Healthcare Report Highlights Growing Vendor Risk and Lack of Cyberattack Readiness
Cybersecurity risk is growing, and healthcare organizations are struggling to defend a rapidly increasing attack surface. AI tools are being implemented without the secure infrastructure to support them. Most healthcare practices have meaningful gaps in cyberattack recovery readiness, face ongoing and regular third-party vendor disruptions, and there is growing concern that a cyberattack will result in a patient fatality. The current state of cybersecurity in healthcare is far from rosy.
These were some of the findings from the 2026 Healthcare IT Landscape Report from Omega Systems, a leading provider of managed IT and security services to the healthcare and financial services industries. The report is based on a survey of 200 healthcare business leaders in the United States, including CEOs, CISOs, CIOs, CFOs, and COOs, at healthcare organizations with between 50 and 600 employees. The healthcare organizations represented in the report include medical practices, clinics, ambulatory care centers, specialty services, and long-term care facilities.
In 2025, when the study was last conducted, 52% of healthcare organizations said it is inevitable that a cyberattack on a healthcare facility will result in a patient fatality in the next five years. That figure has risen to 61% in just 12 months, a 9-percentage-point (17% relative) increase. The increase is unsurprising given the lack of cyberattack recovery readiness. Asked what would happen in a cyberattack that cut off access to the electronic medical record (EMR) system, 47% said loss of access to patient records would create an immediate patient safety issue and malpractice liabilities, 53% said billing, claims, and scheduling would stop instantly, freezing cash flow at the moment clinical operations are most compromised, and 25% said they would be unable to maintain baseline care standards, resulting in temporary or even permanent closure.
Omega Systems said 82% of providers acknowledged meaningful gaps in their recovery readiness. Almost one-third (31%) of respondents lack the ability to contain and resolve data breaches quickly; almost one-quarter (24%) do not regularly train teams on incident response; one-fifth (21%) have no independent EMR recovery path or access to a 24/7 SOC team; and 13% have no documented recovery plan at all. AI adoption is almost universal, with 93% of healthcare practices already using AI tools, yet most lack the secure infrastructure needed to support those tools safely.
The risk of cyberattacks has never been greater. According to OCR data, 2025 saw more large data breaches reported than any year since records of data breaches have been published, fueled in part by an increase in cyberattacks on vendors, which usually impact multiple healthcare clients and cause considerable disruption.
Omega Systems found that 85% of healthcare practices experienced at least one operational disruption in the past 12 months due to a third-party vendor or vendor of a vendor, and 24% experienced a third-party or vendor breach that directly affected their data or operations.
Even though vendor incidents are increasing, a concerningly high percentage of respondents (70%) said they were confident or very confident in their vendors' cybersecurity posture. Once a vendor has been onboarded and trusted, its cybersecurity posture is rarely questioned again.
OCR is due to issue a final rule implementing proposed changes to the HIPAA Security Rule. One of the proposed requirements is annual verification of the cybersecurity measures of business associates, which would force practices to continually verify vendor cybersecurity rather than rely on trust. According to the Omega Systems report, 63% of practices currently do not continuously monitor their networks and digital supply chains, while 70% say they are confident in the vendors connected to them. "A practice can't be confident in what they aren't watching," warns Omega Systems. "Trust is a natural byproduct of long-term vendor relationships. And that's precisely what attackers count on. They target vendors because their healthcare clients trust them – and rarely verify the controls behind that trust."
Omega Systems identified a single root cause of the cybersecurity problem in healthcare: cybersecurity is a patient safety issue, yet healthcare organizations still treat it as a technical expense. "Sixty-two percent (62%) of healthcare leaders still treat cybersecurity as a technical expense rather than a clinical or fiduciary risk," explained Omega Systems in the report. "That posture determines what gets funded, what gets deferred, and what gets ignored. It is why the gaps documented in this report persist despite years of escalating threat data."
OCR investigates all reported data breaches affecting 500 or more individuals, and data breaches are being reported in record numbers. OCR currently has an enforcement initiative targeting noncompliance with the risk analysis provision of the HIPAA Security Rule, which has been expanded to also cover risk management. The survey revealed that six in ten leaders have self-attested to HIPAA compliance despite knowing that their risk analyses identified unresolved vulnerabilities. According to the report, 23% of practices have already filed a breach report with OCR.
“For many, that filing was not the result of negligence. It was the result of a gap that grew faster than their resources could close it,” explained Omega Systems. “Small practice leaders are not ignoring compliance. They are managing it with teams that are stretched thin, budgets that do not go far enough, and requirements that keep changing. The breach notification is often the moment they find out how serious that gap had become.”
When the HIPAA Security Rule update is released, practices will have a lot of ground to cover in a short space of time. Only 24% of practices report that they are fully prepared for the proposed changes; many lack the required in-house staff and have cybersecurity and compliance programs that have been built for a simpler threat landscape.
More than one-third (35%) say their cybersecurity/IT team is understaffed, one-third (33%) admit to underestimating the severity and frequency of cyberattacks, one-quarter (26%) say their cybersecurity/IT team is underfunded, 23% say it relies on antiquated cybersecurity technology, and one-fifth (21%) admit to deliberately downplaying cyberattack risk to avoid reputational damage.
With the HIPAA Security Rule final rule expected this year (the proposed release date was May 2026), healthcare cybersecurity and compliance programs will have to be overhauled. Omega Systems explains that the leaders will not be the healthcare organizations with the most advanced technology. They will be the ones who have made a governance-level commitment to treating security, compliance, vendor risk, and AI not as separate problems requiring separate solutions, but as one, with a partner accountable for the whole picture.