2024年醫(yī)療保健行業(yè)網(wǎng)絡(luò)安全調(diào)查（英）

PAGE

10

2024HIMSSHealthcareCybersecuritySurvey|?2025HealthcareInformationandManagementSystemsSociety

2024HIMSSHealthcareCybersecuritySurvey

TableofContents

ExecutiveSummary 3

MethodologyandDemographics 4

Methodology 4

Demographics 4

LevelsofResponsibility 5

TypesofOrganizationsRepresented 5

EconomicsofHealthcareCybersecurity 6

BudgetsareImproving 6

OverallITBudgetsareModestlyImproving 6

AllocationofcurrentITbudgettocybersecurity 7

Comparing2023to2024:CybersecurityBudgetAllocations 8

TrendsinCybersecurityBudgetAllocations 9

CybersecurityBudgetsProjectedtoRise 10

Changestocybersecuritybudgetin2025 10

EffectofCybersecurityBudgetIncreasesin2025 11

SecurityAwareness 12

SecurityAwarenessPrograms 12

Effectivenessofsecurityawarenessprograms 13

SecurityIncidents 14

SignificantSecurityIncidents 14

InitialPointsofCompromise 14

TestingofIncidentResponsePlans 15

StakeholderParticipationinTabletopExercises 16

What’sHappeningwithRansomware 17

PresentState 17

2024RansomwareTrends 17

RansomwareTrends:2022-2024 18

ToPayorNottoPay–RansomwarePayments 19

Proactivevs.ReactiveSecurityMeasures 20

FutureState 21

AIAdoptioninHealthcare 22

AllowingtheUseofAIinHealthcare 22

ToGovernorNot:OrganizationalApproachestoAI 22

AITechnologyUseCases 23

AIGuardrails 24

ApprovalProcessforAITechnology 24

ActiveMonitoringofAITechnology 25

AcceptableUsePolicyforAITechnology 25

FutureConcernsRegardingAI 26

ManagingThird-PartyRisks 27

Third-PartyRiskManagementPrograms 27

Third-PartySecurityIncidents 28

ImpactsofThird-PartySecurityIncidents 29

InsiderThreatPrograms 30

FormalInsiderThreatPrograms 30

InsiderThreatandAI 31

InsiderThreatActivityInvolvingThirdParties 32

Conclusion 33

AboutHIMSS 34

HowtoCitethisSurvey 34

HowtoRequestAdditionalInformation 34

ExecutiveSummary

CybersecurityBudgets

??Investments-Organizationsarededicatingmoreresourcestofortifydefenses.

??StrategicFocus-Budgetsareincreasinglyalignedwithcriticalvulnerabilities.

SecurityAwareness

??PhishingMitigation-Programstargetphishing,theleadingattackvector.

??InnovativeTraining-Gamificationandscenario-basedtrainingboostengagement.

SecurityIncidents

??PhishingDominance-Phishingisthetopmethodofcompromise.

??AI-DrivenAttacks-Deepfakesareanemergingthreat.

Ransomware

???CombattingRansomware-Ransomwaredefensecontinuestobeapriority.

?FewerRansomPayments-Fewerransomwarevictimsarereportingpayingransom.

ArtificialIntelligence

??PolicyShortfalls-AlackofformalAIgovernanceincreasesrisk.

??LimitedOversight-ThereislimitedmonitoringofAIusage.

Third-PartyRisks

??Third-PartyIncidents-Significantincidentsinvolvingthird-partiesarenotable.

?Impacts-Third-partyincidentscausedisruptionandotherimpacts.

InsiderThreats

??FormalPrograms-Formalprogramsareneededtomanageinsiderthreats.

MethodologyandDemographics

The2024HIMSSHealthcareCybersecuritySurveyreflectstheresponsesof273healthcarecybersecurityprofessionals.Theseprofessionalshadatleastsomeresponsibilityforday-to-daycybersecurityoperationsoroversightofthehealthcareorganization’scybersecurityprogram.Respondentswhoindicatedtheydidnothaveanylevelofresponsibilityforeitherday-to-daycybersecurityoperationsoroversightwerenoteligibletotakethesurvey.

