
How Ransomware Is Reshaping Hospital IT Budgets

January 18, 2026 · 5 min read · Shane Fredericks

When I was deployed, we operated under a simple assumption: the threat is real, the threat is present, and if you haven't been hit yet, it doesn't mean you're safe. It means you haven't been tested. Hospitals in 2026 should be operating under the same assumption, because the data says they are already under attack.

In 2024, healthcare experienced more combined cyberthreats than any other U.S. critical infrastructure sector, with 238 ransomware incidents and 206 data breaches totaling 444 reported events [1]. The FBI's Internet Crime Complaint Center confirmed that only critical manufacturing had more ransomware incidents, and even that sector had fewer data breaches [1]. Meanwhile, 592 regulatory filings of reported hacks of protected health information were submitted to HHS in 2024, impacting a record 259 million Americans [1].

This is not a trend that is slowing down. It is accelerating, and it is fundamentally changing how hospitals allocate their IT budgets.

The Financial Impact Is No Longer Theoretical

The Sophos "State of Ransomware in Healthcare 2024" report, based on a survey of 402 healthcare organizations across 14 countries, found that 67% of healthcare organizations were hit by ransomware in 2024, up from 60% in 2023 and nearly double the 34% reported in 2021 [2]. The mean recovery cost reached $2.57 million, up from $2.20 million the year before [2]. On average, 58% of computers within affected organizations were impacted, higher than the cross-sector average of 49% [2].

But recovery costs are just the beginning. IBM's 2024 Cost of a Data Breach Report found that healthcare remained the most expensive industry for breaches for the fourteenth consecutive year, averaging $9.77 million per incident [3]. That figure is growing at twice the rate of other industries, rising from $6.5 million in 2019 at an 8.7% compound annual growth rate [4].

The single most devastating example is the Change Healthcare attack in February 2024. A ransomware group known as BlackCat compromised the UnitedHealth Group subsidiary, ultimately exposing the protected health information of 190 million Americans [5]. The American Hospital Association reported that 94% of its member hospitals suffered a financial impact, with more than half describing the impact as "significant or serious" [5]. UnitedHealth Group's projected costs from the incident now exceed $2.4 billion [6].

That is a single attack on a single business associate. And it disrupted virtually every hospital in the country.

Budgets Are Rising, But Not Fast Enough

Hospitals have historically spent 6% or less of their IT budgets on cybersecurity, compared to roughly 15% in the financial sector [7]. That gap has been a known vulnerability for years, and it is finally starting to close, albeit slowly.

The 2024 HIMSS Healthcare Cybersecurity Survey, based on responses from 273 healthcare cybersecurity professionals, found that 55% anticipated cybersecurity budget increases for 2025, while only 4% expected a decrease [8]. About 19% of respondents reported spending 3-6% of their overall IT budget on cybersecurity, with 14% allocating 7-10% and 16% committing 11% or more [9].

A separate Bain & Company and KLAS Research report found that three-quarters of hospitals and health systems increased their IT spending in 2024, with cybersecurity and EHR modernization topping the priority list [5]. Cybersecurity spending as a percentage of total technology budgets climbed to an estimated 7% in 2023 from 5% in 2019 [10].

But here is where the spending picture gets complicated. The IANS Research and Artico Search 2025 benchmark report revealed that security budget growth actually shrank by two percentage points in 2024, down to 4% growth compared to 6% in 2023, even as threats intensified [11]. More than 80% of CISOs in healthcare services reported flat or moderate budget growth [11]. Healthcare organizations are spending more, but the rate of increase is not keeping pace with the rate of threat escalation.

The Spending Is Going to Tools, Not People

Perhaps the most concerning finding from the 2024 HIMSS survey is where the increased spending is actually going. More than half of respondents (57%) reported significant increases in cybersecurity tools, including AI-powered defense technologies [9]. Nearly half (47%) reported substantial improvements to security policies [9].

But only one in three cybersecurity leaders (34%) reported significant increases to staff [9]. Lee Kim, senior principal of cybersecurity and privacy at HIMSS, noted this gap with concern at the HIMSS conference, pointing out that tools without skilled operators leave critical gaps in defense posture [9].

This mirrors a broader staffing crisis. CDW research found that just 14% of healthcare organizations say their IT security teams are fully staffed, with over half saying they need more help and 30% describing themselves as understaffed or severely understaffed [3]. Buying better tools while understaffing the teams that operate them is the cybersecurity equivalent of buying a fighter jet and not training a pilot.

The Third-Party Problem

One of the most significant budget implications comes from a threat vector that many hospitals are only now beginning to address: third-party vendor risk. The Change Healthcare attack was not a direct attack on a hospital. It was an attack on a business associate, a single vendor that processed billing and claims for much of the industry.

Comparitech's 2025 healthcare ransomware analysis found that while attacks on healthcare providers remained roughly flat compared to 2024, attacks on healthcare businesses, including pharmaceutical manufacturers, medical billing providers, and healthcare tech companies, increased by 25% [12]. The AHA's national cybersecurity advisor noted that the vast majority of patient records in recent years have been stolen from third parties, not from hospitals directly [1].

This means hospitals need to budget not just for their own defenses, but for vendor risk assessment, BAA enforcement, and contingency planning for when a critical vendor goes down. The Change Healthcare incident forced many hospitals to engage alternative liquidity sources and develop redundancy plans for services they had previously concentrated in a single provider [5].

