by insiders shapes the response:

    • External actors (cybercriminals, hackers, nation-state actors) determine the choice of playbook, the number of resources needed, how visibility is gained and how leaders are kept informed; versus
    • Insider threats or negligence (unintentionally negligent employees, disgruntled employees, IT maintenance), which could invoke different solutions, resources and responses.

    Systems Affected

    In Emergency Medicine and Emergency Response

    Penetrating Trauma occurs when a foreign object pierces the skin and damages underlying tissues. Examples include high-velocity injuries such as gunshot wounds or shrapnel, as well as lower-velocity wounds such as stabbings or impalements.

    Clinicians must identify all wounds involved in the trauma and perform a thorough physical examination. Key questions include whether the wound is through-and-through, a superficial graze, or contains retained projectiles. Identifying any foreign bodies — such as bullet fragments, which can lead to neurovascular compromise or large organ/viscus injury — is important for long-term patient outcomes.9

    Certain mechanisms, injuries, or exam findings (e.g., seat-belt sign, calcaneal fractures, sternal fractures) are known risk factors for more extensive internal damage. A trained practitioner will know to take the next steps to diagnose the expected associated injuries.

    In Cybersecurity

    In cybersecurity, symptom presentation often serves as the key indicator that an incident is occurring. Whereas clinicians obtain a patient history and conduct a physical exam, cybersecurity professionals rely on signals collected in a real-time central command center called a SIEM (Security Information and Event Management). Functionally, SIEM can be likened to the human body’s neurological system, as it continuously collects, monitors, analyzes and reports on the operational state of all IT environments or systems. Some SIEMs also initiate automatic defensive actions, similar to an immune system response. When the SIEM system does not provide autonomous defense, Security Orchestration, Automation, and Response (SOAR) tools fulfill this automatic-response role.

    Cybersecurity professionals also examine specific IT systems when symptoms of breach or compromise are detected:

    • Networks (analogous to the circulatory system)
    • Applications (metabolic processes)
    • Endpoints, such as laptops, desktops, printers, servers, etc. (alveoli facilitating exchange)
    • Identity systems (DNA)

    Identifying the IT system(s) affected enables cybersecurity professionals to examine the activity using frameworks such as the Cyber Kill Chain, which help identify where the adversary is in the attack lifecycle and where to disrupt it.10

    In both cybersecurity and medicine, understanding which systems are affected allows responders to move beyond managing symptoms. It enables them to identify associated compromises or injuries and treat the root cause, leading to better outcomes.

    Validity of Emergencies

    In Emergency Medicine and Emergency Response

    Patients may present with variable symptoms for the same diagnosis based on their underlying conditions and comorbidities. Likewise, not all subjective symptoms correspond to objective findings. Abdominal pain, for example, is among the most common presenting complaints in an emergency department and has a broad differential that ranges from emergent to benign.11 The differential is commonly approached through pattern recognition. For instance, a ruptured abdominal aortic aneurysm (AAA) is high on the differential in a hypotensive patient with sudden-onset abdominal pain and pulsatile abdominal mass.12 Oftentimes, symptoms are more vague. Diagnostic tools such as labs and imaging are required until a diagnosis of exclusion can be reached. A diagnosis of exclusion requires time, attention and additional effort by the practitioner. 

    This is why emergency medicine practitioners are trained to rapidly distinguish true emergencies from non-emergent conditions — for example, differentiating life-threatening abdominal pain caused by a ruptured AAA from abdominal pain attributable to gastroesophageal reflux disease (GERD). The ability to determine emergency validity is an essential component of emergency practice. 

    In Cybersecurity

    In medicine, evidence-based reasoning supports the diagnostic process. In cybersecurity, this parallel is linking indicators of compromise (IOCs) to known threats. The more direct the connection between an IOC and a validated cybersecurity threat, the more apparent it is a true positive. True positives can result in a timelier response, remediation and recovery. 

    When no clear IOC-to-threat relationship emerges, cybersecurity professionals must rely on a diagnosis of exclusion and determine whether they are observing a false positive or a true negative. In doing so, professionals consider:

    • the prevalence of a threat (How likely is it that the attack is an advanced persistent-threat actor?);
    • the potential of a mimic or mirage (What else could present like this or be a sign of nothing?); and
    • the severity of an outcome (How impactful would this threat be if true?).

    Severity of outcome directly speaks to risk. Just as clinicians continually balance known and unknown risks in diagnosing a patient, cybersecurity professionals must make informed decisions with imperfect information. In both disciplines, the greatest risk faced is a potentially deadly emergency or threat that is misdiagnosed. This is called a false negative in cybersecurity.

    Acuity/Severity Level

    In Emergency Medicine and Emergency Response

    When a patient suffers traumatic injury, clinicians must determine the extent of harm and the need for specialty interventions. For example, the approach to a patient who fell from a 12-foot ladder onto a concrete patio differs significantly from the approach to a patient who rolled their all-terrain vehicle (ATV).13 Providers begin by performing a primary survey, such as the xABCDE (Exsanguinating Hemorrhage, Airway, Breathing, Circulation, Disability, Exposure/Environmental Control), which assists with prioritizing treatments.14 

    In the ladder-fall scenario, a patient who sustains a traumatic brain injury will require a definitive airway and transfer to a facility with neurosurgical capabilities. In the ATV rollover scenario, a patient with open fractures and an unstable pelvis will require stabilization and transfer to a trauma center.15 By contrast, a sprained ankle or superficial burn on the hand would be assigned a lower acuity level due to the limited severity of the injury and body systems affected.

    In Cybersecurity

    Severity assessment in cybersecurity similarly examines the systems affected and the level of impact to those systems. For example, a practitioner clicks a phishing link in an email and unknowingly divulges login credentials. Phishing emails are the most common attack in cybersecurity, with nearly 1 million attacks reported between 2022 and 2024.16 The severity of such an attack ranges from medium to high depending on the stage of resulting actions. Disclosure of credentials may initially represent a medium-level incident, but if an attacker subsequently uses those credentials to access systems, the severity escalates to high, as the attacker can now attempt lateral movement across the organization to a loftier, more impactful goal. 

    If the compromised user holds special or heightened permissions (such as a system administrator), the severity is immediately high. Because of this, clinicians should collaborate closely with cybersecurity professionals during password-reset scenarios to avoid inadvertently enabling a high-severity incident. 
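The escalation rule described above (disclosure is medium; subsequent use or lateral movement is high; a privileged account is immediately high), applied to a constructed stream of SIEM-style events. This is an added example, not code from the article or its authors; the event shapes, account names and the privileged-account list are assumptions for illustration.

```python
"""Stage-based severity for a phished-credential incident (illustrative)."""

# Constructed sample events, in time order: (account, event_type, detail).
# A realistic SIEM would supply these from mail, identity and file-share logs.
SAMPLE_EVENTS = [
    ("j.doe", "phish_credential_submit", "clicked link, entered password"),
    ("j.doe", "login_success", "new device, unfamiliar network"),
    ("j.doe", "access_share", "finance file share"),
    ("a.smith", "phish_credential_submit", "entered password"),
    ("sysadmin1", "phish_credential_submit", "entered password"),
    ("b.lee", "login_success", "routine login, no phish event"),
]

# Assumption: accounts that hold special or heightened permissions.
PRIVILEGED_ACCOUNTS = {"sysadmin1"}

# Stages in the order the article describes them; later stages escalate.
STAGE_ORDER = ["disclosed", "used", "lateral"]
STAGE_FOR_EVENT = {
    "phish_credential_submit": "disclosed",  # credentials divulged
    "login_success": "used",                  # attacker uses them
    "access_share": "lateral",                # movement toward a bigger goal
}


def assess(events, privileged=PRIVILEGED_ACCOUNTS):
    """Return {account: (stage, severity, reason)} for affected accounts.

    Only accounts with an observed credential disclosure are tracked, so a
    routine login without a preceding phish event does not raise an alert.
    """
    stage = {}
    for account, kind, _detail in events:
        new = STAGE_FOR_EVENT.get(kind)
        if new is None:
            continue
        if new == "disclosed":
            stage.setdefault(account, "disclosed")
            continue
        current = stage.get(account)
        if current is None:
            continue  # no disclosure seen for this account: not part of the incident
        if STAGE_ORDER.index(new) > STAGE_ORDER.index(current):
            stage[account] = new

    result = {}
    for account, s in stage.items():
        if account in privileged:
            result[account] = (s, "high", "privileged account: immediately high")
        elif s == "disclosed":
            result[account] = (s, "medium", "credentials disclosed, no use observed yet")
        else:
            result[account] = (s, "high", f"credentials {s}: attacker is active")
    return result


def response_order(assessment):
    """Accounts sorted for response: high severity first, later stage first."""
    rank = {"high": 0, "medium": 1}
    return sorted(
        assessment,
        key=lambda a: (rank[assessment[a][1]], -STAGE_ORDER.index(assessment[a][0])),
    )


if __name__ == "__main__":
    verdicts = assess(SAMPLE_EVENTS)
    for account in response_order(verdicts):
        stage_name, severity, reason = verdicts[account]
        print(f"{account:10} {severity:6} {stage_name:9} {reason}")
```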

    Ransomware, a growing threat in healthcare, represents a high-severity, true-positive emergency capable of debilitating effects on all systems. Because this threat is a known threat, cybersecurity professionals train through continuing education, tabletops and additional simulations to address if/when this emergency arrives. This leads to another parallel between the disciplines: protocols. 

    Protocols / Playbooks

    In Emergency Medicine and Emergency Response

    During an emergency, once the affected body system(s) and severity are determined, clinicians apply an established algorithm to guide the appropriate diagnostics, treatments, medication administration, and follow-up care. 

    In emergency situations such as shock and cardiac arrest, research from wartime operations and civilian emergency responses has identified best practices for achieving return of spontaneous circulation (ROSC).17

    In Cybersecurity

    Protocols used for orchestration are known as playbooks, while protocols for accomplishing technical tasks are called runbooks. Playbooks and runbooks serve the same purpose of providing an outline of actions in a specified order that are tailored to gain the best results. For example, most large organizations maintain a ransomware playbook because the potential adverse impact is great, the response must be fluid, and the end goal — full recovery — is known. Familiarity with these playbooks enables cybersecurity professionals to respond quickly, yet thoughtfully.

    Just as clinicians strive to stabilize patients and promote a full recovery by using established protocols, cybersecurity professionals use playbooks and runbooks to statistically provide the highest chance of a successful recovery. 

    Size of the Emergency

    In Emergency Medicine and Emergency Response

    Once protocols are established, the size of the emergency determines how they are adapted to the scenario and to the number of patients presenting. For example, mass-casualty incidents such as mass shootings and terrorist attacks follow established protocols, and the volume of patients affected dictates the response. In mass-casualty events, all consequential actions stem from answering the question, “How many patients?” When the number is enough to overwhelm available resources, specialized protocols are activated.18

    Triage then becomes essential. Adult and pediatric protocols use a color-based system (green, yellow, red and black) to sort patients by urgency — from those who require immediate attention (red) to those who can afford a delayed evaluation (green) to those deemed dead or imminently dead (black). This concept is a visual presentation akin to the acuity levels 1-4 of triage.19 Triage is a weighty process for a triage evaluator. Appropriate protocols support rapid decision-making, helping achieve the best health outcomes for the greatest number of patients.

    In Cybersecurity

    Cybersecurity professionals assess emergency size by examining the number of users, devices, and network segments affected. They also determine whether the issue is isolated or part of a broader, industrywide surge. Is the event a localized issue, or is it a systemic, zero-day threat — analogous to a novel infectious outbreak like COVID-19? 

    While tactics and coordination change with scale, one key difference exists: cybersecurity responses can be executed at scale once a control point is identified. Once a solution is developed to corral the affected population of devices, remediation is not one-to-one; instead, it is often performed en masse. For example, isolating one device can take the same amount of time as isolating dozens, provided they share the same configuration and security agent. Revoking the credentials of one user versus 90 users can occur in a similar amount of time. While patient care requires a hands-on ratio of one-to-one, cybersecurity can respond at scale, and this should only continue to grow with generative AI and agentic AI options.

    Disease Transfer

    In Emergency Medicine and Emergency Response

    Infectious diseases often are acquired involuntarily and are frequently invisible to the naked eye, though their symptoms may be very apparent. Effective containment and appropriate infection-control measures help limit spread, enabling monitoring and, in some cases, burden reduction or elimination.

    In Cybersecurity

    The response approach to malware parallels the approach to infectious disease. Malware is unwanted, its presence is often signaled by symptoms, and the response focuses on containment and eradication.

    Consider malware transferred by USB drives or chargers. Users often assume a personal USB device is safe simply because they own it — an incorrect assumption. 

    A more accurate analogy is of the transfer of bloodborne pathogens — infectious agents found in bodily fluids. When blood products or instruments that come into contact with blood are shared between individuals, the risk of pathogen transmission increases.20 Within clinical practice, the reuse of needles across patients is an absolute contraindication due to the substantial risk of bloodborne pathogen transmission. Similarly, hardware like a USB drive, flash drive or thumb drive used in an untrusted device (“in the wild”) should not then be reinserted into the user’s original device. That USB drive should be considered contaminated. Reinserting it into the original computer or network risks transferring malware, whether a worm, virus, or ransomware. 

    Back to Frameworks

    Earlier we explored how both disciplines rely on structured frameworks to guide practice. The table provided illustrates how regulation, policy, and protocol shape operations in both fields. Emergency medicine and emergency-response clinicians approach patient situations using the same conceptual yardsticks that cybersecurity professionals use in threat response: Systems Affected, Validity of Emergencies, Acuity/Severity Level, Protocols/Playbooks, Size of Emergencies, and Disease Transfer.

    Figure 1. Cybersecurity incident-response model (Citation 21)

    This final cybersecurity incident-response model brings these elements together visually, illustrating how they unfold during an actual event. Practitioners and administrators may find striking parallels between these phases and the steps involved in treating a patient.

    In summary, Preparation is where cybersecurity professionals build a strong, hardened environment, like well-checks and preventive medicine. The Detection and Analysis phase is like reviewing symptoms and labs. Containment, Eradication and Recovery are like medical treatment and recovery. Post-Incident Activity is similar to patient decisions post-treatment. We have the opportunity to use the frameworks of emergency medicine and emergency response to understand cybersecurity risk in healthcare. Let’s start now.

    Note: The authors appreciate the detailed review of, and input on, the manuscript by Peter C. Amadio, MD, and Tom O'Keefe, CISSP, GCIH, GCFE, GCFA, GNFA, M.S. IT. They also acknowledge the editing assistance of Mayo Clinic colleague Ethan Grove.

    Notes:

    1. Health-ISAC. “2026 Global Health Sector Threat Landscape.” Jan. 21, 2026. Available from: https://bit.ly/4urmcpg
    2. Ponemon Institute. “Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care 2025 report.” Proofpoint. Available from: https://bit.ly/4bCovhI
    3. HRSA. “State of the U.S. Health Care Workforce, 2025.” National Center for Health Workforce Analysis, December 2025. Available from: https://bit.ly/40rXiYY
    4. ISACA. “State of Cybersecurity 2024: Global Update on Workforce Efforts, Resources, and Cyberoperations.” Available from: https://bit.ly/4lvH8Yg
    5. Saxena P, Singh SK, Gupta G. “Achieving Effective Learning Outcomes through the Use of Analogies in Teaching Computer Science.” Mathematics. 2023;11(15):3340. https://doi.org/10.3390/math11153340
    6. Dryden D. “At the World Economic Forum, Mayo Clinic’s CEO is All in on AI.” Post Bulletin, Jan. 23, 2025. Available from: https://bit.ly/4uFKv2W
    7. International Federation for Emergency Medicine. “About Us.” Available from: https://www.ifem.cc/about_us
    8. NIST. “Cybersecurity.” CSRC Glossary. Available from: https://bit.ly/46Xylbl
    9. Tintinalli JE, Stapczynski J, Ma O, Yealy DM, Meckler GD, Cline DM, eds. Tintinalli’s Emergency Medicine: A Comprehensive Study Guide. 8th edition. McGraw-Hill Education; 2016.
    10. Lockheed Martin. “The Cyber Kill Chain.” Available from: https://lmt.co/4lvRJm0
    11. Weiss AJ, Jiang HJ. “Most Frequent Reasons for Emergency Department Visits, 2018.” Healthcare Cost and Utilization Project. AHRQ. December 2021. Available from: https://bit.ly/3PfBpJO
    12. Clancy K, Wong J, Spicher A. “Abdominal Aortic Aneurysm: A Case Report and Literature Review.” Perm J. 2019;23:18.218. doi: 10.7812/TPP/18.218. Epub October 25, 2019. PMID: 31926569; PMCID: PMC6836545.
    13. Planas JH, Waseem M, Sigmon DF. “Trauma Primary Survey.” StatPearls. January 2025. Available from: https://bit.ly/4s1zBmc
    14. American College of Surgeons. Advanced Trauma Life Support (ATLS) Student Course Manual, 11th edition; 2025.
    15. McCoy CE, Chakravarthy B, Lotfipour S. “Guidelines for Field Triage of Injured Patients: In conjunction with the Morbidity and Mortality Weekly Report.” Western Journal of Emergency Medicine. 2013 Feb;14(1):69-76. doi: 10.5811/westjem.2013.1.15981. PMID: 23447758; PMCID: PMC3582524.
    16. Internet Crime Complaint Center (IC3). 2024 IC3 Annual Report. Federal Bureau of Investigation; 2025. Accessed March 12, 2026. Available from: https://bit.ly/46VTKll
    17. Hodgetts TJ, Mahoney PF, Russell MQ, Byers M. “ABC to <C>ABC: redefining the military trauma paradigm.” Emerg Med J. 2006;23(10):745-746. doi:10.1136/emj.2006.039610. PMID: 16988297; PMCID: PMC2579588.
    18. Clarkson L, Williams M. “EMS Mass Casualty Triage.” StatPearls. 2023. Accessed via National Library of Medicine.
    19. U.S. Department of Health and Human Services, Office of the Assistant Secretary for Preparedness and Response. Mass Casualty Trauma Triage: Paradigms and Pitfalls. Published July 2019. Available from: https://bit.ly/4uvzJfC
    20. NIOSH. “Bloodborne infectious disease risk factors.” CDC. Feb. 13, 2025. Available from: https://bit.ly/4dhjWun
    21. Nelson A, Rekhi S, Souppaya M, Scarfone K. “Incident Response Recommendations and Considerations for Cybersecurity Risk Management.” NIST, April 2025. Available from: https://bit.ly/4bhNllB
    Written By

    Juliet Govern, MBA, PMP, CISSP, NREMT, is a Security Analyst for Mayo Clinic, Rochester, Minnesota.

    Autumn Pattee, PA-C, MPH, Emergency Medicine, Regions Hospital, St. Paul, Minnesota.

    Rudy Montoya, CISSP, is a Manager at Mayo Clinic, Rochester, Minnesota.

    Ronald Menaker, EdD, MBA, FACMPE, is a Mayo Clinic administrator emeritus and owner of Leadership Strategies LLC.
