HIMSS Healthcare Cybersecurity Survey 2024

Table of Contents

- Executive Summary
- Methodology and Demographics
  - Methodology
  - Demographics
  - Levels of Responsibility
  - Types of Organizations Represented
- Economics of Healthcare Cybersecurity
  - Budgets are Improving
  - Overall IT Budgets are Modestly Improving
  - Allocation of current IT budget to cybersecurity
  - Comparing 2023 to 2024: Cybersecurity Budget Allocations
  - Trends in Cybersecurity Budget Allocations
  - Cybersecurity Budgets Projected to Rise
  - Changes to cybersecurity budget in 2025
  - Effect of Cybersecurity Budget Increases in 2025
- Security Awareness
  - Security Awareness Programs
  - Effectiveness of security awareness programs
- Significant Security Incidents
  - Initial Points of Compromise
  - Testing of Incident Response Plans
  - Stakeholder Participation in Tabletop Exercises
- What's Happening with Ransomware
  - Present State
  - 2024 Ransomware Trends
  - Ransomware Trends: 2022-2024
  - To Pay or Not to Pay - Ransomware Payments
  - Proactive vs. Reactive Security Measures
  - Future State
- AI Adoption in Healthcare
  - Allowing the Use of AI in Healthcare
  - To Govern or Not: Organizational Approaches to AI
  - AI Technology Use Cases
  - AI Guardrails
  - Approval Process for AI Technology
  - Active Monitoring of AI Technology
  - Acceptable Use Policy for AI Technology
  - Future Concerns Regarding AI
- Managing Third-Party Risks
  - Third-Party Risk Management Programs
  - Third-Party Security Incidents
  - Impacts of Third-Party Security Incidents
- Insider Threat Programs
  - Formal Insider Threat Programs
  - Insider Threat and AI
  - Insider Threat Activity Involving Third Parties
- Conclusion
- About HIMSS
- How to Cite this Survey
- How to Request Additional Information

Executive Summary

Cybersecurity Budgets
- Investments - Organizations are dedicating more resources to fortify defenses.
- Strategic Focus - Budgets are increasingly aligned with critical vulnerabilities.

Security Awareness
- Phishing Mitigation - Programs target phishing, the leading attack vector.
- Innovative Training - Gamification and scenario-based training boost engagement.

Security Incidents
- Phishing Dominance - Phishing is the top method of compromise.
- AI-Driven Attacks - Deepfakes are an emerging threat.

Ransomware
- Combatting Ransomware - Ransomware defense continues to be a priority.
- Fewer Ransom Payments - Fewer ransomware victims are reporting paying ransom.

Artificial Intelligence
- Policy Shortfalls - A lack of formal AI governance increases risk.
- Limited Oversight - There is limited monitoring of AI usage.

Third-Party Risks
- Third-Party Incidents - Significant incidents involving third parties are notable.
- Impacts - Third-party incidents cause disruption and other impacts.

Insider Threats
- Formal Programs - Formal programs are needed to manage insider threats.

Methodology and Demographics

The 2024 HIMSS Healthcare Cybersecurity Survey reflects the responses of 273 healthcare cybersecurity professionals. These professionals had at least some responsibility for day-to-day cybersecurity operations or oversight of the healthcare organization's cybersecurity program. Respondents who indicated they did not have any level of responsibility for either day-to-day cybersecurity operations or oversight were not eligible to take the survey.

Methodology

The data for this survey was collected between November 6 and December 16, 2024. Questions asked respondents about their perspectives, knowledge, and experiences over the past 12 months. For simplicity, we refer to this data as "2024" throughout this report. Similarly, data from previous surveys is identified by the year in which it was collected.

Demographics

As shown in Figure 1 below, respondents held various roles, including executive management (50%), non-executive management (37%), and non-management (13%). Executive management included individuals in the C-suite, non-executive management comprised senior management, and non-management encompassed analysts and specialists.

[Figure 1: Respondent Roles. Executive management 50%; non-executive management 37%; non-management 13%.]

Levels of Responsibility

As shown in Figure 2 below, respondents reported varying levels of involvement in their organization's cybersecurity programs. 46% had primary responsibility, 30% shared responsibility, and 24% were involved as needed in the day-to-day operations or oversight.

[Figure 2: Respondent Cybersecurity Responsibility. Primary responsibility 46%; some responsibility 30%; sometimes, as needed 24%.]

