Health care cybersecurity is moving deeper into recovery planning as clinics, imaging centers and remote clinicians depend on electronic health record access during cyber incidents.
Endpoint OS vendor IGEL and cloud security provider Zscaler released joint health care security blueprints for distributed care delivery, covering isolated recovery access, distributed clinics and remote clinician workflows.
The blueprints combine IGEL’s endpoint operating system with Zscaler’s cloud-delivered access controls, with the stated goal of keeping protected health information, or PHI, governed across endpoint, access and application layers.
The companies introduced the blueprints at HIMSS26 Europe in Copenhagen. Matthias Haas, CTO of IGEL, described the joint work in operational terms, saying “resilience and security cannot be treated as separate initiatives,” according to the launch announcement.
Securing access to isolated recovery environments
The recovery blueprint focuses on access to the Epic Isolated Recovery Environment (IRE) during disruptive cyber incidents, infrastructure failures or endpoint compromise. The document says IREs can provide the application and data architecture needed to continue care, but only if endpoints used for access are trusted and access to the recovery environment is tightly controlled.
The access path is the main control point in the recovery design. IGEL’s operating system can boot from a dual-boot configuration or USB and bypass the installed Windows partition during recovery. Zscaler Private Access brokers access to the IRE as a private application rather than exposing it to the public internet.
The blueprint also says access is established outbound only, evaluated per request based on identity and policy, and centrally logged for audit and investigation.
Meeting federal recovery mandates with limited IT capacity
Federal health guidance already treats recovery as more than backup restoration. The HHS ransomware and HIPAA fact sheet says covered entities and business associates must maintain a contingency plan under the HIPAA Security Rule, including a data backup plan, disaster recovery plan, emergency mode operation plan, application and data criticality analysis and periodic testing.
HHS also says: “The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the HIPAA Security Rule.”
For smaller providers, those recovery requirements collide with limited staffing and security resources. HHS’s Health Industry Cybersecurity Practices technical volume for small health care organizations says small organizations generally do not have dedicated IT and security staff for cybersecurity work because of limited resources.
The same volume lists clinical care, practice management, business operations, IT, staff education, patient-information protection and business continuity or disaster recovery among the functions small organizations still have to support.
Applying zero trust to distributed clinics and remote workflows
The distributed clinic blueprint applies the problem to outpatient and imaging sites with limited on-site IT support. It cites distributed endpoints, limited on-site IT resources, remote access to hospital-hosted systems and physical risks such as device loss, theft or unauthorized local access. Its proposed architecture uses centrally managed endpoints and centralized policy enforcement for private applications, web access and SaaS traffic.
The remote clinician blueprint extends the same logic beyond hospital networks. The blueprint says clinicians now require access to clinical systems from locations that do not share the trust assumptions of hospital networks.
Frank Nydam, executive director for health care at Zscaler, put the same point in operational terms in the launch announcement: “Care delivery has expanded far beyond the hospital walls, and the attack surface has expanded with it.”
The blueprint says VPN-centric approaches can extend network access without enough control over endpoint state or session context, widening the attack surface and increasing the risk of lateral movement.
That language tracks with NIST’s definition of zero trust. NIST SP 800-207 says zero trust removes implicit trust based on physical or network location or asset ownership, with authentication and authorization performed before a session to an enterprise resource is established. NIST also says zero trust focuses on protecting resources, not network segments.
Treating ransomware downtime as a patient care crisis
Federal guidance also frames ransomware recovery as a patient-care issue, not only an IT issue. CISA and HHS released a health care cybersecurity toolkit after a roundtable on resource and capability gaps in the health care and public health sector.
CISA disclosed that in 2023 it conducted pre-ransomware notifications to more than 65 U.S. health care organizations to warn of early-stage ransomware activity.
The recovery stakes are also documented outside vendor material. A 2024 Government Accountability Office report said health care and public health sector officials told GAO that hospitals could take up to 45 days to recover from a ransomware attack.
During that period, nearby hospitals may not be equipped to absorb patient-service disruptions, even if they were not directly attacked.
The proposed HIPAA Security Rule update would make some of that operational discipline more explicit. HHS’s proposal would update security standards for electronic protected health information, though it remains a proposed rule.
The Federal Register notice says HHS proposed written risk management plans, annual review, activity-record retention and migration plans where technology assets do not support encryption or multifactor authentication.
The IGEL and Zscaler blueprints do not change HIPAA obligations and do not prove patient-care outcomes. They show how endpoint state, identity-based access, private application brokering and centralized logging are being packaged around health care recovery scenarios, where PHI protection and clinical continuity remain linked.