HIMSS Cybersecurity: Latest Trends, Survey Insights & Best Practices

Healthcare continues to modernize care delivery while defending high-value clinical systems and protected health information. Drawing on HIMSS Cybersecurity survey insights, this guide distills what leaders are prioritizing now and how you can translate those trends into practical steps—covering cybersecurity budget allocation, insider threat mitigation, third-party vendor risk, AI technology governance, ransomware defense strategies, legacy system vulnerabilities, and cybersecurity program assessment.

Cybersecurity Budget Trends

Where budgets are moving

Budgets are shifting from pure perimeter tools toward identity-first security, endpoint detection and response, email and web threat protection, and cloud posture management. Organizations also earmark funds for incident response readiness, immutable backups, and third-party risk oversight as supply-chain exposures rise. Medical device and OT network protections are gaining line items as care delivery increasingly depends on connected equipment.

Effective cybersecurity budget allocation

• Identity security: enterprise-wide MFA, phishing-resistant authentication, privileged access management, and continuous access reviews.
• Endpoint and workload protection: EDR/XDR, disk encryption, application control, and hardening baselines for servers, VDI, and clinical workstations.
• Network safeguards: segmentation and microsegmentation, secure remote access, DNS security, and east–west traffic controls.
• Cloud and data security: cloud security posture management, key management, tokenization, and data loss prevention tuned for PHI.
• Resilience: offline/immutable backups, tested recovery procedures, and tabletop exercises for clinical downtime.
• Governance and assurance: risk registers, third-party due diligence, and continuous monitoring to reduce third-party vendor risk.

Making the business case

Link each request to operational risk and patient safety. Quantify downtime impact on admissions, OR schedules, and revenue cycle. Show how controls reduce the likelihood and blast radius of incidents, and align spend to regulatory expectations and insurance requirements. Phase investments to deliver early, visible wins while building toward zero trust.

Metrics that demonstrate value

• Mean time to detect/contain and mean time to recover from security events.
• Phishing resilience rate, MFA coverage, and privileged account reduction.
• Patch and vulnerability SLA compliance for internet-facing assets and critical systems.
• Backup success rate and time-to-restore for Tier 0 and EHR components.
• Third-party risk closure rates and findings aging.

Insider Threat Programs

Program foundations

Build a cross-functional program with Security, Privacy, HR, Legal, Clinical Operations, and Compliance. Define acceptable use, data handling, and sanctions. Establish joiner–mover–leaver processes so access reflects current roles and rapidly revokes when employment status changes.

Insider threat mitigation controls

• Least-privilege access with role-based entitlements, just-in-time elevation, and session recording for high-risk tasks.
• Data protections: DLP, encryption at rest/in transit, watermarking for exports, and contextual controls in collaboration tools.
• User and entity behavior analytics to baseline normal activity and surface anomalous data access, printing, or exfiltration.
• Segmentation that prevents broad lateral movement from a single compromised account or workstation.

Detection and response playbooks

Codify triage for anomalous access, mass downloads, or unusual after-hours activity. Automate containment steps—temporary account disablement, token revocation, and device isolation—while preserving evidence. Coordinate with HR and Privacy for fair investigations and regulatory notifications when PHI is at risk.

Culture and privacy

Pair monitoring with transparent communication about what is observed and why. Reinforce secure habits through role-specific training and simulated scenarios in clinical and back-office settings. Measure maturity via reduced high-risk behaviors, faster incident handling, and improved user report quality.

Third-Party Risk Management

Risk-tiering and due diligence

Inventory vendors and classify them by data sensitivity, criticality to care delivery, connectivity, and blast radius. For higher tiers, require evidence such as independent assessments, penetration testing summaries, secure development practices, and SBOMs for supplied software. Validate HIPAA obligations and limit data sharing to the minimum necessary.

Contracts that reduce exposure

• Security addendum with explicit controls (encryption, MFA, logging, vulnerability management, and breach notification timelines).
• Right-to-audit or attestations, incident cooperation clauses, and requirements for subcontractor flow-down.
• Data handling terms: geographic restrictions, retention and deletion, key management, and secure return/erasure at contract end.

Continuous oversight

Move beyond annual questionnaires. Monitor external attack surface, leaked credentials, certificate hygiene, and exploitable exposures. Track remediation SLAs and age of open findings. For integrated vendors, verify secure connectivity, least-privilege service accounts, and segregation between environments.

Onboarding and offboarding

Standardize provisioning for vendor personnel and service accounts, bind access to tickets or approvals, and enforce time-bound access. At exit, verify credential revocation, data return/erasure, and removal of network tunnels and API keys.

Artificial Intelligence Governance

Establish AI technology governance

Create a multi-disciplinary council to approve AI use cases, assess risk, and set guardrails. Maintain an inventory of AI systems—commercial, open-source, and in-house—and document purpose, data sources, PHI usage, and model lineage. Integrate AI governance with existing risk, privacy, and change-management processes.

Control themes for healthcare AI

• Data minimization and de-identification where feasible; prohibit feeding PHI into unsanctioned tools.
• Security-by-design for model pipelines, including secrets management, dependency hygiene, and environment isolation.
• Bias, safety, and performance testing with human-in-the-loop for clinical decisions; escalation paths for uncertain outputs.
• Auditability and monitoring for model drift, prompt injection, data leakage, and anomalous behavior.