Methodology

ThedataforthissurveywascollectedbetweenNovember6andDecember16,2024.Questionsaskedrespondentsabouttheirperspectives,knowledge,andexperiencesoverthepast12months.Forsimplicity,werefertothisdataas"2024"throughoutthisreport.

Similarly,datafromprevioussurveysisidentifiedbytheyearinwhichitwascollected.

Demographics

AsshowninFigure1below,respondentsheldvariousroles,includingexecutivemanagement(50%),non-executivemanagement(37%),andnon-management(13%).ExecutivemanagementincludedindividualsintheC-suite,non-executivemanagementcomprisedseniormanagement,andnon-managementencompassedanalystsandspecialists.

Figure1:RespondentRoles

LevelsofResponsibility

AsshowninFigure2below,respondentsreportedvaryinglevelsofinvolvementintheirorganization'scybersecurityprograms.46%hadprimaryresponsibility,30%sharedresponsibility,and24%wereinvolvedasneededintheday-to-dayoperationsoroversight.

Figure2:RespondentCybersecurityResponsibility

TypesofOrganizationsRepresented

AsshowninFigure3below,respondentsrepresentedadiverserangeoforganizations,includinghealthcareproviders(50%),vendors(18%),consultingfirms(13%),governmententities(8%),andotherorganizations(11%).Otherorganizationsincludedacademicinstitutions,non-profits,payors,andlifesciencescompanies.

Figure3:TypesofOrganizations

EconomicsofHealthcareCybersecurity

Investinginrobustcybersecuritymeasuresisnolongeroptionalforhealthcareorganizations—itisessential.Yet,achievingastrongcybersecurityposturerequiressufficientresources,whichareoftenlimitedbybudgetaryconstraints.ChiefInformationSecurityOfficersandtheirteamsfrequentlyfindthemselvesbalancingtheneedtoaddressevolvingthreatswiththerealityoftightfinancialresources.

Healthcareorganizationswithgreaterfinancialresourcesarebetterequippedtoleveragerobustcybersecuritysolutions.Sufficientcybersecurityfundingenablesorganizationstoaccessadvancedtools,hireskilledpersonnel,andimplementcomprehensivestrategies.

Conversely,limitedbudgetscanposechallenges,makingitmoredifficulttoaddresstheever-evolvingcyberthreatlandscapeeffectively.However,evenwithmodestresources,strategicplanningandprioritizationcanplayacriticalrole.

BudgetsareImproving

OverallITBudgetsareModestlyImproving

Traditionally,healthcareorganizationshavegenerallyallocated6%orlessoftheirITbudgetstocybersecurity,accordingtoaggregatedatafromthe2018to2022and2024HIMSSHealthcareCybersecuritySurveys.SincecybersecuritybudgetsaretypicallycarvedoutofoverallITbudgets,thissurveyexaminedboththeexpectedchangesinoverallITbudgetsfromfiscalyear2024tofiscalyear2025andthecurrentallocationofthosebudgetstocybersecurity.

AsshowninFigure4below,aslightmajorityofrespondents(52%)reportedthattheir

organizations’overallITbudgetswouldincreaseduringthisperiod,while10%indicatedadecrease.28%ofrespondentsreportednochangeintheiroverallITbudgets.TenpercentofrespondentsdidnotknowabouttheanticipatedchangeinITbudgetfrom2024to2025.

Figure4:AnticipatedChangeinITBudget2024to2025

AllocationofcurrentITbudgettocybersecurity

UnderstandinghoworganizationsallocatetheirITbudgetstocybersecurityprovidesvaluableinsightintotheirprioritizationofsecuritymeasures.Variabilityinspendinglevelshighlightsdifferencesinhoworganizationsapproachprotectingtheirsystemsanddata.Thesebudgetarydecisionspresentopportunitiestostrengthendefensesandenhancepreparednessagainstevolvingthreats.

