It also aligns with what healthcare leaders are planning to do regardless of what happens on the federal level: Many have planned to increase their cybersecurity budgets this year, and according to the 2024 HIMSS Healthcare Cybersecurity Survey report, 57% of respondents are looking to improve the tools they work with, 47% hope to update their policies, and 34% aim to do all of the above plus bolster their staffing.
It's clear why cybersecurity has been a major focus area at annual industry events such as ViVE and HIMSS. In fact, one keynote speaker at HIMSS was former National Security Agency Director Paul Nakasone, who discussed the importance of sustained talent development and partnerships to improve healthcare cybersecurity.
The State of Healthcare Cybersecurity in 2025
Healthcare organizations also have targets for cyber insurance coverage that they need to hit, especially concerning identity and access management. That’s a major area for improvement in healthcare. After all, a lack of multifactor authentication was behind last year’s cyberattack on Change Healthcare.
But if MFA isn’t configured properly, it’s just another gap that can cause more pain. Don’t deploy MFA simply to check a box for cyber insurance or other compliance requirements. Understand what your organization needs and tailor your approach accordingly.
Industry leaders will also face greater expectations around auditing and monitoring to understand and mitigate organizational risk. Many are starting to better realize what their organizations’ appetite for risk looks like. Risk-based approaches historically haven’t been widespread in healthcare, but today’s reality requires organizations to estimate how long they can operate without an electronic health records system, a phone system, and other core applications or technologies critical for care delivery.
A risk-based approach also includes third-party risk management. Many providers learned how vulnerable they were after last year’s cyber events. Baptist Health in Jacksonville, Fla., for instance, learned that certain contracts were still associated with Change Healthcare even though the health system didn’t use it for revenue cycle management.
“We weren’t affected that much, but we were affected in pockets, and we didn’t know about that,” Vice President and CISO James Case said during a ViVE session last month. The health system also discovered older contracts that hadn’t been updated to reflect Change Healthcare’s new name after its acquisition by UnitedHealth Group in 2022. “It had a much broader impact for us and the whole industry than expected,” Case said.
Ultimately, healthcare cybersecurity needs to be treated as an ecosystemwide issue. It’s not enough for organizations to individually tackle security. Everyone needs to work together to improve their strategies to protect patient data.
This article is part of HealthTech’s MonITor blog series.