As healthcare organisations embrace digital transformation, cybersecurity has become a critical priority. A recently published 2024 HIMSS Healthcare Cybersecurity Survey highlights key trends, challenges and advancements in protecting sensitive data and systems. With increasing cyber threats, organisations are investing more in security, refining awareness programmes and strengthening defences against ransomware and insider threats. However, gaps in AI governance, third-party risk management and budget allocation persist, requiring strategic improvements. The survey provides a comprehensive look at cybersecurity budgets, security incidents and emerging concerns that require immediate attention.

 

Budget Allocations and Ransomware Threats

Healthcare organisations are gradually increasing their cybersecurity budgets to address evolving threats. While overall IT budgets are modestly improving, the allocation to cybersecurity varies widely. Many organisations now dedicate between 3% and 6% of their IT budgets to cybersecurity, reflecting a shift toward more strategic spending. Notably, some organisations lack a dedicated cybersecurity budget, raising concerns about preparedness. The survey found that a notable percentage of respondents were unaware of how cybersecurity funds were allocated, highlighting the need for greater transparency and governance.

 

Phishing remains the leading cause of security incidents in healthcare, with email-based attacks being the most common initial point of compromise. SMS phishing, spear-phishing and business email compromise also pose significant risks. Newer threats, such as deepfake-enabled attacks, have emerged, demonstrating the need for improved awareness and defence strategies. Organisations have implemented phishing simulations and awareness training, but only 40% address emerging threats like deepfakes, quishing (QR code phishing) and smishing (SMS phishing). These gaps indicate a need for more comprehensive training programmes.

Ransomware continues to be a persistent threat, with 13% of respondents reporting an attack in the past year. Although fewer organisations choose to pay ransoms, ransomware attacks still cause significant disruptions. Over 74% of respondents reported that their organisations had not experienced a ransomware attack, while a small but concerning percentage remained uncertain about whether their organisations had been targeted.

 

AI and Third-Party Risks

Artificial intelligence (AI) adoption in healthcare introduces both opportunities and security risks. While 81% of organisations allow AI usage, a lack of formal governance structures and active monitoring raises concerns. The survey found that half of healthcare organisations only permit pre-approved AI technologies, while 30% allow AI without formal restrictions. This lack of oversight increases risks such as data breaches, compliance issues and biased AI decision-making.

 


 

Additionally, third-party security incidents continue to pose significant risks, leading to business disruptions, IT failures and clinical service interruptions. Despite the increasing reliance on vendors and service providers, only 31% of organisations have fully implemented third-party risk management programmes. This leaves healthcare providers vulnerable to supply chain attacks, which can have far-reaching consequences for patient care and operational continuity. The survey found that 25% of organisations experienced significant security incidents involving a vendor, supplier or service provider. These incidents resulted in financial losses, reputational damage and regulatory scrutiny, further emphasising the need for improved third-party risk management.

 

Insider Threats

Insider threats remain a persistent challenge for healthcare organisations, requiring proactive measures to mitigate risks. The 2024 HIMSS Survey revealed that 26% of organisations have fully implemented insider threat programmes, while 33% do not have any formal programme in place. This lack of structured insider threat management leaves organisations vulnerable to both malicious and negligent insider activities. With the increasing adoption of AI, concerns about insider misuse of AI-driven technologies are rising.

 

While reported cases of AI-related insider threats are still low, experts anticipate an increase in the future as AI tools become more embedded in daily operations. Organisations that fail to monitor AI usage may be unable to detect unauthorised or unethical activities, creating a new frontier of cybersecurity risk. Similarly, third-party insider threats, such as those involving vendors or contractors with privileged access, remain a concern. Ten per cent of organisations reported experiencing insider threat incidents involving external entities, while 26% were unaware whether such incidents had occurred.

 

The findings from the 2024 HIMSS Healthcare Cybersecurity Survey emphasise the urgent need for stronger cybersecurity strategies in healthcare. While organisations are making strides in budget allocation, ransomware preparedness and security awareness, significant challenges persist in AI governance, third-party risk management and incident response planning. The increasing complexity of cyber threats requires healthcare providers to implement comprehensive security measures, improve staff training and enhance oversight of emerging technologies. Strengthening collaboration across departments, enforcing third-party security standards and investing in emerging security technologies will be critical for building a cyber-resilient healthcare ecosystem. Continued adaptation and innovation in cybersecurity practices will be essential to mitigate risks, protect patient information and uphold the integrity of healthcare services.

 

Source: HIMSS
