Hospitals are running out of excuses for weak cyber hygiene

Healthcare leaders continue to treat cybersecurity as a technical safeguard instead of a strategic business function, according to the 2025 US Healthcare Cyber Resilience Survey by EY. The study, based on responses from 100 healthcare executives, outlines six areas where hospitals and health systems must act to close resilience gaps that threaten patient care and operations.


Cybersecurity as a business driver

81% of respondents said that prioritizing cybersecurity within the business strategy helps overcome challenges. Nearly two-thirds cited budget limits or competing priorities as the main barriers to meeting their goals.

While 65% of executives said they have the authority to allocate funds, many still face moderate to severe cyber incidents. The gap between decision-making power and outcomes points to a lack of sustained commitment once budgets tighten.

Cybersecurity should link directly to measurable results such as reduced downtime, improved patient safety and financial stability. It must be treated as a core enabler of healthcare delivery, not a compliance task.

IAM tops spending priorities

68% of respondents identified IAM as their top investment area for the next fiscal year. Executives cited credential theft, weak verification and over-provisioned accounts as ongoing problems. They are auditing privileged accounts and reviewing non-human identities, including bots and automated systems, to assign ownership.

Healthcare organizations need real-time detection, authentication and continuous monitoring to manage this complexity. MFA and lifecycle controls are essential, especially for patient portals and clinician access.

Cybersecurity as an enabler of innovation

Healthcare is moving beyond hospital walls, and technologies like remote monitoring, AI-assisted diagnostics, and patient wearables now depend on secure, seamless data exchange.

Findings show that cybersecurity teams contribute between 11% and 20% of the value generated by large-scale enterprise initiatives. Health systems planning geographic expansion or digital integration must treat cyber capabilities as core infrastructure.

Linking cybersecurity to strategic initiatives such as AI operations or virtual care can shift its perception from cost center to value creator. Secure systems protect not only patient data but also the ability to deliver uninterrupted care.

Building a sustainable cyber workforce

While 52% of respondents said that training and upskilling personnel help address cyber challenges, many still prioritize funding tools over staffing. Human oversight remains critical for validation and incident response.

To build a sustainable workforce, healthcare leaders will need internal training pipelines, cross-functional engineering roles and partnerships with managed security providers.

“Healthcare leaders must prioritize workforce cyber training and readiness to unlock the full value of cybersecurity investments, ensuring safe patient care and strengthening system resilience,” said Nana Ahwoi, EY Americas Consumer and Health Cybersecurity Industry Leader.

Compliance burden limits strategic progress

Cyber executives in the study expressed concern that compliance-heavy workloads divert focus from meaningful risk reduction. They said that regulators move slower than attackers, leaving organizations trapped in a cycle of audits and paperwork.

Compliance should align with strategic risk management, unifying overlapping regulatory and contractual requirements to reduce complexity.

Executives also said legal constraints often prevent them from sharing breach insights that could benefit peers. Greater collaboration and shared understanding of risk across boards, regulators and executives would improve resilience.

Third-party and supply chain risks are rising

Many damaging incidents in healthcare originate in third-party or fourth-party environments. Vendors that support clinical, administrative and technical operations have become high-value targets.

68% of respondents said enforcing cybersecurity requirements in vendor contracts is their top challenge, and 56% cited regulatory concerns tied to third-party security.

Despite this, only 11% of executives ranked vendor and supply chain risk among their top strategic influences for the year. This disconnect leaves organizations exposed. Even when a breach starts with a vendor, the healthcare provider remains responsible for assessing its impact and maintaining care delivery.
