The 2025 Study on Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care

Larry Ponemon

Healthcare organizations’ ability to protect confidential patient data and ensure the highest quality of medical care is increasingly at risk, underscoring the need for a more human-centric security approach, our Cyber Insecurity in Healthcare study has found.

This fourth annual report was conducted to determine the healthcare industry’s effectiveness in reducing human-targeted cybersecurity risks and disruptions to patient care. With sponsorship from Proofpoint, Ponemon Institute surveyed 677 IT and IT security practitioners in healthcare organizations who are responsible for participating in such cybersecurity strategies as setting IT cybersecurity priorities, managing budgets and selecting vendors and contractors.

Healthcare organizations remain frequent targets, with cyberattacks continuing to disrupt patient care. According to the research, 93 percent of organizations surveyed experienced at least one cyberattack in the past 12 months. For organizations in that group, the average number of cyberattacks was 43, a 3-point increase from 40 in 2024.

The cyberattacks analyzed that took place over a two-year period in this research are cloud/account compromises, supply chain attacks, ransomware and business email compromise (BEC)/spoofing/impersonation. Among the organizations that experienced the four types of cyberattacks, an average of 72 percent report disruption to patient care, a 3-point jump from 69 percent in 2024.

While the cost of cyberattacks has declined, they remain a significant financial burden. We asked respondents to estimate the single most expensive cyberattack experienced in the past 12 months from a range of less than $10,000 to more than $25 million. Based on the responses, the average total cost for the most expensive cyberattack was $3.9 million, down from $4.7 million in 2024 but still substantial. This includes all direct cash outlays, direct labor expenditures, indirect labor costs, overhead costs and lost business opportunities.

Operational disruptions stemming from system availability problems remain the most expensive consequence. The following is a breakdown of the five cybersecurity cost categories for the single most expensive cyberattack as well as their average cost:

  • Disruption to normal healthcare operations cost an average of $1,210,172, a decrease from $1,469,524 in 2024.
  • Users’ idle time and lost productivity dropped to $858,832 from $995,484 in 2024. These costs were due to downtime or system performance delays.
  • The cost of the time required to ensure the impact on patient care is corrected decreased to $702,680 from an average of $853,272 in 2024.
  • The damage or theft of IT assets and infrastructure averaged $624,605, down slightly from $711,060 in 2024.
  • Remediation and technical support activities, including forensic investigations, incident response activities, help desk and delivery of services to patients saw the largest drop (28.6%) from $711,060 in 2024 to $507,491 in 2025.

For the first time, this year’s study examined plans to secure clinical operations in the cloud. Thirty percent of respondents say their organizations have moved clinical applications to the cloud. Forty-five percent say their organizations will move clinical applications to the cloud in the next six months (9 percent), within the next year (8 percent), in the next one to two years (15 percent) or eventually (13 percent). This accelerating shift toward cloud-hosted clinical systems underscores the urgency of addressing cloud/account compromise risks, given the potential impact on patient care and service continuity.

The report analyzes four types of cyberattacks that occurred over the past two years and their impact on healthcare organizations, patient safety and patient care delivery:

Cloud/account compromise. A cloud/account compromise results from criminals obtaining access to credentials (e.g., user IDs and passwords). The consequence is typically an account takeover, where criminals use those validated credentials to commit fraud and transfer sensitive data to systems under their control.

For the fourth consecutive year, frequent attacks against the cloud make it the top cybersecurity threat. Nearly two-thirds of respondents (64 percent) say their organizations are vulnerable or highly vulnerable to a cloud/account compromise. Seventy-two percent say their organizations have experienced cloud/account compromises, an increase from 69 percent in 2024. These organizations had an average of 21 such compromises in the past two years.

Supply chain attacks. Supplier impersonation and compromise attacks occur when a malicious actor impersonates or successfully compromises an email account in the supply chain. The attacker then observes, mimics and uses historical information to craft scenarios to spoof employees in the supply chain.

Fewer organizations are experiencing supply chain attacks. Forty-four percent of respondents say their organizations experienced an attack against their supply chains, a significant decline from 68 percent in 2024. On average, these organizations experienced four supply chain attacks in the past two years. Fifty-seven percent say their organizations are very or highly vulnerable to supply chain attacks.

Ransomware. Ransomware is malware that blocks the victim’s access to files. While there are many strains of ransomware, they generally fall into two categories. Crypto ransomware encrypts files on a computer or mobile device, making them unusable. It takes the files hostage, demanding a ransom in exchange for the decryption key needed to restore them. Locker ransomware blocks basic computer functions, essentially locking the victim out of the data and files on the infected devices. Instead of encrypting files, cybercriminals demand a ransom to unlock the device.

Fewer organizations are paying a ransom, but the amount paid has increased. The costliest ransom paid (extrapolated value) was $1.2 million, up from $1.1 million in 2024 and a staggering 56 percent increase from $771,905 in 2022, when we first began tracking this data. This continuous rise underscores how threat actors are demanding and receiving larger payouts even as payment rates declined (33 percent in 2025 vs. 36 percent in 2024). Fifty-five percent of respondents believe their organizations are vulnerable or highly vulnerable to a ransomware attack. In the past two years, organizations that had ransomware attacks (61 percent) experienced an average of 5 such attacks. The combination of threat exposure and escalating ransom demands creates operational and financial risk for healthcare organizations.

Business email compromise (BEC)/spoofing/impersonation. BEC attacks are a form of cybercrime that uses email fraud against healthcare organizations to achieve a specific outcome. Examples include invoice scams, spear phishing designed to gather data for other criminal activities, attorney impersonations and CEO fraud.

Concerns about these attacks have decreased significantly since 2022, when 64 percent of respondents said their organizations were very or highly vulnerable. In the 2025 research, 53 percent say their organizations are vulnerable or highly vulnerable to a BEC/spoofing/impersonation incident, essentially unchanged from 52 percent in 2024. And 62 percent say their organizations experienced an average of four attacks in the past two years. In 2024, 57 percent said they had an average of four attacks in the past two years.

From breach to bedside: The persistent link between cyberattacks and patient safety

As in the previous report, an important part of the research is the connection between cyberattacks and patient safety. Among the organizations that experienced the four types of cyberattacks in the study, an average of 72 percent report disruption to patient care, a 3-point jump from 69 percent in 2024.

An average of 54 percent report poor patient outcomes due to increases in medical procedure complications. An average of 53 percent saw longer lengths of stay, and an average of 29 percent say patient mortality rates increased.

The following are additional trends in how cyberattacks have affected patient safety and patient care delivery.

  • Supply chain attacks continue to be the most likely to affect patient care. While fewer organizations in this year’s research had a supply chain attack (44 percent in 2025 vs. 68 percent in 2024), 87 percent of those respondents say it disrupted patient care, an increase from 82 percent in 2024. Patients were primarily impacted by delays in procedures and tests that resulted in poor outcomes (51 percent) and an increase in complications from medical procedures (49 percent). Mortality rates increased significantly from 26 percent in 2024 to 32 percent in 2025.
  • BEC/spoofing/impersonation attacks cause delays in procedures and tests. Sixty-two percent of respondents say their organizations experienced a BEC/spoofing/impersonation incident and had an average of four attacks. Of these respondents, 70 percent say a BEC/spoofing/impersonation attack against their organizations disrupted patient care. Sixty-five percent say the attacks caused delays in procedures and tests that have resulted in poor outcomes and 55 percent say it increased complications from medical procedures.
  • Ransomware attacks cause delays in patient care. Sixty-one percent of respondents say their organizations experienced an average of 5 successful ransomware attacks. Sixty-seven percent say ransomware attacks had a negative impact on patient care. Of these respondents, 67 percent say it resulted in longer lengths of stay, which affects organizations’ ability to care for patients. Fifty-six percent say it resulted in delays in procedures and tests that disrupted patient care.
  • Cloud-based user accounts/collaboration tools that enable productivity are most often attacked. Seventy-two percent of respondents say their organizations experienced an average of 21 cloud/account compromises, a slight increase from 20 in 2024. In this year’s study, 61 percent say the cloud/account compromises resulted in disruption in patient care, an increase from 57 percent in 2024. Sixty-one percent say cloud/account compromises increased complications from medical procedures and 52 percent say it resulted in longer length of stay. The tools most often attacked are text messaging (59 percent), Zoom/Skype/video conferencing (54 percent) and email (45 percent).
  • Data loss or exfiltration disrupts patient care and can increase mortality rates. Ninety-six percent of organizations in this research had at least two data loss or exfiltration incidents involving sensitive and confidential healthcare data in the past two years. On average, organizations experienced 18 such incidents in the past two years and 55 percent of respondents say they impacted patient care. Of these respondents, 54 percent say it increased the mortality rate and 36 percent say it caused delays in procedures and tests that resulted in poor outcomes. 

Employee negligence in not following policies (35 percent of respondents), privileged access abuse (25 percent) and employees sending PII or PHI to an unintended recipient via email (25 percent) are the primary root causes of these incidents.

For the fourth year in a row, the data reinforces a sobering reality: cyber threats aren’t just IT security issues, they’re clinical risks. When care is delayed, disrupted or compromised due to a cyberattack, patient outcomes are impacted, and lives are potentially put at risk.

Other key trends in cyber insecurity

Concerns about insecure mobile apps (eHealth) remained the top issue for the second consecutive year. However, respondents who cited this issue decreased from 59 percent in 2024 to 55 percent in 2025. Organizations are less worried about employee-owned mobile devices or BYOD (a decrease from 53 percent of respondents in 2024 to 49 percent in 2025) and cloud/account compromise (a decrease from 55 percent in 2024 to 49 percent in 2025), rounding out the top three spots. Thirty-eight percent of respondents identified generative AI and AI tools as a cyber concern, a new category in this year’s survey.

The top two barriers to achieving a strong cybersecurity posture continue to be a lack of in-house expertise and a lack of clear leadership. Forty-three percent of respondents cite insufficient in-house expertise, while 40 percent point to a lack of clear leadership. Fewer organizations view limited budgets as a primary deterrent, with 37 percent citing it in 2025, down from 40 percent in 2024. The average annual IT budget in 2025 is $66.2 million. Of that, 21 percent is allocated to information security.

Organizations continue to rely on security training and awareness programs to reduce risks caused by employees. But are they effective? Negligent employees pose a significant risk to healthcare organizations. More organizations (76 percent in 2025 vs. 71 percent in 2024) are taking steps to address the risk of employees’ lack of awareness about cybersecurity threats, but do those steps really reduce risk? Sixty-three percent say they conduct regular training and awareness programs. Fifty-one percent say their organizations monitor the actions of employees, and 47 percent say their organizations use simulated phishing attacks.

Multi-factor authentication (MFA) and secure email gateways are the top two technologies used to reduce email-based and other attacks. The use of MFA increased from 49 percent of respondents in 2024 to 54 percent in 2025. This is followed by secure email gateway (SEG) (52 percent of respondents in 2025 vs. 45 percent in 2024) and patch and vulnerability management (51 percent in 2025 vs. 52 percent in 2024).

Privileged access management (PAM) is the technology most often used to prevent identity risk and lateral movement in the network (59 percent of respondents). This is followed by identity and access management (53 percent of respondents) and alerts from a SIEM to gain visibility (50 percent of respondents).

Trends in AI and machine learning in healthcare

AI can increase the productivity of IT security personnel and reduce the time and cost of patient care and administrators’ work. For the second year, we include in the research the impact AI is having on security and patient care. Fifty-seven percent of respondents say their organizations have embedded AI in cybersecurity (30 percent) or embedded in both cybersecurity and patient care (27 percent). Fifty-five percent of these respondents say AI is very effective in improving organizations’ cybersecurity posture.

Fifty-five percent of respondents agree or strongly agree that AI-based security technologies will increase the productivity of their organizations’ IT security personnel. Fifty-six percent of respondents agree or strongly agree that AI simplifies patient care and administrators’ work by performing tasks that are typically done by humans but in less time and at a lower cost.

Only 40 percent of respondents use AI and machine learning to understand human behavior. Of these respondents, 55 percent say understanding human behavior to protect email is very important.

While AI offers benefits, there are issues that may deter wide-spread acceptance. Sixty percent of respondents say it is difficult or very difficult to safeguard confidential and sensitive data used in organizations’ AI.

AI technologies are maturing and stabilizing. While the No. 1 challenge to the effectiveness of AI-based security technologies is interoperability (34 percent of respondents), the challenge of a lack of mature and/or stable AI technologies decreased from 34 percent of respondents to 28 percent. The second most difficult challenge is errors and inaccuracies in the data inputs ingested by AI technology (33 percent of respondents).

AI-based data loss prevention (DLP) is effective in preventing data loss incidents caused by employees and malicious insiders. AI-based DLP refers to using artificial intelligence and machine learning techniques to enhance DLP solutions, making them more effective at identifying and preventing sensitive data from being leaked or misused. This includes things like automatically classifying sensitive data, detecting anomalous user behavior and adapting to evolving threats.

Twenty-three percent of respondents say their organizations have adopted AI-based DLP, and another 29 percent plan to adopt it in six months (14 percent) or in one year (15 percent). Fifty-six percent of respondents say AI-based DLP is very or highly effective in preventing employee data loss incidents, and 50 percent say this technology is very or highly effective in preventing malicious insider data loss incidents.
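To make the two DLP building blocks named above concrete (classifying sensitive data and detecting anomalous user behavior), here is an added illustration in Python. It is not code from the Ponemon report or from Proofpoint; it is a rule-based stand-in for the "AI-based" classification the report describes. The organization domain `hospital.example`, the PHI indicator patterns (SSN, MRN, date of birth), the clinical keyword list, the per-sender daily baseline and every sample message are constructed assumptions for the example. It flags the root cause the report names most often, an employee emailing PHI to an unintended external recipient, and separately flags a sender whose volume of such sends departs from their own historical baseline.

```python
"""Rule-based DLP check with a per-sender behavioural baseline.

Added example only; not the report's or any vendor's code. The domain,
patterns, thresholds and sample data below are constructed assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev

ORG_DOMAIN = "hospital.example"  # assumed internal mail domain (constructed)

# PHI indicator patterns. The SSN/MRN/DOB formats are assumptions for this
# example; a real deployment would use the organization's own identifier formats.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB[:\s]*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}
CLINICAL_TERMS = ("diagnosis", "icd-10", "lab results", "prescription")


@dataclass
class Message:
    sender: str
    recipients: list
    body: str


def classify(msg: Message) -> set:
    """Return the set of PHI indicator names found in the message body."""
    hits = {name for name, pat in PHI_PATTERNS.items() if pat.search(msg.body)}
    if any(term in msg.body.lower() for term in CLINICAL_TERMS):
        hits.add("clinical_term")
    return hits


def external_recipients(msg: Message) -> list:
    """Recipients outside the organization's own domain."""
    return [r for r in msg.recipients if not r.lower().endswith("@" + ORG_DOMAIN)]


def scan(messages, history, z_threshold=2.0):
    """Evaluate one day of outbound mail.

    history maps sender -> list of prior daily counts of PHI-bearing external
    sends (the baseline). Returns a list of alert dicts: one per message that
    carries PHI to an external recipient, plus one volume_anomaly alert per
    sender whose count today sits more than z_threshold standard deviations
    above their own baseline (needs at least five days of history).
    """
    alerts = []
    today = Counter()
    for m in messages:
        indicators = classify(m)
        ext = external_recipients(m)
        if indicators and ext:
            today[m.sender] += 1
            alerts.append({"sender": m.sender, "reason": "phi_to_external",
                           "indicators": sorted(indicators), "recipients": ext})
    for sender, count in today.items():
        base = history.get(sender, [])
        if len(base) < 5:
            continue  # not enough history to call anything anomalous
        mu, sigma = mean(base), pstdev(base)
        anomalous = count > mu if sigma == 0 else (count - mu) / sigma > z_threshold
        if anomalous:
            alerts.append({"sender": sender, "reason": "volume_anomaly",
                           "count": count, "baseline_mean": mu})
    return alerts


# Constructed sample data: a nurse who normally sends PHI externally about
# every other day, and a billing clerk with a steady external workload.
SAMPLE_HISTORY = {
    "nurse.a@hospital.example": [0, 1, 0, 1, 0, 1, 0],
    "billing.b@hospital.example": [3, 2, 4, 3, 3],
}
SAMPLE_MESSAGES = [
    Message("nurse.a@hospital.example", ["dr.c@hospital.example"],
            "Patient MRN: 00123456 lab results attached"),            # internal: no alert
    Message("nurse.a@hospital.example", ["friend@webmail.example"],
            "SSN 123-45-6789 DOB 01/02/1980"),                         # PHI to external
    Message("nurse.a@hospital.example", ["intake@partner.example"],
            "Diagnosis summary attached"),                             # PHI to external
    Message("nurse.a@hospital.example", ["refill@partner.example"],
            "MRN 987654321 prescription renewal"),                     # PHI to external
    Message("billing.b@hospital.example", ["claims@insurer.example"],
            "Invoice attached, no patient details"),                   # no PHI: no alert
]


def run_example():
    """Scan the constructed sample; 3 phi_to_external alerts + 1 volume_anomaly."""
    return scan(SAMPLE_MESSAGES, SAMPLE_HISTORY)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The baseline step is what separates this from a plain content filter: the billing clerk's external traffic is normal for that role and produces nothing, while the nurse's three PHI-bearing external sends in one day trip the anomaly check against a baseline that averages under one per day. In production the classifier would be a trained model and the baseline a richer behavioural profile, but the two decisions (what is sensitive, and what is unusual for this person) are the same ones the report attributes to AI-based DLP.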

To read the full report, visit Proofpoint’s website. 
