Are You Actually Ready for a Cyber Incident?
A Caribbean Health Cyber Readiness Checklist
This checklist is not about theoretical maturity.
It is about whether your health system can withstand a real cyber incident without collapsing care or trust.
Answer Yes / Partially / No.
If you cannot answer confidently, assume No
1. Leadership & Accountability
If something happens at 2 a.m., who is in charge?
| ▢ A named executive has formal accountability for cybersecurity (not just IT). | ||||
| ▢ Cyber risk is reported at Board or Ministerial level, not buried in technical updates. | ||||
| ▢ There is a clear decision authority for shutting down systems if patient safety is at risk. | ||||
| ▢ Cybersecurity is explicitly framed as patient safety, not just compliance. | ||||
| ▢ Leadership has participated in at least one cyber incident simulation. |
Red flag:
If cybersecurity lives only in IT, response will be slow and fragmented.
2. Identity, Access & User Control
Can you say who accessed what — and stop them immediately?
| ▢ Every user has a unique login (no shared accounts). | ||||
| ▢ Role-based access is enforced (users only see what they need). | ||||
| ▢ Multi-factor authentication is required for clinical, admin, and remote access. | ||||
| ▢ Accounts are disabled immediately when staff leave or change roles. | ||||
| ▢ System logs are retained and regularly reviewed. |
Red flag:
Shared logins = guaranteed breach amplification.
3. Network & System Architecture
How far could an attacker move if they get in?
| ▢ Clinical systems are segmented from administrative systems. | ||||
| ▢ EHR, lab, imaging, pharmacy, and billing systems are not on a flat network. | ||||
| ▢ Vendor access is time-limited, monitored, and logged. | ||||
| ▢ Guest or public Wi-Fi is fully isolated from clinical systems. | ||||
| ▢ Legacy systems are clearly documented and isolated where possible. |
Red flag:
Flat networks turn small breaches into system-wide outages.
4. Backups & Recovery
Could you restore care — not just data?
| ▢ Backups are offline or immutable (not accessible from production systems). | ||||
| ▢ Backup credentials are separate from live system credentials. | ||||
| ▢ Critical systems are prioritised for recovery (EHR, lab, pharmacy). | ||||
| ▢ Full restoration has been tested under time pressure. | ||||
| ▢ Clinical downtime procedures are documented and known. |
Red flag:
If you’ve never restored from backup, you don’t have a recovery plan.
5. Monitoring & Detection
Would you know something is wrong — quickly?
| ▢ Real-time monitoring or alerting is in place (internal or outsourced). | ||||
| ▢ Alerts have clear thresholds for escalation. | ||||
| ▢ Someone has authority to act immediately when alerts fire. | ||||
| ▢ Security events are logged and reviewed routinely. | ||||
| ▢ Phishing and user-driven threats are actively monitored. |
Red flag:
Delayed detection = multiplied damage.
6. Vendor & Third-Party Risk
Do your partners increase or reduce your risk?
| ▢ Vendor contracts include explicit security obligations. | ||||
| ▢ Breach notification timelines are clearly defined. | ||||
| ▢ Data ownership and portability are contractually protected. | ||||
| ▢ Vendors are subject to security review or audit. | ||||
| ▢ You know which vendors have access to live systems right now. |
Red flag:
If a vendor is breached, the public will still blame you.
7. Data Governance
Do people trust how data is used — not just stored?
| ▢ Data use for planning, analytics, AI, and research is clearly defined. | ||||
| ▢ Secondary data use requires approval and oversight. | ||||
| ▢ De-identification standards are enforced, not assumed. | ||||
| ▢ Data retention and deletion rules exist and are followed. | ||||
| ▢ Breaches of data governance have real consequences. |
Red flag:
Poor governance turns analytics into controversy.
8. Workforce Readiness
Do staff understand their role in security?
| ▢ Cybersecurity training is role-specific, not generic. | ||||
| ▢ Staff know how to report suspected incidents without fear. | ||||
| ▢ Phishing simulations or awareness exercises are conducted. | ||||
| ▢ Cyber hygiene is reinforced as part of patient safety. | ||||
| ▢ Senior clinicians are engaged, not bypassed. |
Red flag:
Security culture matters more than security tools.
9. Incident Response & Communication
What happens in the first 24 hours?
| ▢ A cyber incident response plan exists and is current. | ||||
| ▢ A clear command structure is defined and rehearsed. | ||||
| ▢ Clinical continuity plans activate immediately during outages. | ||||
| ▢ Communications templates are pre-approved. | ||||
| ▢ Legal and regulatory notification pathways are known. |
Red flag:
Silence after a breach destroys trust faster than the breach itself.
10. After-Action Learning
Do you improve — or move on?
| ▢ Independent review follows major incidents. | ||||
| ▢ Lessons learned are documented and acted upon. | ||||
| ▢ Governance, training, and systems are updated accordingly. | ||||
| ▢ Accountability includes leadership, not just technical staff. | ||||
| ▢ Improvements are communicated transparently. |
Red flag:
If nothing changes after an incident, trust won’t recover.
How to interpret your results
Mostly “No”
You are digitally exposed. Expansion of digital health without remediation increases risk.
Mostly “Partially”
You are fragile. A breach will test leadership and credibility.
Mostly “Yes”
You are credible — not invulnerable, but prepared.
Preparedness does not prevent breaches.
It limits harm.
Share:
