Healthcare Cybersecurity Gaps Demand Strategic Leadership Action

The latest report from EY, the 2025 U.S. Healthcare Cyber Resilience Survey, reveals a troubling trend in healthcare cybersecurity. Many leaders continue to view cybersecurity merely as a technical issue rather than as a vital component of strategic business functionality. Based on responses from 100 healthcare executives, the survey identifies critical gaps that jeopardize patient care and operational efficiency.

A significant 81% of respondents acknowledged that integrating cybersecurity into the overarching business strategy can help address the persistent challenges faced by healthcare organizations. Despite this awareness, nearly two-thirds of executives indicated that budget constraints and competing priorities hinder their ability to achieve cybersecurity goals. While 65% of those surveyed claimed they have the authority to allocate funds for cybersecurity initiatives, a concerning number still experience moderate to severe cyber incidents.

This discrepancy between decision-making power and the actual outcomes suggests a lack of enduring commitment to cybersecurity investments, particularly when budgets are tightened. Cybersecurity must be aligned with measurable results, such as reduced downtime, enhanced patient safety, and improved financial stability. It is essential to treat cybersecurity as a core enabler of healthcare delivery rather than merely a compliance requirement.

Investment Priorities and Challenges

The survey highlights that 68% of executives plan to invest in Identity and Access Management (IAM) as their top priority for the upcoming fiscal year. Credential theft, inadequate verification processes, and over-provisioned accounts are ongoing issues that healthcare organizations face. As a response, many are conducting audits of privileged accounts and assessing non-human identities, including bots and automated systems, to ensure proper ownership.

For effective management of these complexities, healthcare entities require real-time detection, authentication, and continuous monitoring. Implementing Multi-Factor Authentication (MFA) and lifecycle controls is crucial, particularly for patient portals and clinician access. As healthcare increasingly extends beyond traditional hospital settings, technologies such as remote monitoring, AI-assisted diagnostics, and patient wearables necessitate secure and seamless data exchange.

The findings indicate that cybersecurity teams contribute between 11% and 20% of the value generated by large-scale enterprise initiatives. Health systems that are planning geographic expansion or digital integration must regard cybersecurity capabilities as essential infrastructure. Connecting cybersecurity to strategic initiatives like AI operations or virtual care can shift its perception from a cost center to a value creator, safeguarding patient data and ensuring uninterrupted care delivery.

Workforce Training and Compliance Concerns

While 52% of respondents indicated that training and upskilling personnel are vital for addressing cyber challenges, many still prioritize funding for tools over staffing needs. Human oversight remains crucial for validating and responding to incidents. To develop a sustainable workforce, healthcare leaders must invest in internal training pipelines, establish cross-functional engineering roles, and forge partnerships with managed security providers.

“Healthcare leaders must prioritize workforce cyber training and readiness to unlock the full value of cybersecurity investments, ensuring safe patient care and strengthening system resilience,” stated Nana Ahwoi, EY Americas Consumer and Health Cybersecurity Industry Leader.

Cyber executives expressed concern that compliance-heavy workloads divert attention from meaningful risk reduction. They noted that regulatory processes often lag behind the pace of cyber threats, trapping organizations in a cycle of audits and paperwork. Compliance efforts should align with strategic risk management, unifying overlapping regulatory and contractual requirements to reduce complexity.

Additionally, executives pointed out that legal constraints frequently hinder them from sharing breach insights that could be beneficial to their peers. Greater collaboration and a shared understanding of risk among boards, regulators, and executives could significantly enhance resilience in the healthcare sector.

A substantial portion of damaging incidents in healthcare originates from third-party or fourth-party environments. Vendors that support clinical, administrative, and technical operations have become high-value targets for cybercriminals. The survey revealed that 68% of executives consider enforcing cybersecurity requirements in vendor contracts to be their greatest challenge, with 56% citing regulatory concerns related to third-party security.

Despite these challenges, only 11% of executives ranked vendor and supply chain risk among their top strategic influences for the year. This disconnect leaves healthcare organizations vulnerable, as they remain responsible for assessing the impact of breaches that may originate with vendors while ensuring the continuity of care delivery.

As the healthcare sector navigates an increasingly complex cyber landscape, leadership must shift its approach to view cybersecurity as an integral part of strategic planning and operational execution.