WhenaskedaboutorganizationalallocationofthecurrentITbudgettocybersecurity,20%ofrespondentsindicatedthattheirorganizationhadnospecificcarve-outbutspentmoneyoncybersecurity,asshowninFigure5below.However,19%ofrespondentsreportedtheirorganizationsallocated3-6%oftheoverallITbudgettocybersecurity;14%reported7-10%;7%reported11-14%;9%reportedmorethan14%;and7%reported1-2%.

Onepercentofrespondents—severalvendorsandahealthcareprovider—indicatedtheirorganizationsdonotspendanymoneyoncybersecurity.Notably,23%ofrespondentsdidnotknowwhatpercentageoftheirorganizations’ITbudgetswereallocatedtocybersecurity.

Figure5:PercentofOrganization’sITBudgetSpentonCybersecurity

Comparing2023to2024:CybersecurityBudgetAllocations

Datafromthe2023and2024HIMSSHealthcareCybersecuritySurveysrevealanotableshiftincybersecuritybudgetallocations.Thepercentageoforganizationsallocating3-6%oftheirITbudgetstocybersecurityincreasedfrom13%in2023to18%in2024,whilethoseallocating1-2%decreasedfrom10%to7%,asshownbelowinFigure6.Allocationsbetween7-10%weresimilar,decreasingslightlyfrom15%oforganizationsin2023to14%in2024,whileabove10%droppedsignificantly,from21%oforganizationsin2023to16%in2024,reflectingapossibleredistributionofresourcesormorestrategicspending.

Thepercentageoforganizationswithoutaspecificcarve-outforcybersecurityincreasedslightly,from19%in2023to20%in2024.Additionally,respondentsunawareoftheirorganizations’cybersecuritybudgetallocationsrosefrom19%in2023to23%in2024,pointingtopotentialgapsincommunicationorgovernanceovercybersecurityspending.

Thesefindingssuggestthatorganizationsareoptimizingcybersecurityinvestments,movingtowardmoremoderatebudgetallocations.However,theincreaseinrespondentsunawareoftheirorganizations’cybersecuritybudgetallocationsunderscorestheneedforimprovedcommunicationaroundcybersecuritypriorities.Whileexecutivemanagementrespondentsweregenerallyawareofcybersecuritybudgetallocations,non-managementandnon-executivemanagementrespondentsdemonstratedlimitedawareness,highlightinganopportunityforbetterinformationsharingaboutorganizationalcybersecurityprograms.

Figure6:CybersecurityBudgetAllocation,2023vs.2024

TrendsinCybersecurityBudgetAllocations

Overtheyears,cybersecuritybudgetallocationwithinITbudgetshasshownnotablefluctuations,reflectingchangesinorganizationalprioritiesandresourceallocationstrategies.AsshowninTable1,organizationsreportingnocybersecurityallocationremainedsteadyat1-3%,whileallocationsinthe1-2%rangepeakedat18%in2020butdroppedto7%in2024.Budgetsinthe3-6%rangedippedto13%in2023beforerecoveringto18%in2024,indicatingstabilityinmoderatespending.Allocationsinthe7-10%rangegraduallyincreasedfrom10%in2020to14%in2024,showinggrowinginvestmentinhighercybersecuritybudgets.Budgetsexceeding10%peakedat21%in2023beforefallingto16%in2024,suggestingshiftstowardmorebalancedspending.

Thepercentageofhealthcareorganizationswithflexibleorunspecifiedcybersecuritybudgetsdeclinedfrom26%in2019to20%in2024,reflectingimprovedbudgetingpractices.However,respondentsunawareoftheirorganizations’cybersecuritybudgetsrosefrom18%in2020to23%in2024,highlightingcommunicationgaps.Whilemodestincreasesinhealthcarecybersecuritybudgetsareevident,additionalinvestmentsarecriticaltoaddressgrowingthreats,protectsensitiveassets,andsupportnewtechnologies.Withoutsufficientfunding,organizationsriskdisruptionstopatientcare,lossoftrust,andsignificantfinancialandreputationalharm.

