
Survey: Cybersecurity seen as strategic priority, not compliance obligation


A new survey finds most US healthcare organizations face frequent cyberattacks, with many now treating cybersecurity as a core business enabler.


What happened

The 2025 US Healthcare Cyber Resilience Survey, conducted by EY and KLAS Research, reveals that more than 70% of healthcare organizations experienced disruptions due to cyber incidents over the past two years. The survey, based on input from 100 healthcare executives responsible for cybersecurity, shows organizations encountered an average of five different types of cyber threats in the last year. The most common were phishing (77%), third-party breaches (74%), malware (62%), data breaches (47%), and ransomware (45%).

The consequences were widespread: 72% of respondents cited moderate to severe financial impacts, 60% noted operational disruptions, and 59% experienced clinical effects such as delayed treatments and strained patient trust.


Going deeper

Traditionally treated as a compliance function, cybersecurity is increasingly being repositioned by health organizations as a strategic asset. Respondents reported that aligning cybersecurity investments with business outcomes such as patient safety, reduced downtime, and financial resilience improved executive buy-in. However, long-term investment remains difficult to sustain, especially in periods of budget tightening or when attacks persist despite improvements.

Executives also flagged challenges, including emerging AI-driven threats, managing third-party risk, and shortages in skilled cybersecurity personnel. Identity and access management is expected to be the top investment area in the coming fiscal year, with 68% prioritizing it. Over half of respondents also identified workforce upskilling as a tactic to improve cyber resilience.


What was said

EY and KLAS stated that cybersecurity must be shared across the organization and viewed as an enabler rather than a cost center. “In a time of tight budgets, cutting cyber investments can leave health organizations more vulnerable and ultimately lead to higher costs,” the report noted.

Nana Ahwoi, EY Americas’ Consumer and Health Cybersecurity Industry Leader, added: “Cybersecurity is more than a compliance checkbox; it drives safe care, patient trust and long-term success.”


The big picture

Healthcare organizations are moving from viewing cybersecurity as a regulatory checkbox to treating it as a core part of patient care and business strategy. With phishing driving 77% of reported cyber incidents, email remains the single most common entry point for attacks. Even the most advanced firewalls or endpoint protections can’t help if a malicious email slips through and reaches a busy clinician or administrator.

That’s why protecting the inbox has become just as important as protecting the network. Solutions like Paubox Inbound Email Security are designed for this reality. They detect and stop sophisticated phishing attempts, including AI-generated messages that mimic internal communications or trusted partners. For healthcare systems that already face skill shortages and mounting third-party risks, investing in behavioral and AI-driven email protection helps prevent the disruptions that jeopardize both operations and patient trust.


FAQs

Why is identity and access management receiving increased attention?

As attackers target stolen credentials and over-provisioned accounts, identity and access controls have become necessary for limiting unauthorized access and reducing lateral movement across systems.


How does cybersecurity support clinical outcomes?

Strong cyber defenses reduce system downtime, protect electronic health records, and ensure continuity of care, all of which are needed for timely treatment and patient safety.


What does it mean to view cybersecurity as a “value creator”?

Instead of treating cybersecurity as a cost to meet regulatory obligations, organizations that invest strategically see returns through operational stability, patient trust, and innovation readiness.


What are examples of AI-driven threats mentioned in the report?

These include machine-generated phishing, deepfake impersonation of staff or vendors, and automated attacks that adapt to traditional defenses in real time.


Why is third-party risk particularly challenging in healthcare?

Healthcare systems often rely on a wide range of vendors who may not maintain the same security standards. Weaknesses in a single vendor can expose sensitive data or disrupt care across multiple facilities.