Proofpoint Cyber Insecurity in Healthcare Report 2025

Cyber insecurity in healthcare 2025: why cyber safety is now patient safety


Four years into our research with the Ponemon Institute, one reality is clearer than ever: cyber threats are no longer just operational concerns. They are clinical risks. 

The 2025 edition of our Cyber Insecurity in Healthcare report captures the state of cyber risk across the U.S. healthcare sector. Based on insights from nearly 700 IT and security professionals, the report reveals a troubling but essential truth: when healthcare organizations are targeted, patient safety is at risk. 

We’ve seen this play out in headlines—delayed treatments, compromised systems, and in some tragic cases, patient harm. For example, the 2024 Change Healthcare breach led to nationwide delays in prescriptions and patient discharges, and a UK cyberattack on pathology services was tied to a documented patient death.

But this year’s data shows just how deeply embedded cyber risk has become in the care delivery model. 

This year’s report uncovers a widespread and persistent onslaught of cyberattacks against healthcare organizations, many of which go far beyond operational disruption. 

What’s particularly concerning is how these attacks impact care quality, patient outcomes, and system resilience. Whether it’s a ransomware attack, a cloud compromise, or a breach in the supply chain, the downstream effects are real and measurable, and they’re increasingly affecting the bedside, not just the back office.

This year, 72% of U.S. healthcare organizations that suffered common cyberattacks—ransomware, cloud compromise, supply chain attacks, and business email compromise (BEC)—reported disruption to patient care. And the downstream effects were sobering: 

  • 54% saw increased complications in medical procedures 
  • 53% reported longer patient stays 
  • 29% experienced increased mortality rates 

It's not just IT’s problem anymore 

What stood out this year is how clearly respondents link cybersecurity failures to clinical consequences. It’s no longer about lost data or downtime; it trickles downstream, resulting in delayed procedures, diverted patients, and even worse outcomes for those receiving care. 

This shift demands a mindset change. Cyber risk is no longer just a technical issue—it’s a clinical one. 

That means cybersecurity isn’t just the responsibility of the CISO or IT team. It’s a concern that is shared by the board and the clinical leadership. It’s an organizational culture issue, and every stakeholder in a healthcare setting now plays a role in mitigating risk. 

The human factor still dominates 

While threat actors are growing more sophisticated, one thing hasn’t changed: people remain the primary vulnerability. 

Our findings this year underscore that insider risk—whether accidental or malicious—is a key driver of incidents. From sending sensitive data to the wrong person to failing to follow basic security protocols, human error continues to jeopardize both data and patient safety. Among the healthcare organizations that experienced at least two data loss incidents in the past two years, more than half said the incidents disrupted patient care. The root causes? Employee negligence, abuse of privileged access, and emails sent to the wrong recipients—all preventable human errors. 

Even with more organizations investing in training and awareness, many programs aren’t driving lasting behavior change. An organization’s security awareness solution needs to help reduce security incidents by cultivating real behavioral change and building a strong security culture. 

The cloud conundrum 

This year also marks a shift in how healthcare is embracing the cloud. More clinical systems are moving to cloud environments, and collaboration tools are now central to how providers work and communicate. 

But this shift comes with risk. Cloud accounts and communication platforms have become prime targets for attackers, and breaches in these tools are increasingly tied to clinical disruption: 

  • 61% of cloud compromise incidents resulted in disrupted patient care 
  • 52% led to longer hospital stays 
  • 36% were linked to increased mortality 

The more connected we become, the more important it is to secure every access point, especially those most used by people. 

What about AI? 

You can’t talk about technology in 2025 without talking about AI. This year’s report explores how healthcare organizations are adopting AI for both security and patient care, and the early results are optimistic but nuanced. More than half of the healthcare organizations polled have embedded AI in either cybersecurity or clinical care systems, and 55% believe AI has improved their cybersecurity posture. 

But AI isn’t a magic wand. It introduces new challenges around data protection, governance, and oversight, especially in environments as sensitive as healthcare. 60% of respondents said protecting the sensitive data used in AI systems is difficult, and many cite interoperability and tool maturity as barriers. 

Done right, AI can be a force multiplier for IT and security teams. But done hastily, it can widen the attack surface and increase the risk of error. 

Cyber safety is patient safety 

If there’s one message we hope readers take away from this year’s research, it’s this: cyber safety is patient safety. 

The threats facing the healthcare industry are evolving, intensifying, and intersecting with every aspect of care delivery. We need to stop thinking of cybersecurity as a compliance exercise or an IT hygiene issue. It’s a patient care imperative. 

Learn more  

Want to learn more about this year’s findings? Download the Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care 2025 report.