Healthcare cyber breaches are “fortified,” but hospitals still aren’t resilient

April 18, 2026 | Cyber Trends

A new Health Security report captures the uncomfortable reality in healthcare right now: breach frequency is rising, disruption is becoming routine, and confidence in core defensive capabilities is low.

The headline statistic is blunt: the healthcare sector saw twice as many breaches in 2025 as in 2024—even while the number of exposed patient records dropped sharply. That combination matters. It signals that many events are no longer the “single massive database spill” type. Instead, hospitals and health systems are absorbing a steadier flow of intrusions that hit availability, operations, and clinical continuity.

That framing is right. The most damaging healthcare cyber events are increasingly measured in downtime, diversion, cancelled procedures, delayed imaging, medication workflow friction, and weeks of backlog—not just in the number of records posted online.

What changed: attackers are optimizing for operational leverage

The report highlights two accelerants behind the breach surge: ransomware and third-party risk. Both are “operational leverage” plays.

Ransomware isn’t simply a data-theft problem anymore. It’s a continuity problem. When clinical operations depend on tightly coupled systems—EHR, imaging, pharmacy, lab, identity, network segmentation, remote access—an attacker only needs one weak link to create enterprise-wide operational impact.

Third-party compromise increasingly acts as the initial foothold. The healthcare ecosystem is dense: billing, collections, transcription, imaging vendors, outsourced IT, medical device support, remote monitoring, MSPs, and a growing SaaS footprint. Every integration expands the trust boundary.

This is why breach counts can rise while exposed records fall. Many incidents don’t require large-scale exfiltration to cause maximum pain. They only require enough access to interrupt care delivery.

The real gap: “progress without trust” in the basics

The most actionable part of the Cybersecurity Dive coverage is the confidence data, because it maps directly to where programs fail under stress:

Vendor risk management: Only 4% of healthcare organizations reported high confidence in the adequacy of their vendor risk assessments; nearly 30% reported no confidence.

Incident response: Only 6% said they were very confident they could quickly identify, contain, and recover from an incident. Fortified summarized this as “progress without full trust in speed or consistency under pressure.”

That gap—between activity and confidence—explains why security “maturity” often doesn’t translate into resilience. A hospital can have policies, annual training, a risk register, and a patching process, yet still be slow to detect, uncertain in containment, and unable to sustain operations during recovery.

Turnover turns tribal knowledge into a security liability

Healthcare has high operational stress, and security programs often lean on a small set of experienced people who know where the bodies are buried: the legacy system that can’t be patched, the vendor tunnel no one owns, the radiology workflow that breaks if you enforce MFA the wrong way.

Fortified points out that constant turnover becomes a cybersecurity problem: when veteran staff leave, they take crucial operational knowledge with them. That means resilience cannot depend on heroics or a few long-tenured individuals. It has to be systematized.

InfoSight perspective: in healthcare, “security culture” is not posters and training modules. It’s repeatable operational playbooks that survive staffing changes:

standard build patterns

enforceable minimum baselines

clearly owned runbooks

measured remediation performance

documented recovery steps that are actually exercised

Shadow AI is not a future risk—it’s an immediate visibility problem

Cybersecurity Dive flags “shadow AI” alongside vendor risk as a proliferating threat surface. This isn’t about whether AI is good or bad. It’s about unmanaged data movement, unmanaged tool access, and unmanaged permissions.

In healthcare settings, the failure mode is predictable:

staff adopt AI tools to reduce documentation load, speed up communications, or summarize charts

data gets pasted into tools without durable governance

tokens, browser extensions, and third-party plug-ins become new access paths

the organization loses track of where PHI or sensitive operational data is flowing

The fix is not “ban AI.” The fix is visibility + policy + control:

approved tools list and access controls

DLP patterns and outbound monitoring where feasible

logging of AI tool access (SSO where possible)

training that focuses on real workflow decisions (what can/can’t be pasted)

vendor due diligence for AI tools as part of third-party risk
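What “visibility + policy + control” looks like once it is turned into a check you can actually run: the script below is an added illustration written for this post, not code from the Fortified report or from InfoSight’s tooling. It takes constructed proxy/SSO log lines (the hosts, users and byte counts are invented, as is the approved-tools list) and flags three of the failure modes listed above: use of an AI host that is not on the approved list, an approved tool reached without SSO, and a bulk upload to an AI service. A second function applies coarse, illustrative DLP patterns to a block of text to support the “what can/can’t be pasted” decision; it is not a complete PHI detector.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample proxy/SSO log lines (made up for this example; not real traffic).
SAMPLE_LOG = """\
2026-04-18T08:02:11Z user=asmith host=assistant.approved-ai.example method=POST bytes_out=2310 sso=yes
2026-04-18T08:05:40Z user=bjones host=chat.freeai.example method=POST bytes_out=51200 sso=no
2026-04-18T08:07:02Z user=asmith host=assistant.approved-ai.example method=POST bytes_out=4096 sso=no
2026-04-18T08:09:55Z user=cwong host=www.example.org method=GET bytes_out=512 sso=no
2026-04-18T08:12:30Z user=dlee host=summarize.freeai.example method=POST bytes_out=250000 sso=no
"""

# Hypothetical inventory: the approved-tools list and the broader set of hosts the proxy
# classifies as AI services (in practice both come from your own asset/vendor records).
APPROVED_AI_HOSTS: Set[str] = {"assistant.approved-ai.example"}
KNOWN_AI_HOSTS: Set[str] = APPROVED_AI_HOSTS | {"chat.freeai.example", "summarize.freeai.example"}
BULK_UPLOAD_BYTES = 100_000  # above this, someone pasted a document, not a sentence


def parse_line(line: str) -> Dict[str, str]:
    """Turn 'ts key=value key=value ...' into a dict; the first token is the timestamp."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = ts
    return fields


def review_ai_access(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (user, host, reason) tuples for each policy deviation found in the log."""
    alerts: List[Tuple[str, str, str]] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        host, user = ev["host"], ev["user"]
        if host not in KNOWN_AI_HOSTS:
            continue  # not an AI service; out of scope for this check
        if host not in APPROVED_AI_HOSTS:
            alerts.append((user, host, "unapproved_ai_tool"))
        elif ev.get("sso") != "yes":
            # Approved tool reached without SSO: the session never shows up in identity logs
            alerts.append((user, host, "sso_bypassed"))
        if ev.get("method") == "POST" and int(ev.get("bytes_out", 0)) >= BULK_UPLOAD_BYTES:
            alerts.append((user, host, "bulk_upload"))
    return alerts


# Coarse DLP-style markers for the "can this be pasted?" decision. Illustrative only.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
}


def phi_markers(text: str) -> List[str]:
    """Names of the PHI-like patterns present in a block of text (sorted; empty if none)."""
    return sorted(name for name, pattern in PHI_PATTERNS.items() if pattern.search(text))


if __name__ == "__main__":
    for user, host, reason in review_ai_access(SAMPLE_LOG):
        print(f"{reason:<20} {user:<8} {host}")
    print(phi_markers("Summarize the chart for MRN 00482211, DOB 03/14/1961"))
```

The point of the allowlist-plus-SSO check is that an approved tool used outside SSO is almost as invisible as an unapproved one: the proxy sees the traffic, but nothing ties it to a reviewed identity or a logged session. The byte threshold is a blunt instrument, but it separates “asked a question” from “uploaded a chart” well enough to route the event to a human.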

What “fortified” should mean in 2026: resilience you can prove

Hospitals don’t need another stack of disconnected point solutions. They need an operating model that reduces exposure continuously and performs under pressure.

At InfoSight, the strongest healthcare programs converge on five practical outcomes:

1) Shrink exposure windows (attack surface + vulnerabilities)

prioritize remediation by exploitability + asset criticality, not CVSS alone

drive measurable MTTR and SLA adherence

eliminate externally exposed management planes and stale remote access

continuously validate that fixes actually closed the window
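To make the four bullets concrete, here is an added example (written for this post, not InfoSight’s or Fortified’s own tooling) that scores findings by exploitability, exposure and asset criticality rather than CVSS alone, assigns a remediation SLA per tier, and computes MTTR and SLA adherence. The findings, scores, dates and SLA values are constructed; the weighting and tier thresholds are hypothetical policy choices, not a standard. The one design choice worth noticing is `verified`: a ticket marked closed but never re-validated is still counted as open exposure, which is what “continuously validate that fixes actually closed the window” means in practice.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Remediation deadline per priority tier (hypothetical policy values, in days).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    id: str
    asset: str
    cvss: float               # base score, 0-10
    epss: float               # estimated probability of exploitation, 0-1
    exploited_in_wild: bool   # present on a known-exploited list
    externally_exposed: bool  # reachable from the internet
    asset_criticality: int    # 1 (lab/test) .. 5 (clinical / patient-safety)
    opened: datetime
    closed: Optional[datetime] = None
    verified: bool = False    # a rescan confirmed the fix actually closed the window


def priority_score(f: Finding) -> float:
    """Exploitability x exposure x asset criticality, with CVSS as only one factor."""
    exploitability = 1.0 if f.exploited_in_wild else f.epss
    exposure = 1.5 if f.externally_exposed else 1.0
    return round((0.3 + 0.7 * exploitability) * exposure * f.asset_criticality * (f.cvss / 10), 3)


def tier(score: float) -> str:
    """Map a score onto the SLA tiers above (thresholds are illustrative)."""
    if score >= 4.0:
        return "critical"
    if score >= 2.0:
        return "high"
    if score >= 0.75:
        return "medium"
    return "low"


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Remediation queue, highest operational risk first."""
    return sorted(findings, key=priority_score, reverse=True)


def effectively_closed(f: Finding) -> bool:
    """A ticket marked closed but never re-validated still counts as open exposure."""
    return f.closed is not None and f.verified


def sla_report(findings: List[Finding], now: datetime) -> Dict[str, object]:
    """MTTR over verified closures, share of them inside SLA, and open items past SLA."""
    durations: List[int] = []
    met = 0
    overdue: List[str] = []
    for f in findings:
        limit = timedelta(days=SLA_DAYS[tier(priority_score(f))])
        if effectively_closed(f):
            age = f.closed - f.opened
            durations.append(age.days)
            if age <= limit:
                met += 1
        elif now - f.opened > limit:
            overdue.append(f.id)
    return {
        "mttr_days": sum(durations) / len(durations) if durations else None,
        "closed_within_sla": met / len(durations) if durations else None,
        "overdue_open": overdue,
    }


# Constructed sample findings (assets, scores and dates are invented).
NOW = datetime(2026, 4, 18)
SAMPLE: List[Finding] = [
    Finding("F1", "edge VPN appliance", 7.2, 0.90, True, True, 5,
            datetime(2026, 4, 1), closed=datetime(2026, 4, 5), verified=True),
    Finding("F2", "internal test server", 9.8, 0.02, False, False, 1,
            datetime(2025, 9, 1)),
    Finding("F3", "EHR application server", 8.1, 0.40, False, False, 5,
            datetime(2026, 3, 1), closed=datetime(2026, 4, 10), verified=False),
    Finding("F4", "imaging workstation", 5.5, 0.30, True, False, 4,
            datetime(2026, 4, 10)),
    Finding("F5", "pharmacy interface server", 6.5, 0.10, False, False, 4,
            datetime(2026, 3, 20), closed=datetime(2026, 4, 2), verified=True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        s = priority_score(f)
        print(f"{f.id} {tier(s):<8} score={s:<6} cvss={f.cvss} {f.asset}")
    print(sla_report(SAMPLE, NOW))
```

On the constructed data the CVSS 9.8 finding on a test box lands at the bottom of the queue, while the internet-facing VPN appliance with an actively exploited 7.2 lands at the top, and the EHR server whose ticket was closed without a rescan shows up as overdue rather than as a win. Those are the three outcomes a leadership metric should surface.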

2) Treat identity as the control plane

MFA everywhere it matters (admins, remote access, privileged actions)

remove shared accounts, fix privilege creep, enforce least privilege

harden AD/Entra ID paths because one identity compromise becomes enterprise compromise

3) Make third-party risk enforceable, not checkbox-based

maintain an integration inventory tied to data flows and access methods

require minimum controls for vendors (MFA, logging, breach notification SLAs, segmentation expectations)

monitor vendor access paths (especially remote support channels)

4) Operationalize detection and response

24x7 monitoring is only useful if response is real (containment, triage, escalation discipline)

runbooks must be built for hospital realities (clinical downtime procedures, comms, isolation sequencing, recovery priorities)

tabletop and recovery testing need to be recurring, not annual theater

5) Produce defensible evidence for auditors, regulators, and insurers

map controls to HIPAA Security Rule expectations and recognized frameworks

keep evidence in a repeatable format (policies, logs, remediation proof, test results)

report risk and improvement in metrics leadership can act on

Federal funding options hospitals can use to offset cybersecurity investment

Hospitals are being asked to modernize security while juggling thin margins and patient-care priorities. There is meaningful federal money in motion that can subsidize cybersecurity capability development—often through state-administered programs.

1) CMS Rural Health Transformation Program (RHT): $50B nationwide (FY 2026–2030)

CMS has launched the Rural Health Transformation Program, allocating $50 billion over five fiscal years (2026–2030) across all 50 states, with states receiving first-year awards in 2026 and plans explicitly including technology modernization that can strengthen cybersecurity.
RHT’s approved uses include technical assistance, software, and hardware to improve efficiency and enhance cybersecurity capability development—meaning cybersecurity can be a legitimate modernization workstream inside state RHT initiatives.

2) DHS State and Local Cybersecurity Grant Program (SLCGP): $1B over four years (state pass-through)

SLCGP provides $1 billion over four years to help state and local governments implement cybersecurity plans and resilience improvements; program design pushes funding downstream (local governments can receive a large share via pass-through or in-kind services), and a portion must benefit rural areas.
Public hospitals, county health systems, and state-run facilities often access this type of funding through state/local cybersecurity planning structures rather than applying directly.

3) USAC Rural Health Care Program (Healthcare Connect Fund): 65% discount on eligible connectivity + security components

The Healthcare Connect Fund provides a flat 65% discount on eligible broadband and network expenses for qualifying healthcare providers.
USAC guidance lists commonly eligible network/security items that can support modernization—examples include firewalls, VPN, and network security managed service provider offerings (in eligible contexts).

Use these funding streams to underwrite a defined cybersecurity uplift: baseline assessment, prioritized remediation plan, vendor-risk hardening, and an operational detection/response capability that reduces downtime risk and produces audit-ready evidence.
