State of Healthcare Cybersecurity: 50 Facts
50+ Facts and Statistics about the State of Cybersecurity in the US Healthcare Industry
Spending and Resources
- Cybersecurity Ventures predicts that the healthcare industry will spend upwards of $125 billion on cybersecurity products and services from 2020 to 2025, a growth rate of 15 percent year-over-year (Herjavec Group)
- 56% of healthcare organizations report allocating less than 10% of their IT budget to cybersecurity (HIMSS)
- Acquiring the appropriate talent is considered a major hurdle for tackling cybersecurity issues, with 53% of organizations saying they lack in-house expertise and 46% reporting generally insufficient IT staffing (Proofpoint)
- 41% of healthcare IT professionals believe that their organizations allocate insufficient financial resources to make their cybersecurity strategy effective (Proofpoint)
- When considering the most severe security incident experienced by a healthcare organization, outdated IT equipment such as legacy operating systems or unsupported software were cited as the initial point of access in 24% of cases. (HIMSS)
- Such legacy technology was cited as a top cybersecurity concern by 39% of healthcare cybersecurity professionals.
- Nearly half reported that more than 10% of their infrastructure was legacy
Phishing
- More than 90% of all cyberattacks against healthcare industries take the form of phishing scams (Herjavec Group)
- 45% of healthcare cybersecurity professionals stated that a phishing attack was responsible for the most severe data breach experienced by their organization (HIMSS).
- 71% of incidents involved general email phishing, 67% involved spear-phishing, 27% voice phishing (vishing), 27% whaling, 23% business email compromise, 21% SMS phishing, 20% phishing website, 16% social media phishing, 3% pharming and 2% deepfakes
- In a study simulating phishing campaigns against US healthcare organizations, nearly 1 in 7 of the fake phishing emails sent were clicked on by healthcare employees (JAMA Network Open)
- Only 16% of healthcare employees believe that they understand the risks posed by social engineering cybersecurity threats (such as phishing) “very well”, lower than most other industries (KnowBe4)
- 64% of healthcare IT professionals believe that their organization is vulnerable to business email compromise/spoofing phishing (Proofpoint)
- Over two thirds (67%) of organizations believe that phishing and business email compromise attacks compromised the quality of patient care (Proofpoint)
- Only 48% of healthcare providers have included steps on preventing and responding to a business email compromise or phishing attack in their cybersecurity strategy (Proofpoint)
- 62% of organizations include ransomware threats in their cybersecurity strategy
- 41% of healthcare providers simulate phishing attacks to train their staff about cybersecurity risks (Proofpoint)
- The number of phishing incidents increased 220% year-on-year at the height of the COVID-19 pandemic in 2020 (F5)
Employee Training and Awareness
- Over three quarters of healthcare employees report receiving cybersecurity awareness training (KnowBe4)
- Only 37% of hospitals perform annual cybersecurity incident response exercises (Journal of Medical Internet Research)
- Only 51% of organizations considered medical device security in their cybersecurity strategy (Proofpoint)
- Nearly 1 in 5 insiders who committed data breaches at healthcare organizations were not directly employed by the organization itself, but through a business partner or as a contractor (Carnegie Mellon)
- One in four US healthcare workers who believe they should have been given cybersecurity training were never offered any (Kaspersky)
- 34% of healthcare employees did not know if their workplace had a cybersecurity policy (Kaspersky)
Ransomware
- The number of ransomware attacks against healthcare entities doubled from 2016 to 2021 (JAMA Health Forum)
- Two in three healthcare facilities reported experiencing a ransomware attack in 2022 (global; Sophos)
- In 2021, the average ransomware payment in the healthcare industry was $197,000, an increase of 33% relative to 2020 (global; Sophos)
- Even when healthcare organizations paid up in the wake of a ransomware attack, on average only 64.8% of their data was restored (global; Sophos and Sophos Healthcare)
- Only 2% of organizations that paid the ransom got all of their data restored