Table1:CybersecurityBudgetAllocation,2019-2024

BudgetAllocation

2019

2020

2021

2023

2024

Noallocation 1%

1%

1%

3%

1%

1-2percent

9%

18%

18%

10%

7%

3-6percent 25%

24%

22%

13%

19%

7-10percent

11%

10%

15%

15%

14%

Morethan10percent 10%

6%

11%

21%

16%

FlexibleAllocation

26%

23%

24%

19%

20%

Don’tKnow 18%

18%

10%

19%

23%

CybersecurityBudgetsProjectedtoRise

Changestocybersecuritybudgetin2025

Anticipatedchangestocybersecuritybudgetsprovideinsightintoorganizations’evolvingprioritiesandstrategies.Withthegrowingcomplexityofcyberthreats,manyorganizationsrecognizetheneedtoadjusttheirspendingtostayahead.Theseshiftshighlightanincreasingfocusonbolsteringdefensesandaddressingemergingrisks.AsshowninFigure7below,amongrespondentswhoreportedaspecificallocationfortheirorganizations’cybersecuritybudgets,aslightmajority(55%)anticipatedanincreasein2025.Only4%expectedadecrease,while21%statedtheirbudgetswouldremainthesame.Notably,20%ofrespondentsindicatedtheydidnotknow.

Figure7:ChangetoCybersecurityBudgetin2025

EffectofCybersecurityBudgetIncreasesin2025

Amongrespondentswhoindicatedthattheircybersecuritybudgetswouldincrease,weaskedwhethertheincreaseenabledtheirorganizationstomakemeaningfulimprovements,suchasinvestinginadditionalstaff,tools,and/orpolicies.AsshowninFigure8,amajority(57%)reportedsignificantimprovementstothetoolstheyuse,47%reportedsignificantimprovementstopolicies,and31%reportedsignificantimprovementstostaff.Notably,34%statedthattheincreaseallowedforonlysomeimprovementsacrossstaff,tools,andpolicies.Threepercentindicatedthattheincreasemerelymaintainedexistingsupportforstaff,tools,andpolicies,and8%ofrespondentsstatedthattheydidnotknow.

Figure8:ImpactofIncreaseinCybersecurityBudgetfor2025

SecurityAwareness

SecurityAwarenessPrograms

Effectivesecurityawarenesstrainingisvitalforhelpingemployeesrecognizeandrespondtocybersecuritythreats.Organizationsuseavarietyofmethodstoengagetheirworkforcesandreinforcekeyconcepts,tailoringtheirapproachestoaddresstheirspecificrisks.Understandingthestrategiesemployedprovidesvaluableinsightintohoworganizationsprioritizeeducationaspartoftheiroveralldefensestrategies.

AsshowninFigure9below,respondentsreportedusingavarietyofmethodsforsecurityawarenesstraining,with73%citingregularemailalertsandcommunications,63%usingsimulatedphishing,49%usinginteractivediscussions,and47%holdingin-personorvirtualworkshops.Incidentresponseexercisesliketabletopswereusedby38%,while10%engagedininteractivegames.Notably,4%reportednotraining,2%wereunawareiftrainingoccurred,and3%usedalternatemethodslikevideo-basedtrainingorcomplianceactivities,whicharenotequivalenttoeffectivecybersecuritytraining.Only40%addressedemergingthreatslikedeepfakes,quishing(QRcodephishing),andsmishing(SMSphishing),highlightingtheneedforcomprehensive,up-to-datetrainingprogramstocounterevolvingthreats.

Organizationsmayneedtodevelopcustomtrainingprogramssinceoff-the-shelfsecurityawarenesstrainingmightnotadequatelyaddressemergingthreats.Tailoredapproachesensurethattrainingisrelevantandcomprehensive,equippingteamstoeffectivelyidentifyandrespondtosophisticatedattacks.

