When I work with healthcare clients, one of the first things I tell them is that I completely understand how difficult it has been to prioritize cybersecurity updates when their values, their mission, and their budgets are entirely focused on serving their patients.
Unfortunately, after a series of ransomware attacks has disrupted hospitals, clinics, long-term care facilities, diagnostic labs, insurers, and pharmacies around the world, it’s increasingly clear in 2025 that cybercriminals won’t shy away from risking lives to make a profit.
Recent Healthcare Cybersecurity Statistics
Following cybersecurity best practices is fundamental in order to provide reliable care. And these recent statistics from the Ponemon Institute paint a grim picture of the catastrophic damage hackers can do to unsecured systems:
- 92% of healthcare organizations experienced a cyberattack in the past 12 months
- The average cost of the single most expensive attack topped $4.7 million
- 31% said careless users caused data loss and exfiltration
Why Is Healthcare a Top Target for Cybersecurity Threats?
Healthcare isn’t the only tempting target for a hacker. K-12 schools and universities are also popular targets. However, healthcare organizations present a perfect “golden triangle” of opportunity for criminals.
Healthcare organizations typically have:
- Highly valuable and private data
- Insufficient cybersecurity and IT staff
- Built-in catastrophic consequences
What Is the Biggest Threat to the Security of Healthcare Data?
Believe it or not, there’s both good and bad news here. The single biggest threat to healthcare data is actually phishing.
Here are the numbers:
- Last year alone, 88% of healthcare workers opened phishing emails
- Over 90% of all cyberattacks against the healthcare industry are phishing scams
The bad news is that simple phishing scams can lead to far more devastating attacks. More than 90% of successful cyberattacks start with a phishing email. The good news? That means the vast majority of cyberattacks are entirely preventable with proper security awareness training.
The Importance of Employee Training
Currently, only 14% of healthcare organizations provide monthly security awareness training. Another 28% offer it only sporadically, and 10% provide none at all. That’s not entirely surprising, as regular and engaging cybersecurity training takes time, and that’s often time a hospital’s short-staffed IT department doesn’t have to give.
Therefore, it should come as no surprise that healthcare organization employees also tend to be some of the most phish-prone.
When employees are offered engaging and regular training, it has proven remarkably effective. However, sending out a memo every now and then isn’t going to cut it; not all training is the same. Our security awareness training partner, KnowBe4, has been able to reduce employees’ phish-prone percentage (PPP) from 34.3% down to 4.6% over the course of a year.
Additional Healthcare Cybersecurity Best Practices
Security awareness training is incredibly important and incredibly effective, but as human beings, we will all still have careless moments from time to time.
If your organization hasn’t kept up with cybersecurity best practices, it’s time to get up to speed. The Cybersecurity and Infrastructure Security Agency (CISA) has put together a variety of helpful cybersecurity resources for healthcare organizations, and I’ve also put together a comprehensive blog on how to use the Center for Internet Security (CIS) cybersecurity controls for organizations of all types and sizes — including midsized to enterprise-scale healthcare organizations.
However, here’s a scaled-down list of must-haves in 2025:
- Require multifactor authentication and strong, unique passwords on all accounts
- Provide regular security awareness training for all employees
- Conduct regular security audits
- Use encryption technology to protect sensitive data
- Secure and regularly patch any and all networked devices, including medical devices and networked printers
- Protect your network from internal as well as external threats
- Don’t overlook physical security
- Conduct regular security tabletop exercises and update your incident response plans accordingly
- Foster a culture of security from the top down
- Perform regular vendor due diligence and end partnerships with vendors that don’t take security seriously
Cybersecurity Advisory Services
In an ideal world, every healthcare organization would have the resources to adopt cybersecurity best practices immediately. But that’s not the world we live in. Chief information security officers (CISOs) can provide expert advice on which updates to prioritize immediately, which can wait, and which tools and services offer the most ROI. Most healthcare organizations would benefit greatly from this type of advanced IT expertise, but it typically comes with a high price tag. Fortunately, many IT providers, including Marco, are now offering fractional CIO and CISO services.
However, if you’d like a few quick answers on where your organization might be falling short, I’d recommend an online resource my team recently put together. It’s an interactive cybersecurity checklist that you can use online or download, and it clarifies where your current cybersecurity posture is sufficient and where additional investments may be needed. Link below!