Healthcare AI innovation outpaces cybersecurity guardrails

New survey reveals critical gaps in healthcare defenses as cybersecurity budgets tighten and security measures trail behind innovation.
By admin
Feb 28, 2025, 11:36 AM

Healthcare organizations are struggling to adapt their cybersecurity practices to match increasingly sophisticated threats, according to a new survey from the Healthcare Information and Management Systems Society (HIMSS).

The 2024 HIMSS Healthcare Cybersecurity Survey, which collected responses from 273 healthcare cybersecurity professionals, finds that while organizations are making modest improvements in security funding, critical vulnerabilities persist in artificial intelligence governance, third-party risk management, and insider threat detection.

Budgets improving but still insufficient

The survey reveals a mixed picture on cybersecurity funding. While 52% of organizations anticipate IT budget increases for 2025, many allocate only a small portion to cybersecurity. Only 16% of organizations dedicate more than 14% of their IT budget to security measures.

This funding gap is particularly problematic as ransomware continues to plague the sector. Most respondents (74%) reported no ransomware attack in the past year, but 13% confirmed at least one incident, a rate that has held roughly steady since 2022.

Another notable trend is a shift in how organizations respond to ransomware. Among organizations attacked in 2024, only 11% paid the ransom, down sharply from 30% in 2023. Refusing to pay may make the sector a less attractive target, but it also means victims must be able to restore from backups and rebuild systems without the attacker's decryption key, which puts a premium on tested recovery capabilities. (This raises the perennial question: should healthcare leaders pay up when ransomware hits?)

AI adoption outpacing security controls

Perhaps most alarming is the rapid adoption of artificial intelligence without corresponding security controls. The survey found that 81% of healthcare organizations now use AI, yet only 31% actively monitor its usage, and fewer than half (42%) have established acceptable use policies.

Respondents are aware of the exposure these gaps create: 75% cite data privacy as their top AI-related concern, followed by data breaches (53%) and algorithmic bias (53%).

Organizations are implementing AI across multiple domains simultaneously—37% use it for technical tasks, 35% for clinical services, 34% for administrative functions, and 34% for cybersecurity itself—creating a complex environment that requires comprehensive oversight.

Third-party risks and insider threats

The survey also exposes critical weaknesses in how healthcare organizations manage external partnerships. Only 31% have fully implemented third-party risk management programs, despite 25% reporting significant security incidents involving vendors or suppliers.

These third-party incidents caused widespread disruption: 50% of affected organizations reported business disruptions, 49% IT disruptions, and 43% disruptions to clinical services. Other reported impacts included data breaches (43%), financial losses (32%), and reputational damage (16%).

Similarly concerning is the management of insider threats. Only 26% of organizations have fully implemented insider threat programs, with 33% having no formal program at all. Moreover, 10% of respondents reported insider threats involving third parties with trusted access—a growing risk as healthcare ecosystems become more interconnected.

Defending against evolving threats

Despite these challenges, the survey indicates some positive trends. Security awareness is improving, with 63% of organizations conducting simulated phishing attacks and 40% providing training on emerging threats like deepfakes and QR code phishing.

Organizations are also becoming more strategic in their post-attack responses, with 62% implementing new security tools and 57% establishing new security policies after incidents. Nearly half (49%) enhanced their security awareness training programs following breaches.

The survey highlights phishing as a persistent primary attack vector, with 63% of significant security incidents beginning with general email phishing. Other initial compromise points included SMS phishing (34%), spear-phishing (34%), and business email compromise (31%).

By strengthening their cyber defenses now—particularly around AI governance and third-party relationships—organizations can build trust with patients while protecting the technologies that promise to revolutionize care.