Procurement and vendor assurance

For AI suppliers, require transparency about training data provenance, PHI handling, vulnerability management, and incident response. Ask for evaluation artifacts—threat models, red-team results, and governance documentation—aligned to your risk appetite. Ensure contractual rights to disable or roll back models quickly if safety or privacy concerns arise.

Ransomware Attacks

Why healthcare is targeted

Providers operate time-sensitive, interconnected systems with valuable clinical and financial data. Adversaries exploit operational urgency, legacy platforms, and third-party dependencies to disrupt care and maximize leverage. Business email compromise and credential theft remain common precursors to ransomware deployment.

Ransomware defense strategies

• Backups: follow 3-2-1-1-0 principles (multiple copies, different media, one offline/immutable, routine restore testing with zero errors).
• Identity: MFA everywhere, phishing-resistant methods for admins, PAM, and rapid credential revocation.
• Endpoints and email: EDR with containment, macro and script control, sandboxing, and robust filtering for attachments and links.
• Network: segmentation of EHR, imaging, and OT networks; disable deprecated protocols; limit lateral movement.
• Exposure management: timely patching for internet-facing assets, attack surface monitoring, and hardening standards.
• Preparedness: tabletop exercises, downtime procedures for clinical services, and clear crisis communications.

Response and recovery

At first signs—mass file encryption, anomalous admin activity, or beaconing—execute isolation, cut persistence, and preserve forensics. Coordinate with legal and law enforcement, notify stakeholders per policy, and restore from clean, tested backups. Hunt for initial access vectors and close them before bringing production back online. Capture lessons learned and update playbooks, controls, and vendor requirements.

Legacy Systems

Typical legacy system vulnerabilities

Old operating systems, unpatched applications, unsupported medical devices, and flat networks increase risk. Many assets lack modern authentication, encryption, or secure update mechanisms and cannot be easily replaced due to clinical dependencies or vendor constraints.

Compensating controls that work

• Isolate legacy assets via VLANs or microsegments; restrict protocols and limit access through jump hosts.
• Apply virtual patching with IPS/WAF where code changes are impossible; enforce application allowlisting and device control.
• Implement NAC to verify posture before connecting; prefer read-only integrations and one-way data flows for monitoring.
• Adopt protective monitoring: high-fidelity logging, integrity checks, and anomaly detection focused on critical devices.

Lifecycle and modernization roadmap

Maintain a complete asset inventory with business owners, data classification, and end-of-support dates. Use risk registers and exception processes to document temporary controls and exit plans. Prioritize upgrades based on patient safety impact and external exposure, and embed security requirements in procurements to prevent tomorrow’s legacy debt.

Cybersecurity Confidence

From perception to measurement

Confidence grows when capability and performance are demonstrated. Conduct a cybersecurity program assessment against accepted frameworks to baseline maturity, prioritize gaps, and tie remediation to business outcomes. Refresh the assessment regularly and track progress with objective metrics.

Scorecards and KPIs

• Coverage: MFA, encryption, EDR, network segmentation, and backup immutability across asset classes.
• Effectiveness: phishing failure rate, incident containment times, blocked lateral movement attempts, and vulnerability backlog burn-down.
• Resilience: mean time to restore critical services, results of disaster recovery tests, and frequency of successful tabletop exercises.
• Third-party assurance: proportion of high-risk vendors with current assessments and closed action items.

Independent validation and culture

Use penetration tests, red/purple teaming, and IR retainers to validate readiness. Blend quantitative metrics with qualitative feedback from clinicians and operations to ensure security enables, not impedes, care. Report to leadership in business terms—downtime avoided, regulatory exposure reduced, and patient safety reinforced.

Conclusion

HIMSS Cybersecurity survey insights point to an identity-first, resilience-focused strategy that balances prevention with rapid recovery. By targeting budget to high-impact controls, institutionalizing insider and third-party safeguards, governing AI responsibly, hardening ransomware defenses, and managing legacy risk, you build measurable, durable confidence in your healthcare cybersecurity program.

FAQs.

What are the current cybersecurity budget trends in healthcare?

Budgets increasingly favor identity-first defenses, EDR/XDR, cloud posture management, and resilience investments like immutable backups and tabletop exercises. Leaders also reserve funds for third-party oversight and medical device protections. Effective cybersecurity budget allocation ties each dollar to reduced downtime, lower breach likelihood, and improved patient safety.

How can healthcare organizations manage insider threats effectively?

Start with strong joiner–mover–leaver governance and least-privilege access. Add insider threat mitigation controls such as DLP, UEBA, PAM, encryption, and segmentation. Build clear playbooks for anomalous access, coordinate with HR and Privacy, and foster a transparent culture where clinicians and staff understand monitoring goals and promptly report concerns.

What role does AI governance play in healthcare cybersecurity?

AI technology governance sets the guardrails for safe, compliant use of AI across clinical and operational workflows. It inventories AI systems, restricts PHI exposure, secures model pipelines, requires vendor transparency, and monitors for bias, drift, and data leakage. With clear approvals and human-in-the-loop controls, AI can augment care without expanding risk.

How are ransomware attacks impacting healthcare providers?

Ransomware disrupts patient services, delays procedures, and strains revenue cycle operations. Providers counter with layered ransomware defense strategies—secure, tested backups; MFA and PAM; EDR with rapid containment; segmentation; rigorous patching; and rehearsed downtime procedures. Effective preparation shortens outages and limits clinical impact.