As Ransomware Attacks Surge, Healthcare Must Look Beyond Compliance to Establish a Cyber Risk Mindset
Summary: The U.S. healthcare sector faces a serious cybersecurity threat. The 2024 Change Healthcare incident exposed a large number of patient records and caused nationwide operational disruption. Data shows ransomware attacks surged 32%, and related insurance claims now average $2 million. Compliance measures are not enough to ensure security; risk management must be strengthened to meet increasingly complex threats.

2026-1-6 16:6:42 Author: securityboulevard.com

The February 2024 Change Healthcare incident exposed 190 million patient records and disrupted healthcare operations nationwide, but it highlighted something far more concerning: the U.S. healthcare sector faces an unprecedented cybersecurity crisis. Healthcare is now the third most-targeted sector, experiencing a 32% surge in ransomware attacks last year. Cyber insurance claims tied to these incidents in healthcare are also becoming more severe. While we are still gathering data for the first half of 2025, early Resilience claims data is pointing upward with the average severity of cyber insurance claims topping $2 million, compared to an average of $800,000 in 2024.

Compliance Isn’t Security

Despite these major incidents making global headlines, there is still a clear gap between the sector’s own perceived cyber risk and the reality of its situation. More than half (52%) of healthcare leaders believe a fatal cyberattack is inevitable within five years, but only 33% of leaders list it as a primary concern for their business. The reality is that healthcare faces a perfect storm of cyber risk. Healthcare organizations host complex systems that can be hard to protect, and high-value patient data that attracts attackers. Their cybersecurity strategy overindexes on security compliance checklists that don’t actually keep organizations safe. This combination creates an environment that attackers can take advantage of.

As threats evolve and attacks become more frequent and harder to fight, reactive approaches and meeting compliance requirements cannot be considered effective on their own. While regulatory measures like HIPAA established baseline privacy protections, they weren’t designed for modern cyber threats.

Simply put, compliance is no longer a measure of security. Organizations must go beyond baseline requirements and manage their risk proactively, or they will remain vulnerable.

Effective healthcare cybersecurity takes many forms, but it should always require quantifying cyber risk strategically, rather than checking boxes using static measures of effectiveness. This type of approach moves security discussions from technical justifications and a checklist mentality to thoughtful investment decisions based on material risk. For example, understanding that a specific vulnerability could lead to a $5 million loss and a stall in a critical patient service can easily make the case for an investment in a system or process to ensure it is secure or backed up.

Reducing Risk Where It Matters Most

Cybersecurity investments should be evaluated based on their actual risk reduction, no matter how large or small a security budget might be. We often see healthcare organizations make meaningful improvements to their risk posture by focusing on comprehensive backup procedures for imaging files and databases, rigorous training to prevent human error, managing vendor risk, and quantifying cyber risk in financial terms.

Ensuring all critical systems and data are included in backup procedures is key to keeping essential operations running in case of an attack. These systems should be regularly tested to validate recovery capabilities and timeframes under realistic attack scenarios where primary systems are compromised. Human error, a significant vulnerability, should be mitigated through rigorous training programs that focus on identifying phishing and social engineering attempts and emphasize proper data handling to prevent accidental exposure of patient information.

Beyond internal measures, vendor risk management is crucial. Vendor-related vulnerabilities, exemplified by the Change Healthcare incident, represent a growing attack surface. Healthcare providers must continuously monitor the security of third-party vendors, as a single compromise can have a cascading effect across multiple organizations.

Building Cyber Resilience in Healthcare

While there is no one-size-fits-all approach for cybersecurity, organizations should adopt methods to quantify cyber risks based on their security profile and the crucial parts of their operation that must stay online to keep patients safe. This allows leadership to make data-driven investment decisions based on their own organization’s actual risk reduction. All these elements feed into a strong security plan that is regularly tested and accounts for the unique challenges of healthcare, such as patient safety and regulatory notification requirements.
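The quantification argument made above and in the earlier "$5 million loss" example can be shown concretely. The following is an added illustration written for this page, not code or a model from the article or from any insurer: a plain annualized loss expectancy (ALE) calculation that ranks candidate controls by expected risk reduction per dollar. Every scenario, probability, loss figure, control cost and control effect in it is constructed for illustration (the only deliberate anchor is a scenario whose single-event loss is $5 million with a stalled patient service, matching the article's example); the dataclass and function names are this example's own.

```python
"""Added example: ranking security investments by quantified risk reduction.

Model (a standard ALE approach, not the article's own method):
    single_loss = direct loss + hours of critical-service downtime * hourly cost
    ALE         = annual probability * single_loss
All numbers below are constructed for illustration only.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float    # likelihood the event occurs in a given year
    direct_loss: float           # response, recovery, legal and notification costs
    downtime_hours: float        # hours a critical patient service is stalled
    hourly_downtime_cost: float  # cost per hour of that service being offline

    def single_loss(self) -> float:
        """Loss if the event happens once: direct cost plus downtime cost."""
        return self.direct_loss + self.downtime_hours * self.hourly_downtime_cost

    def ale(self) -> float:
        """Annualized loss expectancy: probability-weighted single loss."""
        return self.annual_probability * self.single_loss()


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # scenario name -> (fractional cut in probability, fractional cut in downtime)
    effects: Dict[str, Tuple[float, float]]


def residual_ale(scenarios: List[Scenario], control: Control) -> float:
    """Total ALE across all scenarios after applying one control's effects."""
    total = 0.0
    for s in scenarios:
        prob_cut, downtime_cut = control.effects.get(s.name, (0.0, 0.0))
        mitigated = replace(
            s,
            annual_probability=s.annual_probability * (1.0 - prob_cut),
            downtime_hours=s.downtime_hours * (1.0 - downtime_cut),
        )
        total += mitigated.ale()
    return total


def rank_controls(scenarios: List[Scenario], controls: List[Control]):
    """Return (baseline ALE, controls sorted by risk reduction per dollar)."""
    baseline = sum(s.ale() for s in scenarios)
    rows = []
    for c in controls:
        reduction = baseline - residual_ale(scenarios, c)
        rows.append({
            "control": c.name,
            "annual_cost": c.annual_cost,
            "risk_reduction": reduction,
            "reduction_per_dollar": reduction / c.annual_cost,
        })
    rows.sort(key=lambda r: r["reduction_per_dollar"], reverse=True)
    return baseline, rows


# Constructed scenarios (hypothetical figures). The first one is the article's
# "$5M loss plus a stalled critical patient service" case: $2M direct cost plus
# 120 hours of imaging downtime at $25,000/hour.
CONSTRUCTED_SCENARIOS = [
    Scenario("ransomware_imaging", 0.15, 2_000_000, 120, 25_000),
    Scenario("vendor_breach", 0.10, 1_500_000, 48, 10_000),
    Scenario("phishing_data_exposure", 0.30, 400_000, 0, 0),
]

# Constructed controls (hypothetical costs and effects).
CONSTRUCTED_CONTROLS = [
    Control("tested_immutable_backups", 150_000,
            {"ransomware_imaging": (0.0, 0.75), "vendor_breach": (0.0, 0.5)}),
    Control("phishing_training", 60_000,
            {"ransomware_imaging": (0.3, 0.0), "phishing_data_exposure": (0.5, 0.0)}),
    Control("vendor_monitoring", 120_000,
            {"vendor_breach": (0.4, 0.25)}),
]

if __name__ == "__main__":
    baseline, ranked = rank_controls(CONSTRUCTED_SCENARIOS, CONSTRUCTED_CONTROLS)
    print(f"Baseline annual expected loss: ${baseline:,.0f}")
    for r in ranked:
        print(f"{r['control']:<26} cost ${r['annual_cost']:>9,.0f}  "
              f"reduces ALE by ${r['risk_reduction']:>9,.0f}  "
              f"(${r['reduction_per_dollar']:.2f} per $1)")
```

The point of the ranking is the one the article makes: a control is justified by the material risk it removes, not by a checklist line it satisfies. In this constructed data the cheapest control (training) removes the most expected loss per dollar, while the backup investment removes the most loss in absolute terms because it directly shortens the downtime of the critical service; a budget discussion can then be had in the same financial units as the rest of the business.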

Healthcare stands at a critical juncture. The Change Healthcare incident last year revealed how security challenges are growing more complex by the week. A change is needed in healthcare to stay ahead. Compliance is the first step in the journey to cyber resilience, not the destination.


Source: https://securityboulevard.com/2026/01/as-ransomware-attacks-surge-healthcare-must-look-beyond-compliance-to-establish-a-cyber-risk-mindset/