
Cybersecurity investment is strong, but not strong enough to keep up

Healthcare organizations are focusing on cybersecurity, but they’re struggling to stay ahead of the volume of cybercrime.
By admin
Jun 12, 2025, 11:52 AM

When it comes to cybersecurity investment in healthcare, too much is never enough. Despite continuing attention to bulking up cybersecurity infrastructure, healthcare organizations are struggling to put enough safeguards in place to adequately protect them from the sheer volume of attacks.  

In 2024, a staggering 92% of organizations reported at least one cyberattack, according to research released ahead of the 2025 HealthSec USA Summit, up from 88% the year prior. More than two-thirds (67%) of those attacked in 2024 said ransomware was involved. 2024 saw some of the biggest data breaches of all time, including 13 events that exposed the records of more than 1 million patients each.  

This is despite the healthcare industry spending more than $125 billion on securing its infrastructure over the first half of the decade, the report notes, indicating that organizations understand the need for continued attention to this issue.

A separate poll from Software Advice, published in late May, adds to the notion that organizations are trying to take the problem seriously. In this survey of more than 360 healthcare providers, 34% stated that IT cybersecurity is their top priority for 2025 – significantly exceeding the 28% that tapped AI as their number one goal.  

However, even $125 billion and strong endorsement from the executive team do not appear to be enough to satisfy the real-world needs of the average IT department. Returning to the HealthSec report, 41% of IT professionals believe that their organizations allocate insufficient resources to security needs, and 30% say their security teams are somewhat or severely understaffed. Over half said they require more help to meet their organization’s needs.

Slow and cumbersome decision-making processes around implementing new technologies might be part of the problem, the Software Advice survey suggests.  Organizations that take longer to deliberate over software purchases are more likely to regret their decision than those that make a faster commitment. Only 46% of the fastest decision-makers experience buyer’s remorse compared to 82% of those who took 7 months or longer before finally signing on the dotted line.  

Even AI isn’t turning out to be the silver bullet solution that some CISOs might have hoped for. While the majority of stakeholders believe that AI tools are absolutely essential to fight off AI-powered attacks, implementing an AI-enabled cybersecurity shield comes with its own pitfalls, with 65% of IT teams facing challenges with integrating new tools into legacy infrastructure, the HealthSec report authors said.  

The answer might not come solely from dumping more money into the issue, although organizations can’t go wrong with upping their talent budget to fill up their empty offices with the best possible recruits. Instead, the solution likely lies in improved governance and a more strategic, comprehensive approach to closing gaps in organizational defenses. 

For example, common threat vectors often include issues that are generally within the organization’s control, such as excessive permissions, says Hugo Chun Hin Lai, CISO at Temple Health, in the report. Workarounds in the interest of speedy access to data, as well as decentralized identity access management structures, can lead to a proliferation of permissions that create exploitable vulnerabilities. Organizations should focus on centralizing identity management and closely monitoring privileged access to reduce the risks of attack through this vector, he recommended.  

Cybercrime is here to stay in the healthcare industry, and organizations will always have to contend with being a half step behind the creative criminals that aim to penetrate their defenses. But steady commitment to cybersecurity as a top priority, along with shrewd and timely investment in strategically important areas of the organization, can help to strengthen and protect sensitive infrastructure from falling victim to bad actors. 


Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry.  Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system.  She can be reached at [email protected].

