Healthcare Cybersecurity Gaps Remain Despite Massive Spending Increases


Apr 2, 2025 - 15:01

The following is a guest article by Rob Shavell, CEO at DeleteMe

Healthcare cybersecurity is currently experiencing explosive growth. Experts believe that the size of the market will reach $35.3 billion by 2028. Unfortunately, this spending hasn’t always produced the desired results. Healthcare was the most breached industry in 2024, and UnitedHealth is still sending breach notices about the Change Healthcare attack, which exposed the data of over 190 million people last year.

Why has the healthcare industry struggled to secure critical systems despite this rapid increase in cybersecurity investment? The reality is that simply spending more doesn’t guarantee protection. There are no easy answers, but there are ways for healthcare companies to protect against most attacks, even with a limited budget.

The Difficulty in Securing Health Data

There are several reasons that healthcare organizations have found it particularly difficult to maintain security, despite the billions spent on cybersecurity. First, protected health information (PHI) is a valuable target for cybercriminals, more so than other types of data. Bad actors can exploit PHI to commit medical fraud, insurance fraud, and identity theft. In addition, cybercriminals can sell health records on the dark web and get a better price than for credit card numbers, because there are so many ways to manipulate those personal details for long-term fraud.

A second major issue is the relentless nature, and extreme profitability, of ransomware. Cybercriminals use ransomware to attack healthcare systems, holding mission-critical software hostage and disrupting hospital operations, ambulance response times, and other essential services. These attacks directly impair patient outcomes and safety.

For example, earlier this year, both Frederick Health and New York Blood Center Enterprises (NYBCe) experienced ransomware attacks that forced laboratory closures and delayed patient care. NYBCe struggled to become operational again after the attack, and in the meantime, processing times for blood donations increased. Because the stakes are so high, healthcare organizations often feel they have no choice but to pay the ransom. Cybercriminals recognize this and continue to exploit this vulnerability, draining billions from the healthcare industry every year.

The challenge is compounded by the difficulty of ensuring the security of third-party vendors, such as electronic health record (EHR) software or billing providers. Even if hospitals invest heavily in protecting their own systems, third parties often introduce weak points that are difficult to monitor. The sheer number of vendors in healthcare creates more access points and more opportunities for breaches than in many other industries.

Another ongoing issue is inadequate employee training. In many cases, ransomware and other cyber threats succeed simply because a hospital worker clicks the wrong link or unknowingly provides login credentials in response to a phishing email. The rise of AI-generated phishing attacks has made these scams harder to detect. Hackers can now create mass campaigns that are automatically personalized using publicly available data, making them increasingly difficult to filter out. As a result, no matter how much money is spent on security tools, human error remains one of the biggest vulnerabilities, accounting for 68 percent of breaches. 

Securing Systems at a Lower Cost

For many healthcare companies and hospitals, throwing money at the cybersecurity problem hasn’t produced a great return on investment. But while no single investment can eliminate all cyber threats, healthcare organizations can significantly reduce their exposure to attacks, especially phishing and basic software vulnerabilities, at a relatively low cost. The key is to prioritize measures that offer the most protection per dollar spent.

One of the simplest and most overlooked ways to reduce phishing attacks is to make sure that employees’ personal information isn’t readily available on the web. This means getting employees to opt out of data broker databases. Cybercriminals rely on publicly available personal information to craft highly convincing phishing and social engineering attempts, often pulling phone numbers, email addresses, and job titles from these sources. When healthcare organizations work to remove employee data from broker sites, they make it harder for attackers to personalize phishing messages, reducing the likelihood of successful breaches. This approach costs relatively little but provides significant protection against one of the most common attack methods.

Another high-ROI security measure is strict access control. Many healthcare breaches occur because attackers gain entry through a single compromised account, which then grants them access to an entire system. Enforcing least-privilege access, in which employees only have permissions necessary for their roles, limits the damage of a breached credential. Multi-factor authentication (MFA) should also be mandatory for all employees, especially for accounts with access to protected health information. These controls don’t require massive budgets but can dramatically reduce risk.
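To make the blast-radius argument concrete, here is an added illustration (not code from the article or from DeleteMe) of a small authorization check that enforces both controls described above: role-scoped permissions and mandatory MFA for anything tagged as PHI. The resource names, roles, and data-class labels are constructed sample values, and `require_mfa` is a hypothetical switch used only to contrast the two policies.

```python
from dataclasses import dataclass

# Constructed sample: hospital resources tagged by whether they hold PHI.
RESOURCES = {
    "ehr.patient_charts": {"phi": True},
    "billing.claims": {"phi": True},
    "pharmacy.inventory": {"phi": False},
    "hr.payroll": {"phi": False},
    "scheduling.calendar": {"phi": False},
}

# A flat policy (every staff account reaches everything) beside a
# least-privilege policy scoped to job function.
FLAT_ROLES = {"staff": set(RESOURCES)}
LEAST_PRIV_ROLES = {
    "nurse": {"ehr.patient_charts", "scheduling.calendar"},
    "billing_clerk": {"billing.claims"},
    "pharmacist": {"pharmacy.inventory"},
}


@dataclass
class Session:
    user: str
    role: str
    mfa_verified: bool  # False models a phished password with no second factor


def authorize(session, resource, roles, require_mfa=True):
    """Return (allowed, reason). PHI resources also need a completed MFA step."""
    if resource not in RESOURCES:
        return False, "unknown resource"
    if resource not in roles.get(session.role, set()):
        return False, "role not permitted"
    if require_mfa and RESOURCES[resource]["phi"] and not session.mfa_verified:
        return False, "mfa required for PHI"
    return True, "ok"


def blast_radius(session, roles, require_mfa=True):
    """Resources a single stolen credential can reach under a given policy."""
    return sorted(r for r in RESOURCES if authorize(session, r, roles, require_mfa)[0])


if __name__ == "__main__":
    phished_flat = Session("j.doe", "staff", mfa_verified=False)
    phished_nurse = Session("j.doe", "nurse", mfa_verified=False)
    print("flat, no MFA:", blast_radius(phished_flat, FLAT_ROLES, require_mfa=False))
    print("flat + MFA:", blast_radius(phished_flat, FLAT_ROLES))
    print("least privilege + MFA:", blast_radius(phished_nurse, LEAST_PRIV_ROLES))
```

Run it to see the same stolen password go from reaching every resource under the flat policy to reaching only a non-PHI calendar once least privilege and PHI-gated MFA are both in place.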

Routine software patching and vulnerability management are also essential but often neglected due to resource constraints. Many attacks exploit outdated software, yet healthcare organizations frequently delay updates due to concerns over compatibility with legacy systems. Investing in a structured patch management process to test and deploy updates systematically helps close security gaps without requiring major new expenditures.

When healthcare organizations focus on security measures that cover a big surface area without requiring enormous spending, they can ensure strong protection against the most common attack vectors while maximizing their return on investment. 

The Future of Healthcare Cybersecurity

Instead of relying solely on bigger budgets and more complex software, the industry needs a smarter approach that ensures every dollar spent delivers real security improvements. Cybercriminals will continue evolving their tactics, but a focus on high-ROI security strategies can make everyday attacks harder to execute, improving both patient safety and financial sustainability.

About Rob Shavell

Rob Shavell is the CEO at DeleteMe, an industry leader in personal data protection and the creator of the Privacy-as-a-Service industry category. Rob has been quoted as a privacy expert in the Wall Street Journal, New York Times, The Telegraph, NPR, ABC, NBC, and Fox. Rob is a vocal proponent of privacy legislation reform, including the California Privacy Rights Act (CPRA).