资源描述
2024 HIMSS Healthcare Cybersecurity Survey
Table of Contents
33
2024 HIMSS Healthcare Cybersecurity Survey | © 2025 Healthcare Information and Management Systems Society
Executive Summary 3
Methodology and Demographics 4
Methodology 4
Demographics 4
Levels of Responsibility 5
Types of Organizations Represented 5
Economics of Healthcare Cybersecurity 6
Budgets are Improving 6
Overall IT Budgets are Modestly Improving 6
Allocation of current IT budget to cybersecurity 7
Comparing 2023 to 2024: Cybersecurity Budget Allocations 8
Trends in Cybersecurity Budget Allocations 9
Cybersecurity Budgets Projected to Rise 10
Changes to cybersecurity budget in 2025 10
Effect of Cybersecurity Budget Increases in 2025 11
Security Awareness 12
Security Awareness Programs 12
Effectiveness of security awareness programs 13
Security Incidents 14
Significant Security Incidents 14
Initial Points of Compromise 14
Testing of Incident Response Plans 15
Stakeholder Participation in Tabletop Exercises 16
What’s Happening with Ransomware 17
Present State 17
2024 Ransomware Trends 17
Ransomware Trends: 2022-2024 18
To Pay or Not to Pay – Ransomware Payments 19
Proactive vs. Reactive Security Measures 20
Future State 21
AI Adoption in Healthcare 22
Allowing the Use of AI in Healthcare 22
To Govern or Not: Organizational Approaches to AI 22
AI Technology Use Cases 23
AI Guardrails 24
Approval Process for AI Technology 24
Active Monitoring of AI Technology 25
Acceptable Use Policy for AI Technology 25
Future Concerns Regarding AI 26
Managing Third-Party Risks 27
Third-Party Risk Management Programs 27
Third-Party Security Incidents 28
Impacts of Third-Party Security Incidents 29
Insider Threat Programs 30
Formal Insider Threat Programs 30
Insider Threat and AI 31
Insider Threat Activity Involving Third Parties 32
Conclusion 33
About HIMSS 34
How to Cite this Survey 34
How to Request Additional Information 34
Executive Summary
Cybersecurity Budgets
📈 Investments - Organizations are dedicating more resources to fortify defenses.
📊 Strategic Focus - Budgets are increasingly aligned with critical vulnerabilities.
Security Awareness
📧 Phishing Mitigation - Programs target phishing, the leading attack vector.
🧩 Innovative Training - Gamification and scenario-based training boost engagement.
Security Incidents
🐟 Phishing Dominance - Phishing is the top method of compromise.
💀 AI-Driven Attacks - Deepfakes are an emerging threat.
Ransomware
🛡️ Combatting Ransomware - Ransomware defense continues to be a priority.
❌ Fewer Ransom Payments - Fewer ransomware victims are reporting paying ransom.
Artificial Intelligence
📃 Policy Shortfalls - A lack of formal AI governance increases risk.
🔍 Limited Oversight - There is limited monitoring of AI usage.
Third-Party Risks
🔗 Third-Party Incidents - Significant incidents involving third-parties are notable.
⚡ Impacts - Third-party incidents cause disruption and other impacts.
Insider Threats
📋 Formal Programs - Formal programs are needed to manage insider threats.
Methodology and Demographics
The 2024 HIMSS Healthcare Cybersecurity Survey reflects the responses of 273 healthcare cybersecurity professionals. These professionals had at least some responsibility for day-to- day cybersecurity operations or oversight of the healthcare organization’s cybersecurity program. Respondents who indicated they did not have any level of responsibility for either day-to-day cybersecurity operations or oversight were not eligible to take the survey.
Methodology
The data for this survey was collected between November 6 and December 16, 2024. Questions asked respondents about their perspectives, knowledge, and experiences over the past 12 months. For simplicity, we refer to this data as "2024" throughout this report.
Similarly, data from previous surveys is identified by the year in which it was collected .
Demographics
As shown in Figure 1 below, respondents held various roles, including executive management (50%), non-executive management (37%), and non-management (13%). Executive management included individuals in the C-suite, non-executive management comprised senior management, and non-management encompassed analysts and specialists.
Figure 1: Respondent Roles
Levels of Responsibility
As shown in Figure 2 below, respondents reported varying levels of involvement in their organization's cybersecurity programs. 46% had primary responsibility, 30% shared responsibility, and 24% were involved as needed in the day-to-day operations or oversight.
