Why 73% of healthcare IT leaders fear rising security challenges
Gugu Ntsele May 29, 2025
As medical institutions continue their digital transformation, a reality has emerged from recent industry research: 73% of healthcare IT leaders anticipate increased security challenges in the coming year. This statistic is highlighted in the latest Paubox report.
Healthcare organizations face multiple vulnerabilities: legacy systems never designed for modern threats, budget constraints that force impossible choices between patient care and security infrastructure, and the reality that lives depend on systems that cannot be taken offline for protection.
The digital healthcare revolution and its unintended consequences
The healthcare industry's digital transformation has accelerated, particularly following the global pandemic. Electronic health records (EHRs), telemedicine platforms, Internet of Medical Things (IoMT) devices, and cloud-based systems have changed patient care delivery. However, this digitization has also expanded the attack surface for cybercriminals.
As noted in "Power, paradox and pessimism: On the unintended consequences of digital health technologies in primary care" by Ziebland, Hyde, and Powell, "In many high income countries, including the UK, digital approaches to health care have been championed by enthusiastic policy makers as offering the potential to address some of the key 21st century challenges by providing cheaper, safer care that is more accessible to patients and at least as effective and patient-centred as the traditional alternatives." However, the research also shows that "unintended consequences 'which result from behaviour initiated for other purposes' have provided rich pickings for social scientists" and that "in complex health care systems where components interact in 'nonlinear, dynamic, and unpredictable ways,' unintended consequences are likely to attend new initiatives."
Every connected medical device, from insulin pumps to MRI machines, represents a potential entry point for malicious actors. The rush to implement remote care solutions during the pandemic often prioritized functionality over security, leaving many healthcare organizations with vulnerable systems that were hastily deployed without thorough security frameworks.
The integration of artificial intelligence and machine learning in healthcare has added another layer of complexity. While these technologies offer benefits for diagnosis and treatment, they also introduce new vulnerabilities and data privacy concerns that many healthcare IT departments are still learning to address.
Understanding the threat landscape
Healthcare organizations face a unique and challenging threat environment. Unlike other industries, healthcare cannot simply shut down systems when under attack—lives depend on continuous operation. This creates a scenario where attackers hold leverage.
As Sarah Varnell, manager at BARR Advisory, explains, "Healthcare organizations are high-value targets. They hold sensitive personal and medical data, and often rely on complex, legacy systems that weren't built with modern security threats in mind. Unlike credit card information, protected health information (PHI) doesn't expire. It can be used to commit medical fraud, obtain prescriptions or treatments under false identities, or even blackmail individuals based on diagnoses or treatments."
The scale of the threat became particularly evident in 2024. According to the Paubox report, "The healthcare sector has always been a prime target for cybercriminals, but 2024 was a wake-up call… 180 healthcare organizations reported violations involving email breaches last year," while "60% of IT leaders in healthcare organizations reported experiencing email-related breaches or security incidents."
The impact of sophisticated attacks was exemplified by the Change Healthcare ransomware incident in February 2024. Cybercriminals affiliated with the ALPHV/BlackCat ransomware gang broke into Change Healthcare's systems using leaked credentials to access a Citrix portal account that lacked multi-factor authentication protection. The attackers siphoned off sensitive data—including names, Social Security numbers, diagnoses, treatment plans, and financial information—affecting an estimated 112 million people before deploying ransomware. The attack on Change Healthcare, which operates the US's largest clearinghouse for medical insurance claims, paralyzed significant portions of the US healthcare system for weeks, forcing thousands of pharmacies and healthcare providers to halt electronic payments and medical claims processing. The total cost of the breach is expected to exceed $1 billion, while UnitedHealth Group had to provide $2 billion in assistance to affected healthcare providers.
However, sophisticated external attacks aren't the only concern. Internal threats can be equally damaging, as demonstrated by the Mass General Brigham incident in 2024. The hospital discovered that two employees had allowed an unauthorized person to access patient records between February 2023 and April 2024. This insider threat resulted in the potential exposure of patients' personal information, including names, addresses, medical record numbers, dates of birth, email addresses, phone numbers, and health insurance policy numbers. Both employees were subsequently terminated, but the incident shows how trust-based healthcare environments can be vulnerable to internal breaches.
