Healthcare breaches double as shadow AI, vendor risks proliferate

Dive Brief:

  • The healthcare sector experienced twice as many breaches in 2025 as it did in 2024, but the number of exposed patient records dropped precipitously, according to a new report from Fortified Health Security.
  • Ransomware attacks and third-party risk are powering the surge in breaches, with many of those intrusions now threatening operations more than data privacy.
  • “The industry has shifted from major, headline events to a more taxing state of constant disruption,” Fortified said in its report.

Dive Insight:

Fortified’s report paints a picture of a healthcare sector that recognizes the risks it faces but isn’t confident in its ability to combat them.

On the issue of third-party risk, for example, only 4% of healthcare organizations expressed high confidence in the adequacy of their vendor risk assessments. Nearly two-thirds said they were somewhat confident, but almost 30% said they weren’t confident at all.

And when it came to incident response, only 6% of organizations said they were very confident that they could quickly identify, contain and recover from an incident. A larger share said they were somewhat confident. Fortified said the data showed “progress without full trust in speed or consistency under pressure.”

Healthcare organizations need to design cybersecurity programs that can withstand the constant staff turnover that characterizes this stressful profession, according to Fortified. Many healthcare organizations rely on veteran staff to explain and implement cybersecurity practices, and when those people leave, they take crucial knowledge with them.

“Programs designed around perfect staffing conditions rarely survive contact with reality,” the report said. “Strong programs do not assume stability. They assume change and plan for it by strengthening the people who stay, preserving institutional knowledge, and ensuring that capability does not disappear when individuals do.”

In addition to building durable programs, Fortified urged healthcare organizations to “operationalize lessons learned” to avoid “fight[ing] the same fires again and again” and improve visibility into overlapping technology stacks. The report noted that healthcare organizations often resist cybersecurity spending because they see it as detracting from patient care: “Each dollar invested in security is a dollar not spent at the bedside.”

Shadow AI threatens healthcare organizations just as it threatens other critical infrastructure. “The adoption of AI tools is happening faster than healthcare organizations can write policies,” Fortified said in its report. But instead of blocking the technology, organizations should “establish visibility frameworks that identify when and where employees are using AI tools, detect large or unusual data uploads, and educate staff on safe prompting techniques that minimize exposure.” To accomplish this, the report said, executives “must treat AI governance as a core business initiative.”
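The visibility framework the report describes has a concrete detection core: know which staff are reaching which AI tools, and notice when an upload to one of them is large in absolute terms or out of character for that user. The script below is an added example written for this article, not code from Fortified or from the report; the proxy log format, the AI-tool host names and the sample log lines are all constructed, and the size thresholds are assumptions a team would tune against its own traffic. It inventories AI-tool usage per user and flags uploads that exceed a fixed size or a per-user median baseline.

```python
"""
Shadow-AI visibility check over web-proxy logs (added example).

Inventories which users reach which AI-tool hosts and flags large or
unusual uploads (request bodies) to those hosts. Every host, user and
log line below is constructed for illustration.
"""
from __future__ import annotations

import re
import statistics
from collections import defaultdict
from dataclasses import dataclass

# Constructed catalogue of AI-tool hosts to watch; a real deployment would
# build this from its own proxy/DNS telemetry and vendor inventory.
AI_TOOL_HOSTS = {
    "chat.example-ai.test",
    "api.example-llm.test",
    "assistant.example-ml.test",
}

# Assumed thresholds: a single upload at or above 1 MiB is always flagged;
# an upload is "unusual" when it exceeds 10x the user's median upload size
# to AI hosts, once at least 3 earlier uploads establish a baseline.
LARGE_UPLOAD_BYTES = 1_048_576
UNUSUAL_MULTIPLIER = 10
MIN_BASELINE_SAMPLES = 3

# Constructed log format: "<ts> <user> <method> <host> <bytes_out>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<bytes_out>\d+)$"
)

@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    host: str
    bytes_out: int
    reason: str  # "large_upload" or "unusual_for_user"

def parse_line(line: str) -> dict | None:
    """Parse one log line; malformed lines return None and are skipped."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec

def analyze(lines) -> tuple[dict[str, set[str]], list[Finding]]:
    """Return (inventory of user -> AI hosts used, list of flagged uploads)."""
    inventory: dict[str, set[str]] = defaultdict(set)
    history: dict[str, list[int]] = defaultdict(list)  # per-user upload sizes
    findings: list[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"] not in AI_TOOL_HOSTS:
            continue
        user, host, size = rec["user"], rec["host"], rec["bytes_out"]
        inventory[user].add(host)  # any contact counts for visibility
        if rec["method"] not in ("POST", "PUT"):
            continue  # only request bodies count as uploads
        baseline = history[user]
        if size >= LARGE_UPLOAD_BYTES:
            findings.append(Finding(rec["ts"], user, host, size, "large_upload"))
        elif (len(baseline) >= MIN_BASELINE_SAMPLES
              and size > UNUSUAL_MULTIPLIER * statistics.median(baseline)):
            findings.append(Finding(rec["ts"], user, host, size, "unusual_for_user"))
        baseline.append(size)  # flagged uploads still extend the baseline
    return dict(inventory), findings

# Constructed sample: alice's fourth prompt is far above her baseline,
# bob pushes a 5 MiB body, carol's upload goes to a non-AI internal host.
SAMPLE_LOG = """\
2025-03-01T09:00:01Z alice POST chat.example-ai.test 1800
2025-03-01T09:05:10Z alice POST chat.example-ai.test 2100
2025-03-01T09:12:43Z alice POST chat.example-ai.test 1950
2025-03-01T09:30:00Z alice POST chat.example-ai.test 96000
2025-03-01T10:02:12Z bob GET assistant.example-ml.test 0
2025-03-01T10:04:55Z bob POST api.example-llm.test 5242880
2025-03-01T10:10:00Z carol POST intranet.example-hospital.test 3000000
this line is malformed
"""

def run_sample() -> tuple[dict[str, set[str]], list[Finding]]:
    return analyze(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    inventory, findings = run_sample()
    for user, hosts in sorted(inventory.items()):
        print(f"{user}: {', '.join(sorted(hosts))}")
    for f in findings:
        print(f"{f.ts} {f.user} -> {f.host} {f.bytes_out} bytes [{f.reason}]")
```

The per-user median baseline is what separates "this user pasted a whole chart into a prompt" from routine prompting; the absolute threshold catches a first-time user with no baseline. On the sample, alice's 96,000-byte upload is flagged as unusual for her, bob's 5 MiB body as a large upload, and carol's upload is ignored because its destination is not an AI tool. In production the inventory output is the starting point for the staff education the report calls for, and the findings feed the same case management used for other data-handling alerts.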