Types of Organizations Represented

As shown in Figure 3 below, respondents represented a diverse range of organizations, including healthcare providers (50%), vendors (18%), consulting firms (13%), government entities (8%), and other organizations (11%). Other organizations included academic institutions, non-profits, payors, and life sciences companies.

[Figure 3: Types of Organizations. Healthcare provider 50%; vendor 18%; consulting firm 13%; other 11%; government entity 8%.]

Economics of Healthcare Cybersecurity

Investing in robust cybersecurity measures is no longer optional for healthcare organizations: it is essential. Yet achieving a strong cybersecurity posture requires sufficient resources, which are often limited by budgetary constraints. Chief Information Security Officers and their teams frequently find themselves balancing the need to address evolving threats with the reality of tight financial resources.

Healthcare organizations with greater financial resources are better equipped to leverage robust cybersecurity solutions. Sufficient cybersecurity funding enables organizations to access advanced tools, hire skilled personnel, and implement comprehensive strategies. Conversely, limited budgets can pose challenges, making it more difficult to address the ever-evolving cyber threat landscape effectively. However, even with modest resources, strategic planning and prioritization can play a critical role.

Budgets are Improving

Overall IT Budgets are Modestly Improving

Traditionally, healthcare organizations have generally allocated 6% or less of their IT budgets to cybersecurity, according to aggregate data from the 2018 to 2022 and 2024 HIMSS Healthcare Cybersecurity Surveys. Since cybersecurity budgets are typically carved out of overall IT budgets, this survey examined both the expected changes in overall IT budgets from fiscal year 2024 to fiscal year 2025 and the current allocation of those budgets to cybersecurity.

As shown in Figure 4 below, a slight majority of respondents (52%) reported that their organizations' overall IT budgets would increase during this period, while 10% indicated a decrease. 28% of respondents reported no change in their overall IT budgets. Ten percent of respondents did not know about the anticipated change in IT budget from 2024 to 2025.

[Figure 4: Anticipated Change in IT Budget 2024 to 2025. Increased 52%; no change 28%; decreased 10%; don't know 10%.]

Allocation of current IT budget to cybersecurity

Understanding how organizations allocate their IT budgets to cybersecurity provides valuable insight into their prioritization of security measures. Variability in spending levels highlights differences in how organizations approach protecting their systems and data. These budgetary decisions present opportunities to strengthen defenses and enhance preparedness against evolving threats.

When asked about organizational allocation of the current IT budget to cybersecurity, 20% of respondents indicated that their organization had no specific carve-out but spent money on cybersecurity, as shown in Figure 5 below. However, 19% of respondents reported their organizations allocated 3-6% of the overall IT budget to cybersecurity; 14% reported 7-10%; 7% reported 11-14%; 9% reported more than 14%; and 7% reported 1-2%. One percent of respondents (several vendors and a healthcare provider) indicated their organizations do not spend any money on cybersecurity. Notably, 23% of respondents did not know what percentage of their organizations' IT budgets were allocated to cybersecurity.

[Figure 5: Percent of Organization's IT Budget Spent on Cybersecurity. No allocation 1%; 1-2 percent 7%; 3-6 percent 19%; 7-10 percent 14%; 11-14 percent 7%; more than 14 percent 9%; flexible allocation 20%; don't know 23%.]

Comparing 2023 to 2024: Cybersecurity Budget Allocations

Data from the 2023 and 2024 HIMSS Healthcare Cybersecurity Surveys reveal a notable shift in cybersecurity budget allocations. The percentage of organizations allocating 3-6% of their IT budgets to cybersecurity increased from 13% in 2023 to 18% in 2024, while those allocating 1-2% decreased from 10% to 7%, as shown below in Figure 6. Allocations between 7-10% were similar, decreasing slightly from 15% of organizations in 2023 to 14% in 2024, while allocations above 10% dropped significantly, from 21% of organizations in 2023 to 16% in 2024, reflecting a possible redistribution of resources or more strategic spending.

The percentage of organizations without a specific carve-out for cybersecurity increased slightly, from 19% in 2023 to 20% in 2024. Additionally, respondents unaware of their organizations' cybersecurity budget allocations rose from 19% in 2023 to 23% in 2024, pointing to potential gaps in communication or governance over cybersecurity spending.