Figure9:MethodsforSecurityAwarenessTraining

Effectivenessofsecurityawarenessprograms

Securityawarenessprogramsareakeyelementoforganizationaldefense,designedtoeducateemployeesonrecognizingandrespondingtopotentialthreats.Ascybersecurityriskscontinuetoevolve,theeffectivenessoftheseprogramsiscriticalinreducingvulnerabilitiesandpreventingincidents.Evaluatinghowwelltheseprogramsperformcanhighlightareasforimprovementandensuretheyremainalignedwiththechangingthreatlandscape.

AsshowninFigure10below,weaskedrespondentswhoseorganizationsconductsecurityawarenessprogramstoassesstheeffectivenessoftheseprograms.Amajority(62%)indicatedtheirprogramsaresomewhateffective,while18%describedthemasveryeffective.Another18%reportedtheirprogramsareonlyslightlyeffective,and2%statedtheyarenoteffectiveatall.Therelativelylowpercentageofrespondentsratingtheirprogramsasveryeffective(18%)suggestsaneedforenhancedstrategies.Itissuggestedthatorganizationsfocusonkeyareasforimprovement,includingaddressingemergingthreatsandmitigatingrisksfromnewandemergingtechnologies.Strengtheningthesesecurityawarenessprogramscouldbetterequiporganizationstostayaheadofevolvingcybersecuritychallengesandbolstertheiroveralldefenses.

Proactivemeasures,suchasgamification,tabletopexercises,andinteractiveworkshops,canhelpeducatetheworkforceaboutbothbasicandadvancedthreats.Theseapproachescanengageemployeeseffectively,fosteringpracticalskillsandawareness.

Socialengineeringremainsadominantattackmethod,makingitcrucialforsecurityawarenessprogramsinhealthcareorganizationstoaddressemergingthreatssuchasdeepfakes(image,audio,video),smishing,andquishing.

Figure10:EffectivenessofSecurityAwarenessTrainingPrograms

SecurityIncidents

SignificantSecurityIncidents

InitialPointsofCompromise

Understandinginitialpointsofcompromiseiskeytoidentifyingvulnerabilitiesandstrengtheningdefensessincetheyoftenserveasgatewaysforattackers.Addressingtheseweaknessescansignificantlyreducetheriskofbreachesandimprovesecurityposture.AsshowninFigure11below,weaskedrespondentstoidentifyinitialpointsofcompromiseforsignificantsecurityincidentsinthepastyear.Generalemailphishing(63%),SMSphishingandtargetedspear-phishing(each34%),businessemailcompromise(31%),phishingwebsites(21%),maliciousads(20%),socialmediaphishing(19%),vishing(voicephishing)(17%),andwhaling(alsoknownasexecutiveimpersonation)(16%),deepfakeimages(6%),audiodeepfakes(4%),videodeepfakes(3%),distributeddenialofservice(DDoS)attacks(3%),andprivacybreaches(3%)werereported.Eightpercentdidnotknow.Eighteenpercentreportednosignificantsecurityincidents,

Figure11:InitialPointsofCompromiseforSignificantSecurityIncidentsinthePast12Months

TestingofIncidentResponsePlans

Regulartestingofincidentresponseplansisessentialtoensureorganizationsarepreparedtohandlecybersecurityincidentseffectively.Tabletopexercisesplayacriticalroleinidentifyinggaps,improvingcoordination,andstrengtheningoverallresponsecapabilities.Understandinghowfrequentlyorganizationsengageintheseexercisesprovidesinsightintotheirlevelofpreparednessandcommitmenttomitigatingpotentialrisks.

Weaskedrespondentswhethertheirorganizationsconducttabletopexercisestotestthecapabilitiesoftheirincidentresponseprograms.AsshowninFigure12below,45%ofrespondentsindicatedthattheirorganizationsdoconducttabletopexercises,while39%reportedtheydonot.Sixteenpercentstatedthattheywereunsurewhethertheirorganizationsconducttabletopexercises.

Thesefindingshighlightamixedlevelofpreparednessamongorganizations,withmanyfailingtotesttheirincidentresponseplansbyusingtabletopexercises.Tabletopexercisesarecriticalforsimulatingvariousscenarios,identifyinggapsinresponsecapabilities,andstrengtheningoverallincidentresponsestrategies.

