Healthcare’s Cost-Cutting Compromises Cybersecurity

Summary
– Healthcare organizations are cutting cybersecurity budgets despite increasing threats, with a PwC survey revealing a significant gap between risks and implemented controls.
– Data protection is the top spending driver, but only 35% of healthcare organizations have implemented data risk controls across the entire data life cycle, below the 44% global average.
– Healthcare leaders feel least prepared for cloud-related threats, quantum computing risks, and attacks on connected products, with over half of pharma firms not starting quantum-resistant measures.
– Fragmented data systems and weak identity management in payers and providers drive up fraud, while only about 37-39% have implemented key data governance measures like minimization and full-lifecycle controls.
– For 2026, payers and providers plan budget increases prioritizing AI and cloud security, while only 24% of pharma firms are significantly boosting proactive cybersecurity investments like monitoring and training.

Financial pressures are forcing healthcare organizations to reduce cybersecurity spending, a dangerous trend that coincides with a sharp increase in sophisticated threats targeting the sector. A recent global survey of healthcare executives reveals a troubling gap between the escalating risks and the security controls currently in place. As healthcare costs balloon, driven by insurance claims, administrative burdens, and chronic care needs, some institutions are making a calculated gamble to accept greater cyber risk in exchange for immediate financial relief, potentially jeopardizing patient data and critical operations.
Data protection remains the primary catalyst for cybersecurity investment, yet only 35% of healthcare organizations have established comprehensive data risk controls throughout the entire data life cycle. This figure lags significantly behind the 44% average observed across all other industries. Sensitive information, including patient records, research extracts, and historical data, often resides in uncontrolled environments like spreadsheets outside of primary systems, making it vulnerable and difficult to audit.
The survey identified several areas where healthcare leaders feel particularly exposed. Cloud-related threats, quantum computing risks, and attacks on connected medical products represent the top three threats where preparedness is lowest. This sentiment is consistent across different segments of the industry, though the specifics vary. For pharmaceutical and life sciences companies, the outlook on quantum readiness is especially concerning; over half have not begun implementing any quantum-resistant security measures, and a mere 7% are budgeting for this critical need in the coming year.
For insurance payers and healthcare providers, fragmented digital environments create major security challenges. Their systems typically span numerous vendors, platforms, and data repositories, leading to coverage gaps and complex governance. This fragmentation, combined with weak identity management, has fueled a rise in fraud, particularly targeting online health accounts and wellness incentive programs. In response, these organizations are prioritizing investments in data protection and comprehensive security awareness training for staff.
Widespread data governance shortcomings persist. Only 39% of payers and providers have adopted data minimization strategies, and just 37% enforce controls across the full data lifecycle. On the operational technology front, which includes medical and building management systems, the top challenge is a lack of network segmentation, cited by half of provider respondents. This is followed closely by shortages in specialized OT skills and unclear governance for OT cybersecurity.
Regulatory landscapes are also becoming more demanding. In the United States, proposed updates to HIPAA would mandate annual risk assessments while requiring encryption and multi-factor authentication. India’s new data protection law imposes strict rules for handling health data and obtaining consent, adding another layer of compliance complexity for organizations operating globally.
Pharmaceutical and life sciences firms face distinct pressures: protecting high-value intellectual property, such as proprietary formulas and clinical trial data, is their paramount concern. A breach here can derail regulatory approvals, delay trials, and inflict severe financial and reputational harm. These companies also grapple with significant third-party risk due to their extensive networks of contractors and vendors; a quarter of pharma leaders rank third-party breaches among the top three threats they feel least prepared for.
Security controls within pharma are inconsistent. While about half have implemented data classification and loss prevention tools, only 33% maintain controls across the entire data lifecycle. A scant 2% have adopted all core data risk measures. Reliance on cloud infrastructure for trial data and automated production, coupled with the convergence of IT and OT systems, introduces vulnerabilities where an attack could halt manufacturing and disrupt vital supply chains.
Looking ahead to 2026, investment priorities are shifting. Payers and providers intend to increase cybersecurity budgets, naming AI-driven security tools as their top investment category, followed by cloud security and threat management. In contrast, only 24% of pharma and life sciences companies are planning to allocate significantly more resources toward proactive measures like monitoring and training, compared to reactive spending on incident response. This disparity highlights a sector at a crossroads, balancing immense financial pressures against the non-negotiable need to safeguard sensitive health information and critical infrastructure.
(Source: HelpNet Security)