These findings suggest that organizations are optimizing cybersecurity investments, moving toward more moderate budget allocations. However, the increase in respondents unaware of their organizations' cybersecurity budget allocations underscores the need for improved communication around cybersecurity priorities. While executive management respondents were generally aware of cybersecurity budget allocations, non-management and non-executive management respondents demonstrated limited awareness, highlighting an opportunity for better information sharing about organizational cybersecurity programs.

[Figure 6: Cybersecurity Budget Allocation, 2023 vs. 2024. Categories: no allocation; 1-2 percent; 3-6 percent; 7-10 percent; more than 10 percent; flexible allocation; don't know. Values are those given in the text above and in Table 1.]

Trends in Cybersecurity Budget Allocations

Over the years, cybersecurity budget allocation within IT budgets has shown notable fluctuations, reflecting changes in organizational priorities and resource allocation strategies. As shown in Table 1, organizations reporting no cybersecurity allocation remained steady at 1-3%, while allocations in the 1-2% range peaked at 18% in 2020 but dropped to 7% in 2024. Budgets in the 3-6% range dipped to 13% in 2023 before recovering to 18% in 2024, indicating stability in moderate spending. Allocations in the 7-10% range gradually increased from 10% in 2020 to 14% in 2024, showing growing investment in higher cybersecurity budgets. Budgets exceeding 10% peaked at 21% in 2023 before falling to 16% in 2024, suggesting shifts toward more balanced spending.

The percentage of healthcare organizations with flexible or unspecified cybersecurity budgets declined from 26% in 2019 to 20% in 2024, reflecting improved budgeting practices. However, respondents unaware of their organizations' cybersecurity budgets rose from 18% in 2020 to 23% in 2024, highlighting communication gaps. While modest increases in healthcare cybersecurity budgets are evident, additional investments are critical to address growing threats, protect sensitive assets, and support new technologies. Without sufficient funding, organizations risk disruptions to patient care, loss of trust, and significant financial and reputational harm.

Table 1: Cybersecurity Budget Allocation, 2019-2024

| Budget Allocation     | 2019 | 2020 | 2021 | 2023 | 2024 |
|-----------------------|------|------|------|------|------|
| No allocation         | 1%   | 1%   | 1%   | 3%   | 1%   |
| 1-2 percent           | 9%   | 18%  | 18%  | 10%  | 7%   |
| 3-6 percent           | 25%  | 24%  | 22%  | 13%  | 19%  |
| 7-10 percent          | 11%  | 10%  | 15%  | 15%  | 14%  |
| More than 10 percent  | 10%  | 6%   | 11%  | 21%  | 16%  |
| Flexible allocation   | 26%  | 23%  | 24%  | 19%  | 20%  |
| Don't know            | 18%  | 18%  | 10%  | 19%  | 23%  |

Cybersecurity Budgets Projected to Rise

Changes to cybersecurity budget in 2025

Anticipated changes to cybersecurity budgets provide insight into organizations' evolving priorities and strategies. With the growing complexity of cyber threats, many organizations recognize the need to adjust their spending to stay ahead. These shifts highlight an increasing focus on bolstering defenses and addressing emerging risks. As shown in Figure 7 below, among respondents who reported a specific allocation for their organizations' cybersecurity budgets, a slight majority (55%) anticipated an increase in 2025. Only 4% expected a decrease, while 21% stated their budgets would remain the same. Notably, 20% of respondents indicated they did not know.

[Figure 7: Change to Cybersecurity Budget in 2025. Increase 55%; no change 21%; don't know 20%; decrease 4%.]

Effect of Cybersecurity Budget Increases in 2025

Among respondents who indicated that their cybersecurity budgets would increase, we asked whether the increase enabled their organizations to make meaningful improvements, such as investing in additional staff, tools, and/or policies. As shown in Figure 8, a majority (57%) reported significant improvements to the tools they use. 47% reported significant improvements to policies, and 31% reported significant improvements to staff. Notably, 34% stated that the increase allowed for only some improvements across staff, tools, and policies. Three percent indicated that the increase merely maintained existing support for staff, tools, and policies, and 8% of respondents stated that they did not know.

[Figure 8: Impact of Increase in Cybersecurity Budget for 2025. Significant improvement to tools 57%; significant improvements to policies 47%; some improvements to staff/tools/policies 34%; significant improvements to staff 31%; don't know 8%; only to support existing staff/tools/policies 3%.]

