The 2025 Travelers Risk Index survey polled healthcare leaders and others about the cyberattacks they suffered, their organization's vulnerability mitigation steps and cyber insurance purchases.
Its findings show that despite deep security concerns for many hospitals and health systems – many of which reported feelings of inadequacy in responding to threats – these concerns didn't always prompt a commensurate increase in preventive activities.
While the majority of healthcare decision-makers Travelers surveyed believe they have adequate cybersecurity controls, barely half (51%) are confident that their organizations have best practices in place to prevent or mitigate a cyber event, according to the new report.
Additional findings show that 62% said their organizations do not have a post-breach team, 51% do not use endpoint detection and response tools, and 46% do not have an incident response plan.
Startlingly, 37% of healthcare organizations do not use multifactor authentication for remote access.
John Menefee, Travelers' enterprise cyber lead, says healthcare organizations are worried that they're neither prepared for the regulatory environment nor able to recover from an attack. And those concerns are only growing, he told Healthcare IT News last week.
"They worry about a system glitch and being the victim of ransomware or other cyber extortion," said Menefee, who spoke with us to offer more insights on cyber incident prevention and some recommendations for actions healthcare organizations should take heading into 2026.
Q. What are the key cybersecurity gaps in 2025, and why do they persist?
A. Healthcare organizations are facing similar challenges to many different industries. Whether it’s a lack of resources, a lack of visibility into their entire IT infrastructure, challenges with prioritization or challenges with attracting and maintaining top IT security staff, it all plays a part.
While more than 80% of healthcare organizations believe having proper cybersecurity controls in place is critical and recognize the damage that cyberattacks can cause, many of them aren’t taking the preventive steps to adequately protect themselves.
The basics we’d like to see more widely implemented include backing up data, regularly changing computer passwords, filtering and scanning email, and keeping software strictly up to date.
Multifactor authentication, another important tool, is also underutilized. This year, only 67% of survey participants from the healthcare industry reported using MFA.
Q. How are healthcare organizations specifically viewing cyber threats this year? What threats, trends and variables are they most concerned about?
A. For the ninth time in the last 10 years of our survey, cyber victimization has increased. More businesses are falling victim to cyber events, with 25% now reporting breaches and 60% of victims being hit multiple times.
We saw a notable increase this year in the percentage of survey respondents from the healthcare space who said that they worry about cyber threats.
Their top concern was a security breach, followed by the potential compromise, theft or loss of control of customer/client records. Several healthcare respondents fear their organizations don’t have an adequate understanding of the legal environment related to privacy laws and new federal cybersecurity regulations.
What makes healthcare unique from other sectors is the complexity of the IT environment and the sensitivity of the data they must protect.
Electronic health record and billing systems, medical devices, interconnected clinical systems and extensive vendor networks combine to create a large and fragmented attack surface. Even fundamental controls like MFA, regular patching and secure backups can be challenging to deploy consistently across these complex environments.
Q. Are healthcare leaders worried about their ability to recover from a security breach? Are more provider organizations – small, medium and large – seeking cybersecurity coverage to aid in recovery?
A. Nearly two-thirds – 64% – of survey participants from the healthcare industry said they worry about their organizations having the necessary resources and know-how to recover from a cyber event.
The vast majority also admitted that having proper cybersecurity controls in place is critical to their organization’s well-being. Yet, the percentage who said their organization has a cyber insurance policy was down from a year ago (70% in 2024 to 65% in 2025).
Q. How can these organizations best mitigate cyber risks and threats on the horizon in 2026?
A. Implementing MFA is key; according to the U.S. Cybersecurity & Infrastructure Security Agency, the use of MFA makes a company 99% less likely to be hacked.
In addition:
- Utilize endpoint detection and response technologies that monitor for anomalous behavior on each system rather than simply searching for malware.
- Back up all important data frequently, regularly and systematically and use firewall protection.
- Put in place a clearly defined, focused and coordinated incident response plan to deal with cyber events, if and when they occur, and to get your organization back to normal as quickly as possible.
- Consider cyber risk insurance coverage.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.