The16%ofrespondentsunawareofwhethertheirorganizationsconducttheseexercisespointstopotentialgapsincommunicationandparticipation.Thisunderscorestheimportanceofincludingallrelevantstakeholders—regardlessoftheirrole—intabletopexercises.Improvingcommunicationandtransparencyaboutincidentresponseeffortscanhelpensurebroaderorganizationalawarenessandmoreeffectivepreparednessforpotentialincidents.

Figure12:OrganizationsConductingTabletopExercisesforIncidentResponseTesting

StakeholderParticipationinTabletopExercises

Respondentswhoseorganizationsconducttabletopexercisesidentifiedparticipants.Theresultsshowadiverserangeofparticipantsbutalsohighlightgapsinparticipation.AsshowninFigure13below,ITstaff(89%)andcybersecuritystaff(77%)werethemostfrequentlyinvolvedstakeholders,reflectingtheircriticalrolesinmanagingandrespondingtoincidents.Seniormanagementparticipationwasreportedat73%,whileexecutives,includingC-suiteleaders,participatedin58%ofcases,demonstratingrobustlevelofleadershipengagement.

Otherdepartmentswithinhealthcareorganizationswereinvolvedintabletopexercises:

Compliance(48%)

Clinicians(44%)

Informatics(44%)

Humanresources(43%)

Legal(42%)

Accountingandfinance(35%)

Externalparties,suchasvendors(22%)andcontractors(15%),hadlowparticipationrates.Thismaypointtoanareaforimprovement,giventheirpotentialinvolvementwhenincidentsoccur.Additionally,theboardofdirectorsparticipatedinonly21%ofcases,despitetheircriticalroleinoverseeingcybersecurityrisk.Twopercentofrespondentsstatedtheydidnotknowwhichstakeholdersparticipate,whileanother2%reportedthatotherstakeholders,suchasemergencypreparednessprofessionals,wereinvolvedonanadhocbasis.

Figure13:TabletopExerciseParticipants

What’sHappeningwithRansomware

PresentState

Ransomwareattackscontinuetobeasignificantthreat.Oftenstatesponsored,theseattacksarehighlyorganizedandsophisticated.Healthcareorganizationsexperiencedaggressiveattackssinceatleast2018,andthethreatremainsaspersistentasever.

1

Ransomwareleaksitesareprevalent.

2

Healthcareproviders,payors,vendors,andotherentitiesacrossthehealthcareecosystemhavebeentargeted.Ransomwareremainsacriticalissue,highlightingtheneedforrobustdefensesandeffectiveresponsestrategies.

2024RansomwareTrends

Healthcareorganizationsappeartobepreparedtopreventanddefendagainstransomwareattacksin2024.AsshownbelowinFigure14,amajorityofrespondents(74%)indicatedthattheirorganizationshadnotexperiencedransomwareattacksinthepast12months.However,13%reportedthattheirorganizationshadbeentargeted,underscoringtheongoingriskransomwareposestothehealthcareandpublichealthsector.Thirteenpercentofrespondents—primarilyfromnon-executivemanagementandnon-managementroles—statedtheydidnotknowwhethertheirorganizationshadexperiencedsuchanattack.

Figure14:RansomwareAttackin2024

1U.S.DepartmentofHealthandHumanServices.RansomwareTrendsinHealthcare.,https://

/sites/default/files/ransomware-healthcare.pdf.

AccessedJan.242025.2PaloAltoNetworks.Unit42RansomwareLeakSiteDataAnalysis.PaloAltoNetworks,

/unit-42-ransomware-leak-site-data-analysis/.AccessedJan.242025.

RansomwareTrends:2022-2024

Thepercentageofrespondentsreportingthattheirorganizationsexperiencedransomwareattackshasremainedrelativelyconsistentinrecentyears.AsshowninFigure15below,in2024,13%indicatedtheirorganizationshadexperiencedaransomwareattack,slightlyhigherthanthe12%reportedin2023andmatchingthe13%reportedin2022.Similarly,thepercentageofrespondentsreportingnoransomwareattacksremainedsteadyat74%in2024,comparedto75%in2023and78%in2022.Respondentswhodidnotknowwhethertheirorganizationsexperiencedaransomwareattackwere13%ofrespondentsin2023and2024,comparedto9%in2022.