Email has emerged as the primary attack vector for healthcare cybercriminals. Despite being recognized as healthcare's "top cybersecurity vulnerability," the Paubox report reveals that organizations are struggling to adequately address this threat. The gap between recognition and effective response highlights the complexity of securing healthcare communications while maintaining the rapid, accessible communication that patient care demands.
Resource constraints and competing priorities
One of the factors contributing to healthcare IT leaders' concerns is the challenge of resource allocation. Healthcare organizations often operate on thin margins, with the majority of their budgets dedicated to patient care rather than IT infrastructure. This creates an environment where cybersecurity investments must compete with direct patient care needs.
According to recent findings from the Paubox report, "Healthcare organizations currently allocate only 11–20% of their IT budgets to email security, despite email being their top cybersecurity vulnerability." This misalignment between spending and risk exposure reveals a gap in healthcare cybersecurity strategy. The financial services sector, by comparison, "dedicates approximately 6–14% of overall IT budgets specifically to cybersecurity," demonstrating a more thorough approach to protecting sensitive data.
Perhaps most concerning is that "despite healthcare's comparable or even slightly higher proportional spending, 74% of healthcare IT leaders still report dissatisfaction with their current email security solutions." This dissatisfaction suggests that the issue isn't necessarily the amount of spending, but rather how effectively those resources are being deployed. The Paubox report notes that "this gap results in overworked security teams, ineffective protections, and substantial financial and operational risk, highlighting an urgent need to reassess and enhance healthcare email security investments."
Regulatory compliance and evolving standards
Healthcare organizations must navigate different regulations. HIPAA compliance remains an important requirement, but additional regulations and standards continue to emerge. The European Union's GDPR has implications for healthcare organizations that serve international patients, while various state-level privacy laws add additional compliance burdens.
The Food and Drug Administration (FDA) has also increased its focus on medical device cybersecurity, implementing new requirements for manufacturers and healthcare organizations. These changing standards require continuous monitoring and updates to security practices, adding to the workload of already overworked IT teams.
The challenge is not just meeting current regulatory requirements but anticipating future changes. Healthcare IT leaders must build security programs that can adapt to changing compliance standards while maintaining operational efficiency.
The human factor in healthcare cybersecurity
Healthcare environments present human factors that complicate cybersecurity efforts. Medical professionals are primarily focused on patient care, and security measures that interfere with their ability to quickly access information or treat patients often face resistance. This creates tension between security and usability that healthcare IT leaders must carefully balance.
According to Influence of Human Factors on Cyber Security within Healthcare Organisations: A Systematic Review, "the high susceptibility rate of healthcare professionals and the failure to recognise phishing attacks are attributed to the high stress environments often encountered in hospitals." Additionally, the systematic review reveals that "the lack of sufficient training and awareness impacts healthcare organisations facing ever-increasing cyber threats. [Each] healthcare organisation is unique and often faced with economic pressure to deliver patient care, with IT system security not being prioritised above medical services."
The diverse workforce in healthcare settings includes everyone from highly educated physicians to contract workers and volunteers. Implementing consistent security training and awareness programs across such a varied population requires substantial resources and ongoing attention.
The systematic review further states that "the lack of organisational roles, such as those of chief information officer and chief security information officer, has also been cited as a reason for the increasing number of data breaches reported across national healthcare infrastructures."
Emergency situations in healthcare settings often require immediate access to systems and information, sometimes necessitating the bypass of normal security protocols. Creating security frameworks that accommodate these legitimate emergency needs while preventing abuse requires careful planning and disciplined implementation.
FAQs
What role does cyber insurance play in healthcare cybersecurity?
Cyber insurance helps mitigate financial loss after a breach, but it cannot replace a strong, proactive security strategy.
How do small or rural healthcare providers compare in cybersecurity readiness?
Smaller providers often lack the resources for comprehensive cybersecurity, making them more vulnerable to attacks.
Are there any government-funded programs to support healthcare cybersecurity improvements?
Some federal initiatives exist, but they are limited and often inaccessible to underfunded or smaller healthcare entities.
How are third-party vendors contributing to healthcare cybersecurity risks?
Vendors can introduce vulnerabilities through weak security practices or insufficient data protection controls.
What is the role of mobile device security in healthcare?
Mobile devices increase accessibility but also expand the attack surface if not properly secured.