Risk management, legacy tech pose major threats to healthcare firms, report finds
Dive Brief:
- More than nine in 10 healthcare organizations experienced a cyberattack last year, and those attacks disrupted patient care at seven in 10 organizations, according to a report released Tuesday by managed security services provider Fortified Health Security.
- Fortified’s report lists the aspects of the NIST Cybersecurity Framework where healthcare organizations have seen the most improvement, as well as areas that continue to pose serious risks.
- The data helps illustrate why hospitals and other healthcare organizations remain top targets for ransomware criminals.
Dive Insight:
With healthcare facilities scrambling to identify and fix their top cyber risks, Fortified’s report provides some indications of where to begin.
According to the report, the five biggest security gaps among healthcare organizations are their lack of unified strategies for managing risks, lax attention to supply-chain vulnerabilities, a focus on installing new technology over maintaining legacy systems, incomplete asset inventories and poor employee training.
Major cyberattacks in recent years have illustrated how these risks are related. Weak supply-chain oversight is a particularly serious problem, given the interconnected nature of the healthcare ecosystem, including hospitals, pharmacies and specialty-care facilities. The 2024 Change Healthcare breach illustrated the industry’s dependence on a handful of obscure but ubiquitous vendors. Outdated asset inventories compound those vulnerabilities, making it more difficult to remediate the damage of a supply-chain attack. And those attacks often target the very legacy technologies that have been neglected in favor of new products.
While securing old systems remains a persistent challenge for healthcare organizations, Fortified also found that it represented the biggest area of improvement over the past year, followed by recovery process improvements, response planning, post-incident communications and threat analysis maturity.
Other areas of improvement included leadership engagement, maturity of risk assessments and identity management. The latter is particularly important given how many attacks begin with stolen or forged credentials.
Fortified’s report is based on its interactions with customers between 2023 and June 2025, including incident engagements and security scores based on the Cybersecurity Framework, according to a spokesperson. Fortified’s customers, all of which are in North America, range from rural community hospitals to large academic medical centers and integrated delivery networks, the spokesperson said.