Thesefindingshighlighttheimportanceofimprovingvisibilityandtransparencyregardingransomwareincidents.Evenwhenorganizationsarenotdirectlyimpacted,thepersistentthreatofransomwarenecessitatesconstantvigilance,proactiveplanning,androbustdefensestosafeguardsensitiveassetsandensureoperationalandclinicalcontinuity.

Figure15:RansomwareAttacksfrom2022-2024

ToPayorNottoPay–RansomwarePayments

Ransomwarevictimsfacethetoughdecisionofwhethertopay,basedontheirspecificcircumstances.Amonghealthcareorganizationsvictimizedin2024,62%ofrespondentsreportednotpayingaransom,11%paidtheransom,and27%didnotknow,asshowninFigure16.In2023,30%ofrespondentsstatedthattheirorganizationspaidtheransom,while52%didnot,and18%didnotknow,asshownbelowinFigure17.Payingaransomnotonlyhasthepotentialtoemboldenthreatactorsbutalsoincreasesthelikelihoodofrepeatedtargetingoradditionalattacksonotherhealthcareorganizations.Thereisaneedforbettercoordination,planning,andinformationsharingtoimproveresilience.

Figure16:RansomwarePaymentsin2024

Figure17:RansomwarePaymentsin2023-2024

Proactivevs.ReactiveSecurityMeasures

Organizationsreportedarangeofproactiveandreactivesecuritymeasuresinresponse

toevolvingcyberthreats.AsshownbelowinFigure18,themostcommonactionsincludedimplementingnewsecuritytools(62%)andestablishingnewsecuritypolicies(57%),emphasizingtheimportanceofstrengtheningbothtechnicaldefensesandgovernanceframeworks.

Nearlyhalfofrespondents(49%)reportedenhancingtheirsecurityawarenesstrainingprograms,underliningthecriticalroleofworkforceeducationinrecognizingandmitigatingpotentialthreats.Othersignificantmeasuresincludedupgradinglegacytechnology(43%)andincreasingcybersecuritystaff(30%),bothessentialformaintainingoperationalresilienceinthefaceofsophisticatedattacks.

Asmallerpercentageofrespondentsreportedinvestingincyberliabilityinsurance(16%)orenhancingexistingcoverage(14%),reflectingalesscommonbutstillimportantstrategyformanagingthepotentialfinancialimpactsofcyberincidents.

Whilethesefindingsindicateapredominantlyproactivestanceamonghealthcareorganizations,theyalsohighlightareasforimprovement.Notably,16%ofrespondentsstatedtheywereunawareofwhatmeasureshadbeenimplemented,and3%reportedthatnonewchangesweremade—anapproachthatalignsmorecloselywithreactivesecuritypractices.Additionally,3%focusedsolelyondevicelifecyclemanagement,

which,whileimportant,maynotadequatelyaddressthebroaderrisksposedbytoday’s

evolvingthreatlandscape.

Figure18:Post-RansomwareAttackChanges

FutureState

Ransomwareattacksarelikelytocontinueevolving,withanincreaseinbothfrequencyandsophistication.Emergingtechnologies,suchasartificialintelligenceand,inthefuture,quantumcomputing,areexpectedtoacceleratethistrend.

3

However,greaterinformationsharingwithinandacrossorganizationscanstrengthentheresilienceofthehealthcaresector.

ThedevelopmentofCentralBankDigitalCurrencies(CBDCs),includingthoseintheUnitedStatesandothernations,mayalsohelpmitigatecybersecurityrisks.Byofferingsecure,regulatedalternativestocryptocurrencies,CBDCscouldreducetheappealofuntraceablepaymentsoftenexploitedbyransomwareattackers.Whiletheiradoptionisstilldebated,CBDCshavethepotentialtodisrupttheransomwareecono