Security Awareness

Security Awareness Programs

Effective security awareness training is vital for helping employees recognize and respond to cybersecurity threats. Organizations use a variety of methods to engage their workforces and reinforce key concepts, tailoring their approaches to address their specific risks. Understanding the strategies employed provides valuable insight into how organizations prioritize education as part of their overall defense strategies.

As shown in Figure 9 below, respondents reported using a variety of methods for security awareness training, with 73% citing regular email alerts and communications, 63% using simulated phishing, 49% using interactive discussions, and 47% holding in-person or virtual workshops. Incident response exercises like tabletops were used by 38%, while 10% engaged in interactive games. Notably, 4% reported no training, 2% were unaware if training occurred, and 3% used alternate methods like video-based training or compliance activities, which are not equivalent to effective cybersecurity training. Only 40% addressed emerging threats like deepfakes, quishing (QR code phishing), and smishing (SMS phishing), highlighting the need for comprehensive, up-to-date training programs to counter evolving threats.

Organizations may need to develop custom training programs since off-the-shelf security awareness training might not adequately address emerging threats. Tailored approaches ensure that training is relevant and comprehensive, equipping teams to effectively identify and respond to sophisticated attacks.

[Figure 9: Methods for Security Awareness Training. Email updates/alerts 73%; simulated phishing attacks 63%; interactive discussions 49%; in-person or virtual workshops 47%; training on emerging threats 40%; tabletops 38%; interactive games 10%; no training 4%; other 3%; don't know 2%.]

Effectiveness of security awareness programs

Security awareness programs are a key element of organizational defense, designed to educate employees on recognizing and responding to potential threats. As cybersecurity risks continue to evolve, the effectiveness of these programs is critical in reducing vulnerabilities and preventing incidents. Evaluating how well these programs perform can highlight areas for improvement and ensure they remain aligned with the changing threat landscape.

As shown in Figure 10 below, we asked respondents whose organizations conduct security awareness programs to assess the effectiveness of these programs. A majority (62%) indicated their programs are somewhat effective, while 18% described them as very effective. Another 18% reported their programs are only slightly effective, and 2% stated they are not effective at all. The relatively low percentage of respondents rating their programs as very effective (18%) suggests a need for enhanced strategies. It is suggested that organizations focus on key areas for improvement, including addressing emerging threats and mitigating risks from new and emerging technologies. Strengthening these security awareness programs could better equip organizations to stay ahead of evolving cybersecurity challenges and bolster their overall defenses.

Proactive measures, such as gamification, tabletop exercises, and interactive workshops, can help educate the workforce about both basic and advanced threats. These approaches can engage employees effectively, fostering practical skills and awareness. Social engineering remains a dominant attack method, making it crucial for security awareness programs in healthcare organizations to address emerging threats such as deepfakes (image, audio, video), smishing, and quishing.

[Figure 10: Effectiveness of Security Awareness Training Programs. Very effective 18%; somewhat effective 62%; slightly effective 18%; not at all effective 2%.]

Security Incidents

Significant Security Incidents

Initial Points of Compromise

Understanding initial points of compromise is key to identifying vulnerabilities and strengthening defenses since they often serve as gateways for attackers. Addressing these weaknesses can significantly reduce the risk of breaches and improve security posture. As shown in Figure 11 below, we asked respondents to identify initial points of compromise for significant security incidents in the past year. General email phishing (63%), SMS phishing and targeted spear-phishing (each 34%), business email compromise (31%), phishing websites (21%), malicious ads (20%), social media phishing (19%), vishing (voice phishing) (17%), whaling (also known as executive impersonation) (16%), deepfake images (6%), audio deepfakes (4%), video deepfakes (3%), distributed denial of service (DDoS) attacks (3%), and privacy breaches (3%) were reported. Eight percent did not know. Eighteen percent reported no significant security incidents.

[Figure 11: Initial Points of Compromise for Significant Security Incidents in the Past 12 Months. General email phishing 63%; SMS phishing 34%; spear-phishing 34%; business e-mail compromise 31%; phishing website 21%; malicious ad or pop-up 20%; social media phishing 19%; voice phishing/vishing 17%; whaling 16%; deepfake photo/image 6%; deepfake audio 4%; deepfake video 3%; other 3%; don't know 8%; does not apply 18%.]