- In 2021, 61% of healthcare organizations reported paying the ransom when subject to a ransomware attack, up from 34% in 2020 and higher than the industry-wide average of 46% (Sophos Healthcare)
- Following a ransomware attack, only 72% of providers were able to use backups to regain access to their data (global; Sophos)
- Only 47% of healthcare facilities reported their ransom payment being covered by their cybersecurity insurance policy (global; Sophos)
- When surveyed, 90% of private sector healthcare organizations stated that ransomware attacks cost their organization business and revenue (Sophos Healthcare)
- On average, it cost healthcare providers $1.85 million to recover from a ransomware attack (Sophos Healthcare)
- One in four healthcare organizations subject to a ransomware attack in 2021 reported taking more than a month to recover from the effects of an attack. The average recovery time was one week (Sophos Healthcare)
- Nearly a quarter of healthcare IT staff stated that ransomware attacks increased patient mortality rates (Proofpoint)
- Other side effects included delays in procedures (64%) and increase in complications from medical procedures (48%)
General Cybersecurity
- More than a third (37%) of surveyed IT and security professionals at healthcare entities state that they do not back up sensitive data (ClearDATA)
- Only half of healthcare organizations regularly conduct cybersecurity audits (ClearDATA)
- Only 38% of organizations had fully implemented encryption safety controls on their data at rest (HIMSS)
- This increased to 50% for data in transit
- When surveyed, 43% of patients stated that they had privacy and cybersecurity concerns regarding receiving treatment via telehealth (Harmony Healthcare IT)
- According to Verizon, basic web application attacks, system intrusions and miscellaneous errors were behind 76% of healthcare data breaches (Verizon DBIR)
- Since 2008, 47% of data breaches reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) were attributed to hacking/IT incidents (OCR Data Breach Report)
- This has changed drastically over time; in 2010, only 4% cases were classified as hacking/IT incidents, which increased by a factor of 20 to 80% of cases in 2022 (OCR Data Breach Report)
- Since 2014, hacking/IT incidents have been the leading cause of data breaches in US Healthcare organizations (OCR Data Breach Report)
- In 2022, 44 million individuals were affected by hacking/IT data breaches against the healthcare industry, up from 900,000 in 2012 (OCR Data Breach Report)
- Since 2009, healthcare breaches attributed to hacking/IT incidents have affected 319 million individuals, equivalent to 96% of the US population (OCR Data Breach Report)
- The average hacking/IT breach involved 131,100 records (OCR Data Breach Report)
- Each of the top five largest healthcare data breaches reported to OCR was attributed to a hacking/IT incident:
- Anthem Inc., 78.8 million records (2015)
- Optum 360, LLC, 11.5 million records (2019)
- Premera Blue Cross, 11 million records (2015)
- Laboratory Corporation of America Holdings, 10.3 million records (2019)
- Excellus Health Plan Inc., 9.3 million records (2015)
- Breached healthcare information is up to 50 times more valuable than financial information (DMagazine)
- Medical information can sell for up to $1000 if complete
- Seventy percent of surveyed healthcare IT professionals stated that cybersecurity attacks against their supply chains disrupted patient care (Proofpoint)
- Among US healthcare organizations, the average cost of the single most expensive breach they experienced was $4.4 million (Proofpoint), broken down into:
- Lost productivity due to system downtime and delays ($1.1 million)
- Disruption to healthcare operations ($1 million)
- Damage to IT infrastructure ($930 K)
- Remediation activities ($708 K)
- Mitigating impacts on patient care ($664 K)
- 67% of IT professionals believe that technologies including the cloud, big data and the Internet of Things amplify threats to patient safety and information integrity (Proofpoint)
- About 50% of healthcare data breaches result in identity theft, resulting in an average out-of-pocket-cost of $2,500 for each victim (Accenture)
- 38% of organizations experienced between 50 and 350 cybersecurity attacks a year (KPMG)
- A further 13% experience above 350, nearly one a day
- Small healthcare providers are more likely to be targeted by cybercriminals as they are perceived to have weaker defenses (Wall Street Journal)