Figure 2: Respondent Cybersecurity Responsibility
Types of Organizations Represented
As shown in Figure 3 below, respondents represented a diverse range of organizations, including healthcare providers (50%), vendors (18%), consulting firms (13%), government entities (8%), and other organizations (11%). Other organizations included academic institutions, non-profits, payors, and life sciences companies.
Figure 3: Types of Organizations
Economics of Healthcare Cybersecurity
Investing in robust cybersecurity measures is no longer optional for healthcare organizations — it is essential. Yet, achieving a strong cybersecurity posture requires sufficient resources, which are often limited by budgetary constraints. Chief Information Security Officers and their teams frequently find themselves balancing the need to address evolving threats with the reality of tight financial resources.
Healthcare organizations with greater financial resources are better equipped to leverage robust cybersecurity solutions. Sufficient cybersecurity funding enables organizations to access advanced tools, hire skilled personnel, and implement comprehensive strategies.
Conversely, limited budgets can pose challenges, making it more difficult to address the ever-evolving cyber threat landscape effectively. However, even with modest resources, strategic planning and prioritization can play a critical role.
Budgets are Improving
Overall IT Budgets are Modestly Improving
Traditionally, healthcare organizations have generally allocated 6% or less of their IT budgets to cybersecurity, according to aggregate data from the 2018 to 2022 and 2024 HIMSS Healthcare Cybersecurity Surveys. Since cybersecurity budgets are typically carved out of overall IT budgets, this survey examined both the expected changes in overall IT budgets from fiscal year 2024 to fiscal year 2025 and the current allocation of those budgets to cybersecurity.
As shown in Figure 4 below, a slight majority of respondents (52%) reported that their
organizations’ overall IT budgets would increase during this period, while 10% indicated a decrease. 28% of respondents reported no change in their overall IT budgets. Ten percent of respondents did not know about the anticipated change in IT budget from 2024 to 2025.
Figure 4: Anticipated Change in IT Budget 2024 to 2025
Allocation of current IT budget to cybersecurity
Understanding how organizations allocate their IT budgets to cybersecurity provides valuable insight into their prioritization of security measures. Variability in spending levels highlights differences in how organizations approach protecting their system s and data. These budgetary decisions present opportunities to strengthen defenses and enhance preparedness against evolving threats.
When asked about organizational allocation of the current IT budget to cybersecurity, 20% of respondents indicated that their organization had no specific carve-out but spent money on cybersecurity, as shown in Figure 5 below. However, 19% of respondents reported their organizations allocated 3-6% of the overall IT budget to cybersecurity; 14% reported 7-10%; 7% reported 11-14%; 9% reported more than 14%; and 7% reported 1-2%.
One percent of respondents — several vendors and a healthcare provider — indicated their organizations do not spend any money on cybersecurity. Notably, 23% of respondents did not know what percentage of their organizations’ IT budgets were allocated to cybersecurity.
Figure 5: Percent of Organization’s IT Budget Spent on Cybersecurity
Comparing 2023 to 2024: Cybersecurity Budget Allocations
Data from the 2023 and 2024 HIMSS Healthcare Cybersecurity Surveys reveal a notable shift in cybersecurity budget allocations. The percentage of organizations allocating 3-6% of their IT budgets to cybersecurity increased from 13% in 2023 to 18% in 2024, while those allocating 1-2% decreased from 10% to 7%, as shown below in Figure 6. Allocations between 7-10% were similar, decreasing slightly from 15% of organizations in 2023 to 14% in 2024, while above 10% dropped significantly, from 21% of organizations in 2023 to 16% in 2024, reflecting a possible redistribution of resources or more strategic spending.
The percentage of organizations without a specific carve-out for cybersecurity increased slightly, from 19% in 2023 to 20% in 2024. Additionally, respondents unaware of their organizations’ cybersecurity budget allocations rose from 19% in 2023 to 23% in 2024, pointing to potential gaps in communication or governance over cybersecurity spending.
These findings suggest that organizations are optimizing cybersecurity investments, moving toward more moderate budget allocations. However, the increase in respondents unaware of their organizations’ cybersecurity budget allocations underscores the need for improved communication around cybersecurity priorities. While executive management respondents were generally aware of cybersecurity budget allocations, non -management and non-executive management respondents demonstrated limited awareness, highlighting an opportunity for better information sharing about organizational cybersecurity programs.
