Friday, February 21, 2025

Elevating Healthcare Cybersecurity: Strategic Frameworks for Impactful Protection


Analysis of Cyberattacks on the Healthcare Industry

Cyberattacks on the healthcare industry have been on the rise. Worldwide ransomware incidents have steadily increased year over year and nearly doubled in 2023 compared with 2022. In the United States, attacks rose 128 percent between those two years. The outages that result from these attacks can have severe, long-lasting effects on health systems and patients. Globally, healthcare provider organizations incur the highest cost for data breaches of any industry, averaging $9.8 million per incident—more than 1.5 times the financial-services industry’s $6.1 million, according to IBM’s Cost of a data breach report 2024. Beyond financial losses, cyberattacks can also disrupt patient care. In 2023, 12 percent of surveyed healthcare organizations that had experienced a cyberattack by email reported an increase in mortality, up from 21 percent in 2022. Also, 71 percent reported poor patient outcomes because of delays in procedures and tests, compared with 60 percent the prior year.

Challenges Faced by Healthcare Organizations

Underinvestment in technology and infrastructure

The escalating severity, sophistication, and frequency of outages are threatening to outpace healthcare organizations’ cybersecurity and resiliency spend. In 2023, healthcare organizations spent, on average, 7 percent of their IT budgets on cybersecurity, according to McKinsey analysis. And in a 2023 survey, 47 percent of respondents said they don’t have enough budget for an effective cybersecurity strategy. With inadequate investment, many providers’ software, firmware, and hardware are at risk of becoming incompatible, fallible, insufficient, or obsolete. For example, a lack of continued maintenance or investment to upgrade power backup equipment for data centers can result in a catastrophic failure to recover.


The healthcare industry is a huge and growing target for cyberattacks; it has held the number-one position for data breaches from 2019 through 2023. In 2023, there were more than 800 publicly reported compromises (including data breaches, data exposures, and data leaks) at healthcare organizations. While the industry dropped to the number-two spot in 2024—behind financial services, with 536 compromises versus 737 compromises—it still needs to ensure that its tech security investments can keep up with existing and emerging risks.

Strategies for Building Technology Resilience

Solve for journeys and workflows, not applications

To achieve IT resilience, organizations should consider the entire patient journey and clinician workflow, instead of solely remediating individual parts, such as an application or specific infrastructure. For example, consider a patient going through emergency department triage. EHRs are at the core of those protocols and should be resilient; however, several other parts of the tech ecosystem can disrupt the triage process if they are not designed for resilience, such as the identity and access management (IAM) systems that authenticate and authorize the provider employee to access the EHR system, or the printer that prints the wristbands used to admit the patient.


Take a risk-based approach

The investments that providers’ IT departments receive can be prioritized so that areas that have the highest risk exposure or are the most important for patient care and the business are fortified first. Best-in-class organizations typically group clinician workflows and patient journeys into four tiers: mission critical (such as acute-care coordination, records access, and decision-making in intensive-care units), business critical (for instance, patient registration), business operational (for example, clinician credentialing), and administrative (such as payroll processing).
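The two ideas above, modelling a workflow as the full set of components it depends on (EHR, IAM, printer, network, not just the EHR) and ranking hardening work by the four criticality tiers, can be combined into a small prioritization model. The following is an added example, not code or data from the article; the workflows, components, tiers and dependency groups are constructed for illustration. Each workflow lists dependency groups; a group with more than one member represents redundant alternatives, so a workflow needs at least one member of every group. Components are then ranked by the highest tier they support, then by how many workflows they are a single point of failure for, then by total workflows touched.

```python
from collections import defaultdict

# The article's four tiers, most critical first; the list index serves as a rank.
TIERS = ["mission critical", "business critical", "business operational", "administrative"]

# Constructed sample data: each workflow maps to (tier, dependency groups). A group is a
# list of interchangeable components, so the workflow needs at least one member of every group.
WORKFLOWS = {
    "ED triage": ("mission critical",
                  [["EHR"], ["IAM"], ["wristband printer"], ["core network", "backup network"]]),
    "ICU decision support": ("mission critical",
                  [["EHR"], ["IAM"], ["monitoring gateway"], ["core network", "backup network"]]),
    "patient registration": ("business critical",
                  [["registration app"], ["IAM"], ["core network", "backup network"]]),
    "clinician credentialing": ("business operational",
                  [["credentialing app"], ["IAM"]]),
    "payroll": ("administrative", [["payroll app"], ["IAM"]]),
}


def journey_available(workflow, down, workflows=WORKFLOWS):
    """True if every dependency group of the workflow still has at least one member up."""
    _, groups = workflows[workflow]
    return all(any(c not in down for c in group) for group in groups)


def single_points_of_failure(workflow, workflows=WORKFLOWS):
    """Components whose loss alone stops the workflow: sole members of a dependency group."""
    _, groups = workflows[workflow]
    return sorted(group[0] for group in groups if len(group) == 1)


def component_priority(workflows=WORKFLOWS):
    """Rank components for hardening investment, most urgent first.

    Sort key: highest tier of any workflow the component supports, then the number of
    workflows it is a single point of failure for, then total workflows it touches.
    Returns (component, tier, spof_count, affected_count) tuples.
    """
    best_rank, spof, affected = {}, defaultdict(int), defaultdict(int)
    for _name, (tier, groups) in workflows.items():
        rank = TIERS.index(tier)
        for group in groups:
            for comp in group:
                affected[comp] += 1
                best_rank[comp] = min(rank, best_rank.get(comp, rank))
            if len(group) == 1:
                spof[group[0]] += 1
    order = sorted(best_rank, key=lambda c: (best_rank[c], -spof[c], -affected[c], c))
    return [(c, TIERS[best_rank[c]], spof[c], affected[c]) for c in order]


if __name__ == "__main__":
    print("ED triage, core network down:", journey_available("ED triage", {"core network"}))
    print("ED triage, wristband printer down:", journey_available("ED triage", {"wristband printer"}))
    print("Single points of failure for ED triage:", single_points_of_failure("ED triage"))
    for row in component_priority():
        print("%-20s %-22s SPOF in %d workflow(s), used by %d" % row)
```

In the constructed data the IAM system ranks first because every workflow, including both mission-critical ones, has no alternative to it, while the core network ranks below the unredundant wristband printer: a failed network falls over to the backup, but the printer alone halts emergency triage. That is the kind of result a workflow-level view surfaces and an application-by-application review misses.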

Conclusion

With cyberthreats increasing, and with growing concerns about outages from natural disasters, provider organizations cannot afford to put off assessing and strengthening their technology resilience. They will need to establish a culture that makes business continuity a central consideration, because outages are disruptive to their core goal of delivering patient care. To ingrain business continuity in the organization’s DNA, leaders (both business and IT) should consistently and comprehensively test and build capabilities via simulations and disaster recovery drills. As with many types of protection, it’s not only “you get what you pay for” but also “you get what you prepare for.”