What Smart Spending Looks Like

The Netwrix 2025 Cybersecurity Trends Report, based on a survey of 2,150 IT professionals from 121 countries, found that 48% of healthcare organizations experienced at least one security incident in the past twelve months requiring a dedicated response [13]. Four times as many healthcare organizations suffered financial losses of at least $200,000 in 2025 compared to 2024, and 12% reported losses exceeding $500,000, double the cross-industry average of 6% [13].

These numbers make the budget conversation straightforward: every dollar spent on prevention is worth multiple dollars saved in breach response. But prevention requires more than purchasing software licenses. It requires multi-factor authentication across all critical systems, a control whose failure enabled the Change Healthcare breach in the first place [11]. It requires incident response plans that are tested, not just documented. It requires staff who are trained to identify phishing, which remains the most prevalent threat vector at 76% of cloud incidents and 69% of on-premises incidents [13]. And it requires business continuity planning that assumes a critical vendor will go down, because the data says one eventually will.

The White House's 2025 budget proposed $800 million to help high-need, low-resourced hospitals cover the costs of implementing cybersecurity practices, plus $500 million for an incentive program for all hospitals [14]. Whether that funding materializes or not, the message is clear: cybersecurity spending in healthcare is no longer optional. It is an operational requirement on the same level as staffing and facilities maintenance.

Build Security Into the Foundation

At Kortex Digital Labs, we build healthcare platforms with security as a structural requirement, not a line item that competes with features for budget allocation. Row-Level Security, encrypted data storage, audit logging, and webhook-only payment processing are not add-ons in our architecture. They are the architecture.

Because the research is unambiguous: hospitals that treat cybersecurity as a cost center will eventually pay far more than those that treat it as a core capability. And in healthcare, the cost is measured in more than dollars.




References

[1] American Hospital Association, "Report: Health Care Had Most Reported Cyberthreats in 2024," AHA News, May 2025. [Online]. Available: https://www.aha.org/news/headline/2025-05-12-report-health-care-had-most-reported-cyberthreats-2024

[2] Sophos, "The State of Ransomware in Healthcare 2024," Sophos Ltd., Jul. 2024. [Online]. Available: https://www.sophos.com/en-us/blog/the-state-of-ransomware-in-healthcare-2024

[3] IBM Security, "Ransomware on the Rise: Healthcare Industry Attack Trends 2024," IBM Corp., Nov. 2025. [Online]. Available: https://www.ibm.com/think/insights/healthcare-industry-attack-trends-2024

[4] ScienceSoft, "Ransomware Tops Growing Cyber Threats in Healthcare, Driving Up Breach Costs," ScienceSoft, Aug. 2025. [Online]. Available: https://www.scnsoft.com/healthcare/cybersecurity-statistics

[5] American Hospital Association, "Providers Boost Cybersecurity Spending in Wake of Change Healthcare Breach," AHA Center for Health Innovation, Oct. 2024. [Online]. Available: https://www.aha.org/aha-center-health-innovation-market-scan/2024-10-01-providers-boost-cybersecurity-spending-wake-change-healthcare-breach

[6] J. X. Jiang et al., "Ransomware Attacks and Data Breaches in US Health Care Systems," JAMA Network Open, 2025, doi: 10.1001/jamanetworkopen.2025. [Online]. Available: https://pmc.ncbi.nlm.nih.gov/articles/PMC12079295/

[7] Cybersecurity Ventures, "Healthcare Industry To Spend $125 Billion On Cybersecurity From 2020 to 2025," Nov. 2024. [Online]. Available: https://cybersecurityventures.com/healthcare-industry-to-spend-125-billion-on-cybersecurity-from-2020-to-2025/

[8] TechTarget, "Healthcare Cybersecurity Budgets Expected to Rise in 2025," TechTarget HealthTech Security, 2025. [Online]. Available: https://www.techtarget.com/healthtechsecurity/news/366620136/Healthcare-cybersecurity-budgets-expected-to-rise-in-2025

[9] Chief Healthcare Executive, "Some Hospitals Are Spending More on Cybersecurity, But Not Always on Staff," HIMSS 2025, Dec. 2025. [Online]. Available: https://www.chiefhealthcareexecutive.com/view/some-hospitals-are-spending-more-on-cybersecurity-but-not-always-on-staff-himss-2025

[10] Becker's Hospital Review, "Hospital Cybersecurity Spend to Rise in 2025: 4 Details," Nov. 2024. [Online]. Available: https://www.beckershospitalreview.com/healthcare-information-technology/cybersecurity/hospital-cybersecurity-spend-to-rise-in-2025-4-details/

[11] IANS Research and Artico Search, "2025 Compensation and Budget for CISOs in Healthcare Benchmark Report," IANS Research, Mar. 2025. [Online]. Available: https://www.iansresearch.com/resources/all-blogs/post/security-blog/2025/03/27/healthcare-security-comp-and-budgets-decline--access-key-report-data-and-trends

[12] Comparitech, "Healthcare Ransomware Roundup: 2025 Stats on Attacks, Ransoms, and Data Breaches," Comparitech, Jan. 2026. [Online]. Available: https://www.comparitech.com/news/healthcare-ransomware-roundup-2025-stats-on-attacks-ransoms-and-data-breaches/

[13] HIPAA Journal, "Healthcare Cyberattacks Costing $200K+ Rise 400% in a Year," HIPAA Journal, Oct. 2025. [Online]. Available: https://www.hipaajournal.com/healthcare-cyberattacks-200k-increase-400pc/

[14] Asimily, "Unpacking the White House's 2025 Hospital Cybersecurity Budget," Asimily, Mar. 2024. [Online]. Available: https://asimily.com/blog/white-houses-hospital-cybersecurity-budget-2025/