Figure 6: Cybersecurity Budget Allocation, 2023 vs. 2024
Trends in Cybersecurity Budget Allocations
Over the years, cybersecurity budget allocation within IT budgets has shown notable fluctuations, reflecting changes in organizational priorities and resource allocation strategies. As shown in Table 1, organizations reporting no cybersecurity allocation remained steady at 1-3%, while allocations in the 1-2% range peaked at 18% in 2020 but dropped to 7% in 2024. Budgets in the 3 -6% range dipped to 13% in 2023 before recovering to 18% in 2024, indicating stability in moderate spending. Allocations in the 7 -10% range gradually increased from 10% in 2020 to 14% in 2024, showing growin g investment in higher cybersecurity budgets. Budgets exceeding 10% peaked at 21% in 2023 before falling to 16% in 2024, suggesting shifts toward more balanced spending.
The percentage of healthcare organizations with flexible or unspecified cybersecurity budgets declined from 26% in 2019 to 20% in 2024, reflecting improved budgeting practices. However, respondents unaware of their organizations’ cybersecurity budgets rose from 18% in 2020 to 23% in 2024, highlighting communication gaps. While modest increases in healthcare cybersecurity budgets are evident, additional investments are critical to address growing threats, protect sensitive assets, and support new technologies. Without sufficient funding, organizations risk disruptions to patient care, loss of trust, and significant financial and reputational harm.
Table 1: Cybersecurity Budget Allocation, 2019-2024
Budget Allocation
2019
2020
2021
2023
2024
No allocation 1%
1%
1%
3%
1%
1-2 percent
9%
18%
18%
10%
7%
3-6 percent 25%
24%
22%
13%
19%
7-10 percent
11%
10%
15%
15%
14%
More than 10 percent 10%
6%
11%
21%
16%
Flexible Allocation
26%
23%
24%
19%
20%
Don’t Know 18%
18%
10%
19%
23%
Cybersecurity Budgets Projected to Rise
Changes to cybersecurity budget in 2025
Anticipated changes to cybersecurity budgets provide insight into organizations’ evolving priorities and strategies. With the growing complexity of cyber threats, many organizations recognize the need to adjust their spending to stay ahead. These shifts hi ghlight an increasing focus on bolstering defenses and addressing emerging risks. As shown in Figure 7 below, among respondents who reported a specific allocation for their organizations ’ cybersecurity budgets, a slight majority (55%) anticipated an increase in 2025. Only 4% expected a decrease, while 21% stated their budgets would remain the same. Notably, 20% of respondents indicated they did not know.
Figure 7: Change to Cybersecurity Budget in 2025
Effect of Cybersecurity Budget Increases in 2025
Among respondents who indicated that their cybersecurity budgets would increase, we asked whether the increase enabled their organizations to make meaningful improvements, such as investing in additional staff, tools, and/or policies. As shown in Figure 8, a majority (57%) reported significant improvements to the tools they use, 47% reported significant improvements to policies, and 31% reported significant improvements to staff. Notably, 34% stated that the increase allowed for only some improvements across staff, tools, and policies. Three percent indicated that the increase merely maintained existing support for staff, tools, and policies, and 8% of respondents stated that they did not know.
Figure 8: Impact of Increase in Cybersecurity Budget for 2025
Security Awareness
Security Awareness Programs
Effective security awareness training is vital for helping employees recognize and respond to cybersecurity threats. Organizations use a variety of methods to engage their workforces and reinforce key concepts, tailoring their approaches to address their specific risks. Understanding the strategies employed provides valuable insight into how organizations prioritize education as part of their overall defense strategies.
As shown in Figure 9 below, respondents reported using a variety of methods for security awareness training, with 73% citing regular email alerts and communications, 63% using simulated phishing, 49% using interactive discussions, and 47% holding in -person or virtual workshops. Incident response exercises like tabletops were used by 38%, while 10% engaged in interactive games. Notably, 4% reported no training, 2% were unaware if training occurred, and 3% used alternate methods like video-based training or compliance activities, which are not equivalent to effective cybersecurity training. Only 40% addressed emerging threats like deepfakes, quishing (QR code phishing), and smishing (SMS phishing), highlighting the need for comprehensive, up-to-date training programs to counter evolving threats.
Organizations may need to develop custom training programs since off-the-shelf security awareness training might not adequately address emerging threats. Tailored approaches ensure that training is relevant and comprehensive, equipping teams to effectively identify and respond to sophist
展开阅读全文
浙ICP备2021020529号-1 | 浙B2-20240490 
