AI Governance Gaps Threaten Healthcare Cybersecurity

The latest Healthcare Cybersecurity Survey Report from the Healthcare Information Management Systems Society (HIMSS) reveals a sector in transition. Healthcare organizations are investing more heavily in security tools, yet the rapid adoption of artificial intelligence is outpacing governance frameworks, leaving critical vulnerabilities exposed. Now in its 16th year, the survey draws on the experiences of 273 professionals with daily cybersecurity responsibilities, offering a detailed view of ransomware trends, budget allocations, and emerging AI-related risks.


“This year’s survey shows that tools alone are not enough – stronger governance is essential, with critical areas including artificial intelligence, insider threat management and third-party risk management,” HIMSS stated. Lee Kim, HIMSS senior principal of cybersecurity and privacy, underscored the urgency: “Money supports security, but without governance, AI-related risks remain unchecked.” She emphasized that these risks extend beyond the healthcare organization itself to contractors, subcontractors, and vendors handling sensitive patient data.

One notable shift is in ransomware response. Fewer victims report paying ransom, a change attributed in part to increased IT security investments. Budget allocations for cybersecurity have risen steadily, with the proportion of organizations dedicating 7% to 10% of IT budgets climbing from 10% in 2020 to 14% in 2024. A slight majority—52%—expect further IT budget growth in 2025, though HIMSS cautions that increases since 2019 remain modest relative to the expanding threat landscape.

AI’s role in healthcare cybersecurity is a double-edged sword. While machine learning offers powerful diagnostic and operational tools, its misuse can enable sophisticated attacks such as deepfakes, AI-driven phishing, and data exfiltration. “Effective AI governance requires appropriate policies, staff and ongoing monitoring to address risks like data leaks, breaches, social engineering – which includes without limitation, deepfakes and AI-driven phishing attacks, insider threats, etc.,” Kim said. Yet the survey found that only 47% of organizations have formal approval processes for AI technologies, 42% operate without such processes, and 11% are unsure. Half of respondents permit only approved AI tools, while 30% allow unrestricted use and 16% prohibit AI entirely. Strikingly, just 1% have taken concrete steps such as developing AI policies or implementing guardrails.

Security tool upgrades emerged as the most tangible benefit of increased budgets. Fifty-seven percent of respondents reported significant improvements to tools, 47% to policies, and 31% to staff capabilities. Workforce challenges, however, persist. Retention, hiring, and upskilling of cybersecurity personnel remain slow due to constrained budgets, a problem consistently highlighted in previous HIMSS surveys. “The weakest link in any security program is the people, which is why education, tools and policies remain the most important lines of defense,” researchers noted.

The survey also points to communication gaps within organizations. Executive managers generally understand cybersecurity budget allocations, but nonmanagement staff often lack visibility, limiting their ability to align daily practices with strategic priorities. This disconnect suggests a need for better information sharing to strengthen organizational resilience.

Phishing remains the most common vector for significant security incidents. To counter it, respondents cite the value of interactive training methods—gamification, tabletop exercises, and workshops—that enhance engagement and retention of threat awareness. Such approaches reflect a broader trend in cybersecurity: integrating human factors into technical defenses.

HIMSS researchers warn that as the threat landscape evolves, vigilance must be paired with adaptability. “As the threat landscape evolves, healthcare organizations must stay vigilant while ensuring cybersecurity enables business and clinical care,” the organization stated. The report frames cybersecurity not merely as a defensive necessity but as an enabler of trust and operational continuity in an increasingly digital healthcare ecosystem.
