The Healthcare Information and Management Systems Society (HIMSS) annually surveys healthcare leaders. A recent survey revealed that
- 55% of healthcare organizations have plans to spend more on cybersecurity in 2025
- 21% say budgets are mostly the same every year
- 4% have plans to spend less on cybersecurity compared to 2024
This year's HIMSS Healthcare Cybersecurity Survey had 273 participants, all healthcare cybersecurity professionals: 50% from executive management, 37% from non-executive management, and 13% from non-management positions. 46% of participants were primarily responsible for cybersecurity, 30% had some responsibility, and 24% were accountable only occasionally, as needed. The survey was conducted from November 6, 2024 to December 16, 2024, and included questions about cybersecurity investment and experiences over the past 12 months.
Over the years, healthcare organizations have spent about 6% of their IT budgets on cybersecurity, but more is now being spent on cybersecurity improvements. 30% of survey participants said they are spending over 7% of their IT budgets on cybersecurity in 2025. 19% of participants intend to spend 3-6% of their IT budgets on cybersecurity, 14% intend to spend 7-10%, 7% intend to spend 11-14%, and 9% intend to spend over 14%. 20% of participants reported they have not set a fixed amount to invest in cybersecurity and could increase funding when necessary; 23% stated they have no information about their cybersecurity budgets. While the growth in cybersecurity investment is welcome, HIMSS cautions that simply spending more is not enough and may not produce substantial security improvements. Prioritization and sound planning are needed to ensure that funds go to the areas that will produce the greatest improvements in security posture.
The participants who reported higher cybersecurity budgets were asked whether the increase would allow them to make meaningful improvements to their security. The areas most often cited for substantial improvement were cybersecurity tools (57%) and security policies (47%), whereas only 34% of participants expected to make substantial improvements to the cybersecurity workforce. 34% of participants said they expected some improvement in tools, policies, or workforce.
Although attackers frequently exploit unpatched vulnerabilities to gain access to healthcare systems, it is far more common for healthcare workers themselves to be targeted. According to the survey, the most frequent initial points of compromise in security breaches over the last 12 months were business email compromise (31%), spear phishing (34%), SMS phishing (34%), and email phishing (63%).
Given the volume of attacks aimed at healthcare workers, regular HIPAA security awareness training is essential. The survey looked at the methods used for security awareness training, which included email notifications and updates (73%), simulated phishing attacks (63%), interactive discussions (49%), in-person or virtual workshops (47%), training on emerging threats (40%), and tabletop exercises (38%). 4% of respondents said their organization did not provide cybersecurity awareness training at all, even though it is a HIPAA Security Rule requirement. Another 2% did not know whether security awareness training was offered, and 3% said they rely on other methods such as video-based instruction or compliance activities, which are not equivalent to effective cybersecurity training.
Regarding the effectiveness of security awareness training, 18% said it was very effective, 62% said somewhat effective, 18% said slightly effective, and 2% said not effective at all. HIMSS recommends using tailored security awareness training rather than off-the-shelf training programs.
The survey showed that many healthcare organizations are reexamining their relationships with business partners following the Change Healthcare ransomware attack in February 2024. That attack, which was possible because a Citrix server lacked multifactor authentication, caused substantial disruption at healthcare organizations across the country. It also prompted many healthcare organizations to review their incident response procedures and business continuity plans to make sure they can keep operating in the event of a cyberattack.
Overall, the survey shows that most healthcare organizations see the value of additional cybersecurity spending and are taking steps to improve their security posture. With stronger cybersecurity defenses, healthcare organizations can better protect patient information and patient safety.