Healthcare organizations are making progress in strengthening their security postures, but increased focus on governance and further investments in healthcare security workforces are still needed, according to the latest Healthcare Information Management Systems Society analysis. 

For the 2024 Healthcare Cybersecurity Survey Report, HIMSS asked healthcare cybersecurity professionals with daily cybersecurity responsibilities about cybersecurity practices and trends across the industry. 

The report highlights growing threats and issues challenging security, examines how budgets are being used and provides insight on where organizations have the opportunity to improve their security conversations.

Threats still underfunded

Now in its 16th year, the HIMSS annual cybersecurity survey reflects insights from healthcare cybersecurity professionals overseeing or managing healthcare cybersecurity programs. Key topics include ransomware, security incidents, budgets and artificial intelligence.

"This year’s survey shows that tools alone are not enough – stronger governance is essential, with critical areas including artificial intelligence, insider threat management and third-party risk management," HIMSS, the parent company of Healthcare IT News, said in a statement. 

"Money supports security, but without governance, AI-related risks remain unchecked," Lee Kim, HIMSS senior principal of cybersecurity and privacy, told HITN on Tuesday.

"These risks apply to the healthcare organization, but also others. They extend to contractors, subcontractors and third parties that handle patient or sensitive data, as well as vendors providing services to the healthcare organization," she noted.

Fewer ransomware victims are reporting paying ransom, HIMSS researchers noted. 

That may be due in part to increased healthcare organizations' IT security investments. In dedicating more resources to fortify cybersecurity defenses than in previous years, healthcare organizations are strategically aligning budgets with critical vulnerabilities and further investments are predicted, the survey found.

"Allocations in the 7% to 10% range gradually increased from 10% in 2020 to 14% in 2024, showing growing investment in higher cybersecurity budgets," researchers said in the report.

A slight majority of respondents – 52% – said they anticipated their organizations’ overall IT budgets would increase in 2025, while 10% indicated a decrease, 28% reported they envision no change and 10% did not know. 

However, HIMSS said in the report that survey respondents' budget increases since 2019 are, overall, modest and that additional budget allocations are needed to support these increased providers' security risks.

"Effective AI governance requires appropriate policies, staff and ongoing monitoring to address risks like data leaks, breaches, social engineering – which includes without limitation, deepfakes and AI-driven phishing attacks, insider threats, etc.," said Kim.

AI spurs further security investments

A looming concern, the healthcare cybersecurity professionals who responded to the survey said there is limited monitoring of AI use at their organizations.

"When asked whether their organizations have approval processes in place for AI technologies, nearly half – 47% – of respondents indicated that their organizations do have approval processes, while 42% reported that they do not," the researchers said. 

"An additional 11% were unsure whether such processes exist within their organizations." 

That lack of formal AI governance increases risk, according to the new report, which also noted machine learning-driven cyber subterfuge as an emerging threat.

"Half – 50 % – of respondents said their organizations permit only approved AI technologies, while 30% allow AI without formal restrictions and 16% prohibit AI use entirely," the report said.

Only 1% of respondents reported taking actions like "developing AI policies or implementing guardrails," while 3% of HIMSS survey respondents were unsure of their organizations’ stance.

Most meaningful, weakest spends

The 2024 respondents cited security improvements to tools as the most meaningful progress out of increased overall HIT budgets.

"A majority – 57% – reported significant improvements to the tools they use, 47% reported significant improvements to policies and 31% reported significant improvements to staff," according to the report.

Bolstering the workforce – employee retention, hiring and upskilling – has been an ongoing issue for the sector.

Respondents to previous HIMSS cybersecurity survey polls have cited staffing as a top barrier to improving healthcare cybersecurity programs, and researchers said limited security budgets have made progress on that challenge slow.

Last year's report showed that the 2023 HIMSS poll found retention of qualified cybersecurity staff a challenge for that year's privacy and security professionals. 

"We are making progress, but we must do more to stay ahead of today’s evolving threats and to be prepared for future threats," HIMSS researchers said in a statement.

"The weakest link in any security program is the people, which is why education, tools and policies remain the most important lines of defense."

Communication around cybersecurity priorities

This year's report involved 273 healthcare cybersecurity professionals who had at least some responsibility for day-to-day cybersecurity operations or oversight of a healthcare organization’s cybersecurity program. 

Researchers asked respondents on November 6 and December 16, 2024, about their perspectives, knowledge and experiences over the past 12 months. 

Nearly half the respondents were both executive managers and held cybersecurity as their primary responsibility and had definitive responses. Poorer visibility into cybersecurity budget allocations by other responders is also cause for concern, according to HIMSS researchers. 

"While executive management respondents were generally aware of cybersecurity budget allocations, nonmanagement and nonexecutive management respondents demonstrated limited awareness, highlighting an opportunity for better information sharing about organizational cybersecurity programs," they said.

While phishing is the most common method of cyberattack for significant security incidents, according to the poll, researchers noted that gamification, tabletop exercises and interactive workshops boost workforce engagement threat education.

"As the threat landscape evolves, healthcare organizations must stay vigilant while ensuring cybersecurity enables business and clinical care," HIMSS said in a statement. 

"Continued adaptation and innovation will be essential for navigating an increasingly digital world." 

Learn more at the Healthcare Cybersecurity Forumat this year’s HIMSS25 in Las Vegas.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.