When hackers hit a hospital, it’s not just data at stake. It’s lives. That’s the stark undercurrent running through the 2024 HIMSS Healthcare Cybersecurity Survey. Released this spring by the Healthcare Information and Management Systems Society (HIMSS), the annual snapshot offers a sobering diagnosis of things like patient data protection and healthcare IT security. As threats like AI misuse rise, cybersecurity in healthcare is improving, but not fast enough.
Money’s Flowing. But Are the Doors Still Open?
For years, Chief Information Security Officers have begged for more resources. In 2024, they finally got a modest bump. More than half of survey respondents said their IT budgets are set to increase this year. Yet, the number of organizations allocating more than 10% of their IT spend to cybersecurity actually dropped.
“Budgets are shifting, not necessarily expanding,” the report notes. “We’re seeing strategic prioritization, but not always at the scale needed.”
And the kicker? Nearly a quarter of respondents didn’t know how much of their budget went to cybersecurity at all. This may be a sign of deeper communication and governance challenges.

HIMSS surveyed 273 professionals with direct oversight or operational roles in cybersecurity. These were CISOs, senior managers, and hands-on analysts who’ve stared down phishing attempts and ransomware threats in real time. The data, collected in late 2024, reflects lived experience, not hypothetical risks.
Cyber Insurance
Fewer organizations are turning to cyber liability insurance, with just 16% investing in new policies and 14% enhancing existing ones. It’s not the most popular move, but it remains a crucial financial safety net in the face of growing digital threats.
Phishing Tops the Charts (Again)
The primary culprit behind breaches? Still phishing, by a long shot. Email phishing was cited as the initial point of compromise in 63% of significant security incidents. Variants like SMS phishing and spear phishing weren’t far behind.
And while training is widespread, only 18% of organizations described their awareness programs as very effective. That’s despite creative efforts like gamification and scenario-based workshops. Emerging threats like deepfakes and “quishing” (QR-code scams) remain poorly addressed.
AI Is Everywhere. Few Are Watching It
Artificial Intelligence is the elephant in the operating room. A whopping 81% of organizations now allow AI use. Yet only 31% are actively monitoring how it’s used across systems.
This unmonitored adoption is raising alarm bells. Respondents fear everything from privacy violations and data bias to patient safety. AI-driven insider threats have already been confirmed in several organizations.
“We’re adopting AI faster than we’re governing it,” one survey participant admitted. “That’s not a good place to be.”
Fewer Paying Ransom Is Good News. But Threats Persist
The good news? Healthcare organizations seem more resistant to ransomware extortion. In 2024, only 11% of victims paid up, compared to 30% in 2023.
The bad? Ransomware isn’t going away. Thirteen percent of organizations experienced attacks in 2024. That’s unchanged from previous years and suggests defenders are struggling to gain an edge.
Third-Party Risks Are the New Front Line
As healthcare grows more connected, the weakest link often lies outside the firewall. Vendors, cloud providers, and consultants now hold keys to sensitive systems. One in four organizations reported a major third-party security incident last year. Many of those had serious consequences.
Business disruptions. Clinical delays. Financial losses. All were common ripple effects of these vendor-related breaches.
And yet, only 31% of organizations have a formal third-party risk management program. It’s cybersecurity’s equivalent of performing surgery without sterilized instruments.
The Insider Threat Nobody Sees Coming
While headlines often focus on foreign hackers or ransomware gangs, insiders remain a ticking time bomb. Malicious or negligent employees, and sometimes third-party contractors, can wreak havoc.
Just 26% of organizations have formal programs to manage insider threats. With AI entering the mix, the stakes are only getting higher. A poorly trained employee feeding sensitive data into a public chatbot could trigger a privacy breach. A disgruntled IT staffer using AI to hide malicious code? That’s the stuff of next year’s case studies.
A Digital Pandemic
The HIMSS report reads like a digital pandemic playbook. There are vulnerabilities everywhere, institutional blind spots, and rising pressure to modernize faster than infrastructure allows.
And yet, there’s hope.
Organizations are testing incident response plans. Executive buy-in is rising. Cyber awareness is no longer relegated to IT. It’s becoming a boardroom issue. But like any recovery, it requires vigilance.