Cybersecurity In Focus

Lack of AI governance poses threat to data security, new HIMSS research shows

Budget bumps have led to better security tools, but the growing use of artificial intelligence requires more focus and investments from organizations. HIMSS25 attendees can learn more at the preconference Healthcare Cybersecurity Forum.
By Andrea Fox
February 25, 2025
04:38 PM

Healthcare organizations are making progress in strengthening their security postures, but increased focus on governance and further investments in healthcare security workforces are still needed, according to the latest Healthcare Information Management Systems Society analysis. 

For the 2024 Healthcare Cybersecurity Survey Report, HIMSS asked healthcare cybersecurity professionals with daily cybersecurity responsibilities about cybersecurity practices and trends across the industry. 

The report highlights growing threats and issues challenging security, examines how budgets are being used and provides insight on where organizations have the opportunity to improve their security conversations.

Threats still underfunded

Now in its 16th year, the HIMSS annual cybersecurity survey reflects insights from healthcare cybersecurity professionals overseeing or managing healthcare cybersecurity programs. Key topics include ransomware, security incidents, budgets and artificial intelligence.

"This year’s survey shows that tools alone are not enough – stronger governance is essential, with critical areas including artificial intelligence, insider threat management and third-party risk management," HIMSS, the parent company of Healthcare IT News, said in a statement. 

"Money supports security, but without governance, AI-related risks remain unchecked," Lee Kim, HIMSS senior principal of cybersecurity and privacy, told HITN on Tuesday.

"These risks apply to the healthcare organization, but also others. They extend to contractors, subcontractors and third parties that handle patient or sensitive data, as well as vendors providing services to the healthcare organization," she noted.

Fewer ransomware victims are reporting paying ransom, HIMSS researchers noted. 

That may be due in part to healthcare organizations' increased IT security investments. In dedicating more resources to fortify cybersecurity defenses than in previous years, healthcare organizations are strategically aligning budgets with critical vulnerabilities, and further investments are predicted, the survey found.

"Allocations in the 7% to 10% range gradually increased from 10% in 2020 to 14% in 2024, showing growing investment in higher cybersecurity budgets," researchers said in the report.

A slight majority of respondents – 52% – said they anticipated their organizations’ overall IT budgets would increase in 2025, while 10% indicated a decrease, 28% reported they envision no change and 10% did not know. 

However, HIMSS said in the report that survey respondents' budget increases since 2019 are, overall, modest and that additional budget allocations are needed to address these increased security risks for providers.

"Effective AI governance requires appropriate policies, staff and ongoing monitoring to address risks like data leaks, breaches, social engineering – which includes without limitation, deepfakes and AI-driven phishing attacks, insider threats, etc.," said Kim.

AI spurs further security investments

In a looming concern, the healthcare cybersecurity professionals who responded to the survey said there is limited monitoring of AI use at their organizations.

"When asked whether their organizations have approval processes in place for AI technologies, nearly half – 47% – of respondents indicated that their organizations do have approval processes, while 42% reported that they do not," the researchers said. 

"An additional 11% were unsure whether such processes exist within their organizations." 

That lack of formal AI governance increases risk, according to the new report, which also noted machine learning-driven cyber subterfuge as an emerging threat.

"Half – 50% – of respondents said their organizations permit only approved AI technologies, while 30% allow AI without formal restrictions and 16% prohibit AI use entirely," the report said.

Only 1% of respondents reported taking actions like "developing AI policies or implementing guardrails," while 3% of HIMSS survey respondents were unsure of their organizations’ stance.

Most meaningful, weakest spends

The 2024 respondents cited improvements to security tools as the most meaningful progress resulting from increased overall HIT budgets.

"A majority – 57% – reported significant improvements to the tools they use, 47% reported significant improvements to policies and 31% reported significant improvements to staff," according to the report.

Bolstering the workforce – employee retention, hiring and upskilling – has been an ongoing issue for the sector.

Respondents to previous HIMSS cybersecurity survey polls have cited staffing as a top barrier to improving healthcare cybersecurity programs, and researchers said limited security budgets have made progress on that challenge slow.

Last year's report showed that the 2023 HIMSS poll found retention of qualified cybersecurity staff a challenge for that year's privacy and security professionals. 

"We are making progress, but we must do more to stay ahead of today’s evolving threats and to be prepared for future threats," HIMSS researchers said in a statement.

"The weakest link in any security program is the people, which is why education, tools and policies remain the most important lines of defense."

Communication around cybersecurity priorities

This year's report involved 273 healthcare cybersecurity professionals who had at least some responsibility for day-to-day cybersecurity operations or oversight of a healthcare organization’s cybersecurity program. 

Researchers asked respondents on November 6 and December 16, 2024, about their perspectives, knowledge and experiences over the past 12 months. 

Nearly half the respondents were executive managers who held cybersecurity as their primary responsibility, and they had definitive responses. Poorer visibility into cybersecurity budget allocations among other respondents is also cause for concern, according to HIMSS researchers.

"While executive management respondents were generally aware of cybersecurity budget allocations, nonmanagement and nonexecutive management respondents demonstrated limited awareness, highlighting an opportunity for better information sharing about organizational cybersecurity programs," they said.

While phishing is the most common method of cyberattack for significant security incidents, according to the poll, researchers noted that gamification, tabletop exercises and interactive workshops boost workforce engagement in threat education.

"As the threat landscape evolves, healthcare organizations must stay vigilant while ensuring cybersecurity enables business and clinical care," HIMSS said in a statement. 

"Continued adaptation and innovation will be essential for navigating an increasingly digital world." 

Learn more at the Healthcare Cybersecurity Forum at this year’s HIMSS25 in Las Vegas.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
