Cybersecurity is not just about firewalls and antivirus software; it’s about discipline, training, and unity.
In the world of healthcare IT, managing cyber risk is not just a technical endeavor; it’s a mission-critical operation that demands discipline, coordination, and relentless training of the whole team.
Barry Mathis
Interestingly, one of the most fitting analogies for this high-pressure environment comes from the U.S. Marine Corps Boot Camp.
The transformation from civilian to Marine is a grueling 13-week journey that forges individuals into a cohesive, mission-ready unit. Similarly, building a resilient healthcare team requires structure, repetition, and unity.
Let’s explore how the three phases of Marine Corps Boot Camp - initial conditioning, weapons training, and combat readiness - mirror the journey of managing IT risk in a healthcare organization.
Phase 1: Initial conditioning—Laying the groundwork
The first phase of Marine Corps Boot Camp is all about breaking down old habits and instilling a new mindset. Recruits are introduced to the basics: physical fitness, military customs, and the importance of following orders. They learn to wake up early, move in formation, and execute tasks with precision. Conditioning is not glamorous, but it’s essential.
In healthcare, this phase is about establishing a culture of discipline and compliance. Teams must internalize the importance of routine tasks: patching systems, managing user access, documenting changes, and following HIPAA regulations. These tasks may seem mundane, but they are the bedrock of a secure environment.
“Discipline is doing the right thing, even when no one is watching.” This Marine Corps mantra applies perfectly to IT risk management.
Just as a recruit learns to make their bed with military precision, healthcare staff must learn to follow procedures to the letter. One click of the mouse, skipped patch, or misconfigured firewall can open the door to a catastrophic breach.
Phase 2: Weapons training—Mastering the tools of the trade
In the second phase of Boot Camp, recruits become experts with their weapons.
They learn to disassemble, clean, and fire their rifles with precision. They drill endlessly, sometimes in the rain, sometimes in the dark, until every movement becomes second nature. In fact, some recruits may be forced to clean their rifles for hours because of a single speck of rust, or entire platoons may be punished for one recruit’s mistake.
To the uninitiated, this may seem cruel or unnecessary. This phase, however, is all about repetition and mastery. It is about becoming an expert.
In healthcare technology security, the “weapons” are different (firewalls, intrusion detection systems, encryption protocols, endpoint protection, and incident response plans), but the principle is the same. These tools must be understood, maintained, and deployed with precision.
During a cyber event, you have no time to fumble through a manual. Your incident response team must respond instinctively, much like a Marine unit under fire. A moment’s hesitation can change the outcome with devastating consequences.
Repetitive training is key. Just as Marines drill until muscle memory takes over, health systems must simulate cyberattacks, run tabletop exercises, and rehearse incident response plans until every team member knows their role without hesitation. Response success is not just about IT and systems. It’s about the entire health system coming together for the sake of survival and recovery.
Phase 3: Combat readiness—Operating as a cohesive unit
The final phase of Boot Camp is when everything comes together. Recruits are tested in simulated combat scenarios that require teamwork, communication, and trust. They must navigate obstacle courses, execute missions, and rely on each other to succeed. One weak link can jeopardize the entire unit’s safety.
In healthcare technology, the test for unit and mission readiness is that moment when a ransomware attack hits, or a phishing campaign targets your staff. The team must move as one: Legal, leadership, security analysts, system admins, compliance officers, and frontline staff must be aligned and ready to act.
“No one fights alone.” In both the Marines and healthcare, success depends on unity.
A cohesive team is one that communicates clearly, trusts each other’s expertise, and understands the mission. This means breaking down silos between departments, conducting cross-functional training, and ensuring that everyone, from the helpdesk to the CEO, knows the playbook.
Boot camp and IT parallels
Marine Boot Camp is legendary for its intensity. Recruits have been known to spend hours in the “pit,” a sand-filled training area, doing pushups and burpees as punishment for minor infractions. I recall being awakened at 2 a.m. to clean my rifle because it failed inspection. Another time, our entire platoon had to dress and undress dozens of times until we dressed in unison, starting and finishing at exactly the same time.
These examples may sound extreme, but they serve a purpose: to instill discipline and ensure readiness under pressure.
In healthcare, the horror stories are different but no less impactful. A single employee clicking a phishing link can lead to a full-scale breach. A misconfigured server can expose thousands of patient records. A delayed response to a ransomware alert can cost millions.
The lesson? Train hard, fight easy. If your team is prepared for the worst, they’ll perform their best when it matters most.
Muscle memory and cyber events
One of the most powerful outcomes of Marine training is muscle memory. Recruits drill until their bodies respond automatically. This is crucial in combat, where hesitation can be fatal.
Muscle memory is just as important to a health system under attack. During a cyber event, stress levels spike, and decision-making can falter. That’s why incident response plans must be rehearsed repeatedly. Everyone should know who to contact, what systems to isolate, how to communicate with stakeholders, and when to escalate.
The goal is to remove uncertainty and replace it with instinctive action.
The role of leadership and accountability
Drill instructors in the Marines are relentless, but their goal is to build leaders. They hold recruits accountable, push them beyond their limits, and demand excellence.
In healthcare IT, leadership must do the same. Compliance officers, chief information officers, chief information security officers, and department managers must take these steps.
Accountability is key. If one team member ignores protocol, the entire organization is at risk. Just like in the Marines, everyone must pull their weight.
Train like a Marine, defend like an expert
Managing IT risk in a healthcare organization is not just about firewalls and antivirus software; it’s about discipline, training, and unity. The Marine Corps Boot Camp offers a powerful metaphor for what it takes to build a resilient, high-performing team.
In both worlds, the stakes are high. Lives are on the line. And when the pressure mounts, you don’t rise to the occasion; you fall to the level of your training.
So, train hard. Drill often. And build a team that’s ready for anything.