Researchers have found that the average healthcare organization spends only about 5% of its IT budget on cybersecurity. By comparison, the financial sector dedicates at least twice as many resources to combatting cyberattacks—retail and corporate banking institutions spent 9.4% of their IT budgets on cybersecurity in 2020, while insurance companies dedicated 11.9%. Another report ranks healthcare 9th in security spending compared to other industries—and this reticence to prioritize security is one of the reasons why healthcare providers are being targeted with such ferocity.

Like any technology department in any other industry, neglect leads to stagnation. You can’t expect anyone to overcome new challenges and rapidly changing conditions using the same old tools, obsolete strategies, and outdated training. While I know many healthcare organizations that are starting to embrace a zero trust approach to security, there is a larger population within healthcare security teams that have become largely stagnant.


Without the necessary resources dedicated to their team year after year, it shouldn’t come as a surprise that healthcare security teams haven’t been able to keep up with the rest of the world in terms of modern cybersecurity strategies. And while the industry faces an acute cybersecurity crisis today, the conditions leading up to this stem from chronic neglect.

Surviving the storm means prioritizing security
Healthcare security leaders are facing a perfect storm of fewer budgetary resources and a “damned if I do, damned if I don’t” choice between ransomware and quality of care. Surviving these unprecedented conditions requires action and innovation—as opposed to a passive “ride it out” approach. But despite the exorbitant costs and high frequency of attacks, only 11% of healthcare IT executives said that cybersecurity is a high priority in a recent survey—and two out of three respondents said they didn’t even track return on investment (ROI) for cybersecurity spending.

Health IT Homepage