Healthcare cybersecurity improves, but legacy risks persist – Fortified

TENNESSEE, UNITED STATES — A new report highlights cybersecurity improvements in risk management, governance, and response planning among healthcare organizations in 2025, while also warning of ongoing vulnerabilities.

According to the 2025 Mid-Year Horizon Report by Fortified Health Security, outdated systems and regulatory uncertainty continue to expose patient data and care to risks.

Progress in cybersecurity maturity, but critical gaps linger

Executive engagement is at an all-time high: dedicated committees are now common, and the report cites 26% improvements in maintenance, security controls, and recovery processes.

However, legacy systems and fragmented asset management persist as high-risk areas, leaving organizations vulnerable.

Despite these gains, problems persist, including outdated Internet of Medical Things (IoMT) devices and decentralized patching.

According to the report, 92% of healthcare organizations experienced cyberattacks in 2024, with 70% of these attacks impacting patient care. If these gaps are not addressed, other areas could be sabotaged.

AI augments but doesn’t replace human analysts

AI is transforming cybersecurity but falls short in the clinical context, where human judgment remains irreplaceable. 

The report highlights that AI helps eliminate false alarms and accelerates tasks. Still, it cautions against relying too heavily on it—automated actions could interfere with important care, such as stopping a radiation therapy machine during treatment.

The unique aspects of the medical field, like the focus on availability rather than confidentiality, require careful decision-making in certain situations. 

Vendor products, including those offered by CrowdStrike and SentinelOne, are important, but Security Operations Center (SOC) teams must review the results and retain ultimate control.

Although artificial intelligence can perform tasks at a rapid rate, human flexibility is what ensures patient safety, as Preston Duren observes.

Regulatory uncertainty demands proactive measures

With federal oversight weakening, healthcare leaders must self-govern amid regulatory fog. President Trump’s Executive Order 14306 reversed Biden-era mandates, shifting responsibility to organizations. The Healthcare Cybersecurity Act of 2025 proposes deeper collaboration between the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Department of Health and Human Services (HHS), but delays leave hospitals in limbo.

Proactive resilience—through partnerships and continuous improvement—is now a strategic necessity.

Joshua Dostie, a senior IT analyst at Maine General Health, notes, “Every alert, every threat, and every action we take has the potential to impact someone’s life,” explaining that every move they make has a wider effect.

“Yes, we need to protect the data and technology. But there are people connected to those computers. Before I take any action, we have to make sure it won’t impact a patient,” he added.

The report emphasizes that balancing innovation with fundamentals, collaboration with isolation, and action with hesitation is crucial for the future of healthcare cybersecurity.

Dan L. Dodson, Chief Executive Officer (CEO) of Fortified Health Security, asserts, “Thinking differently isn’t just a catchphrase for my mid-year message; it’s a genuine commitment to being bold and leading with agility, creativity, and a deep understanding of the mission that drives healthcare cybersecurity forward.”
