
1 in 5 health care leaders say cyberattacks have already impacted patient care
Key Takeaways
- Cyberattacks are a daily threat, with 19% of healthcare leaders reporting disruptions in patient care and 52% fearing inevitable fatal incidents within five years.
- Despite 80% confidence in defending against AI-powered attacks, many organizations lack regular training, effective incident response plans, and timely breach detection.
Most health care leaders now believe a deadly incident is inevitable within five years, raising alarms about outdated systems, staffing shortages and limited cybersecurity preparedness across the industry.
Cyberattacks are no longer a theoretical concern for health care leaders; they’re a daily threat with real-world consequences.
According to the
Disconnect between confidence and readiness
A full 80% of surveyed health care executives expressed confidence in their teams’ ability to defend against
Nearly one-third of organizations don’t conduct regular
What’s more alarming, almost 1 in 5 respondents said they lack an effective incident response plan, and nearly a quarter admitted it could take up to a month to detect and contain a data breach. That kind of delay could put patients and whole organizations at risk.
Outdated infrastructure, incomplete visibility
More than half of the respondents (56%) said outdated systems would delay breach recovery. Meanwhile, 36% acknowledged their current cybersecurity tools are insufficient to
Just 46% of health care leaders reported having adopted next-gen endpoint detection and response (EDR) tools with moving threat defense, and the same percentage have implemented data discovery technologies.
Perhaps most concerning: 34% of leaders don’t know what data is at risk across their network.
Thinly stretched staff
Although 65% of health care organizations maintain in-house cybersecurity staff, nearly a quarter (23%) say their teams are understaffed. One in five respondents believe a lack of experienced personnel or access to around-the-clock security options would delay recovery from a cyberattack.
“Health care teams are under immense pressure, and internal resources alone aren’t enough to stay ahead of today’s threats,” said Mike Fuhrman, CEO of Omega Systems. “Leading organizations are leveraging [Managed Security Service Providers (MSSPs)] to gain a competitive advantage through advanced tools, continuous monitoring and regulatory expertise for a new level of security.”
Even as health care organizations prepare for changes to HIPAA and other regulations, many are still falling short in execution. The report found that 54% of organizations still rely on manual, in-house processes to manage compliance, while 60% cited staying current with regulations as their biggest challenge.
Though 80% said they feel prepared for upcoming HIPAA changes, 57% acknowledged they lack the time and resources to keep up.
MSSPs show an edge
Despite mounting challenges, 55% of surveyed organizations are not working with an MSSP. Those that do, however, report stronger outcomes.
According to the report, organizations that co-manage IT with an MSSP perform better in threat detection speed, HIPAA control adoption and vulnerability assessments.
Looking ahead
As ransomware and social engineering attacks continue to target health care systems — 48% and 34% of respondents, respectively, reported being hit by those tactics in the past year — many leaders appear to recognize the need for urgent change.
“The data shows that although leaders don’t report cybersecurity as a top challenge, it’s directly impacting their highest priorities — from patient safety to regulatory compliance,” said Fuhrman. “This disconnect is a growing risk across the health care industry that needs to be addressed with better visibility, readiness and resources.”


















