Survey Confirms Majority of Healthcare Orgs Plan to Increase Cybersecurity Investment
An annual survey of healthcare leaders by the Healthcare Information and Management Systems Society (HIMSS) has revealed that more than half of healthcare organizations (55%) plan to increase cybersecurity spending in 2025. Twenty-one percent say budgets are largely unchanged year over year, and four percent plan to spend less on cybersecurity than in 2024.
This year’s HIMSS Healthcare Cybersecurity Survey polled 273 healthcare cybersecurity professionals: 50% in executive management, 37% in non-executive management, and 13% in non-management roles. 46% of respondents had primary responsibility for cybersecurity, 30% had some responsibility, and 24% had responsibility only as needed. The survey was conducted between November 6, 2024, and December 16, 2024, and asked about cybersecurity spending and about cybersecurity experiences over the previous 12 months.
Historically, healthcare organizations have invested 6% or less of their IT budgets in cybersecurity; however, more money is now being spent on cybersecurity improvements, with 30% of respondents saying they will invest 7% or more of their IT budget in cybersecurity in 2025: 14% plan to spend 7-10%, 7% plan to spend 11-14%, and 9% plan to spend more than 14%. A further 19% plan to spend 3-6%. 20% of respondents said they do not have a set amount to spend on cybersecurity and can increase their budget if more funds are required, but concerningly, 23% said they did not have good information on their cybersecurity budget, up from 19% the previous year. While the improvement in cybersecurity spending is encouraging, HIMSS warns that simply increasing spending is not enough and may not translate into significant security improvements. Proper prioritization and strategic planning are essential to ensure that funds are directed to the areas that will make the biggest difference to security posture.
Respondents who expected a budget increase were asked whether it would allow them to make meaningful improvements to their security posture. The areas where significant improvements are most expected were cybersecurity tools (57%) and security policies (47%); only 34% of respondents expected to make significant improvements in cybersecurity staffing. 34% of respondents said they anticipated making some improvements to tools, policies, or staffing.
While attackers do exploit unpatched vulnerabilities to breach healthcare networks, healthcare employees are targeted far more often. The survey bears this out: the most common initial points of compromise in security incidents over the past year were email phishing (reported by 63% of respondents), SMS phishing (34%), spear phishing (34%), and business email compromise (31%). The percentages sum to more than 100 because respondents could report more than one initial access vector.
Given the volume of attacks aimed at healthcare employees, regular security awareness training is essential. The survey explored the methods used in security awareness training programs; the most common were email alerts and updates (73%), simulated phishing attacks (63%), interactive discussions (49%), in-person or virtual workshops (47%), training on emerging threats (40%), and tabletop exercises (38%). It is concerning that 4% of respondents said no cybersecurity awareness training was provided to the workforce, since security awareness training is a requirement of the HIPAA Security Rule (45 CFR § 164.308(a)(5)). A further 2% of respondents were unaware whether any security awareness training was provided, and 3% said they rely on alternative methods such as video-based training or compliance activities, which HIMSS does not consider equivalent to effective cybersecurity training.
When asked to rate the effectiveness of their security awareness training programs, only 18% rated them as very effective, 62% as somewhat effective, and 18% as slightly effective; 2% of respondents said their training programs were not at all effective. HIMSS suggests using customized security awareness training rather than off-the-shelf programs, since training is more effective when it is relevant to each role, and off-the-shelf programs often do not adequately address emerging threats.
The survey confirmed that the biggest healthcare data breach of all time, the February 2024 ransomware attack on Change Healthcare, prompted many healthcare organizations to re-examine their relationships with business partners. The attack caused massive disruption at healthcare providers across the country, and the subsequent investigation confirmed that initial access was gained through a Citrix server that did not have multifactor authentication enabled, a failure of cybersecurity basics. The attack also prompted many healthcare providers to review their incident response and business continuity plans to ensure they can continue to operate in the event of a cyberattack.
Concerningly, only 45% of respondents said they conduct tabletop exercises for incident response testing, with 39% of respondents saying they do not and 16% unaware if plans are tested. “These findings highlight a mixed level of preparedness among organizations, with many failing to test their incident response plans by using tabletop exercises,” explained HIMSS. “Tabletop exercises are critical for simulating various scenarios, identifying gaps in response capabilities, and strengthening overall incident response strategies.”
Overall, the survey confirms that the majority of healthcare organizations appreciate the importance of making further investments in cybersecurity and are taking steps to improve their security posture. “By implementing more robust cybersecurity defenses, healthcare organizations are better equipped to protect patient data and patient safety,” explained HIMSS. “Continued adaptation and innovation will be essential for navigating an increasingly digital world.”