Healthcare organizations are accepting cyber risk to cut costs
Healthcare organizations are cutting cybersecurity budgets under financial pressure even as the threats targeting their systems intensify. A PwC survey of 381 global healthcare executives, conducted between May and July 2025, puts numbers to the gap between the risks the sector faces and the controls it has in place.

Key findings (Source: PwC)
Data protection ranks as the single biggest driver of cybersecurity spending in the sector, yet only 35% of healthcare organizations have implemented data risk controls across the entire data life cycle. The global average across all sectors is 44%.
Cloud, quantum, and connected products top the list of unpreparedness
Healthcare leaders identified cloud-related threats, quantum computing risks, and attacks on connected products as the three threats they feel least prepared to address. The pattern holds across both payers and providers on one side, and pharmaceutical and life sciences companies on the other, with some variation in specifics.
For pharma and life sciences firms, the picture on quantum preparedness is particularly stark. More than half of respondents have not started implementing any quantum-resistant security measures. Only 7% are allocating budget toward quantum readiness in 2026.
Payers and providers: identity fraud and fragmented data environments
Healthcare payers and providers are operating in systems that run across multiple vendors, platforms, and data repositories. That fragmentation creates gaps in security coverage and complicates governance.
The exploitation of unsecured applications and weak identity management has driven up fraud, particularly in online healthcare accounts and incentive programs such as debit cards for preventive care. In response, payers and providers rank data protection and security awareness training among their top investment priorities for the coming year.
Data governance gaps remain widespread. Only 39% of payers and providers have implemented data minimization approaches across their organizations. Only 37% have implemented data controls across the entire data life cycle. Sensitive data, including extracts, spreadsheets, and historical records, often sits in uncontrolled environments outside primary systems, where it is harder to protect and audit.
On the operational technology side, the top challenge for providers is a lack of network segmentation, cited by 50% of respondents. Gaps in OT-specific skills and resources followed at 47%, and a lack of clear governance and responsibility for OT cybersecurity was cited by 45%.
Regulatory requirements are also tightening. In the United States, proposed revisions to the HIPAA security rule would require annual security risk assessments and mandate encryption and multi-factor authentication. India’s Digital Personal Data Protection Act imposes strict compliance requirements for processing health data and obtaining consent.
The financial context is significant. Healthcare costs are running at an estimated $5 trillion annually and growing at nearly 8% per year, driven by higher insurance claims, reduced government funding, increased administrative workload, and chronic and mental health conditions. Some organizations are deliberately accepting greater cybersecurity exposure to avoid upfront spending.
Pharma and life sciences: intellectual property and third-party risk
Pharmaceutical and life sciences companies are most focused on protecting intellectual property. Proprietary formulas, research data, and clinical trial information are high-value targets. Breaches in this space can delay regulatory approvals or clinical trials in addition to causing financial and reputational damage.
Third-party risk is a recurring concern. The sector operates through extensive networks of contract researchers, manufacturers, and vendors. A quarter of pharma leaders surveyed rank third-party breaches among the top three threats their organization is least prepared to address.
Data controls in pharma are incomplete across the board. About half of pharma and life sciences companies surveyed have implemented data classification policies and data loss prevention across key exit channels. Only 33% have implemented controls across the full data life cycle. Just 2% have implemented all eight data risk measures covered in the survey.
Cloud and connected device vulnerabilities also rank high on the list of concerns. Many pharma operations rely on cloud infrastructure to store clinical trial data and automate production lines, making secure-by-design architecture a recurring recommendation for the sector. IT/OT convergence creates additional exposure: attacks on smart manufacturing systems can halt production, disrupt supply chains, and affect drug quality.
Investment patterns and priorities for 2026
Payers and providers plan to increase cyber budgets in 2026, with AI named as the top investment category. Cloud security and threat management follow closely. Only 24% of pharma and life sciences firms are allocating significantly more budget toward proactive measures such as monitoring, testing, training, and governance, compared with reactive measures such as incident response and remediation.