Healthcare is one of the largest industries in the world. In the US, healthcare spending accounts for about 17% of the country’s gross domestic product (GDP) and is expected to increase to over 20% by the early 2030s. Recent data (2025 projections) also indicates that health and medical insurance accounts for $1.54 trillion in revenue while hospitals bring in $1.52 trillion, the top two industries by revenue.

With all this money, you’d think hospitals would be swimming in cash, but that’s not the case. Median hospital operating margins — revenue from patient care and related services, minus all operating expenses — were just under 5% in 2024, and early indications point to a downward trend this year. Not surprisingly, for-profit hospitals do much better than nonprofits, and urban hospitals are far more financially successful than rural ones. Recent cuts to federal programs such as Medicare and Medicaid will aggravate financial woes.

An industry transforms

Margin pressure aside, the healthcare industry is experiencing a series of profound, technology-driven changes as providers evolve from a fee-for-service to a value-based business model. These technology changes include:

  • Digital transformation of business processes. Examples include telehealth, remote patient monitoring, e-prescribing, and ambient listening/note taking. These systems depend on new infrastructure: internet of medical things (IoMT) devices, high-speed networks, cloud services, APIs, and tightly integrated applications.
  • Aggressive adoption of AI. AI diagnostics are gaining popularity in areas such as cardiology, oncology, and radiology — especially at large teaching hospitals. On the administrative front, healthcare organizations are using AI for medical coding, claims processing, optimizing appointment scheduling, and patient communications.
  • Massive data generation. Data from systems such as electronic health records (EHR), medical images, lab tests, genomics, and administrative systems generate about 50 petabytes of data annually for an average hospital. In total, healthcare organizations produce exabytes of data each year with a compound annual growth rate of over 20%. Of that data, around 90% is regulated or considered sensitive — a far higher percentage than most industries.

Driven by such technology investments, the healthcare industry will look vastly different by the end of the decade. Care will become more personalized and proactive, driven by genomics, AI, and 24/7 patient monitoring. Drug discovery will accelerate on the back of AI and (possibly) quantum computing. Robots will perform routine surgeries while smart hospitals will be highly automated with streamlined processes for admittance, patient monitoring, records management, and billing.

Innovation in an industry rife with cybersecurity issues

Before I get too carried away with visions of healthcare Xanadu, I’m quite worried that these initiatives will make the healthcare industry an even bigger poster child for cyberattacks. Things are already bad. In 2024, the healthcare industry saw a record-breaking 276.7 million patient records compromised, representing over 80% of the US population. This was a 64% increase from the previous year. Among these breaches was a doozy: the Change Healthcare ransomware attack in February 2024, which impacted an estimated 190 million individuals while disrupting a good portion of the healthcare supply chain.

The tsunami of new technologies headed for the healthcare industry will only make the situation worse. Increasing reliance on IoMT devices, which have a track record of critical flaws, backdoors, and poor firmware development practices, brings greater risk, not to mention the perpetually growing troves of data that CISOs will need to protect, all while navigating the risks inherent in diving headlong into AI for innovation’s sake.

What healthcare CISOs can do to prepare

To mitigate cyber risks while protecting the digital goodies of their organizations, CISOs must:

Take a leadership role in AI governance. Before going gaga on AI in clinical and administrative areas, healthcare organizations need to establish a governance framework across the lifecycle from business use case identification to development, deployment, risk management, and continuous security.

To do so, AI governance should be led by a cross-functional executive team and cover a risk framework, strict data oversight, ethical and legal considerations, software development practices, employee training, and continuous monitoring. Look for guidance from organizations such as the American Medical Association (AMA), the World Health Organization (WHO), government agencies (HHS, NIST, etc.), and leading healthcare organizations (Cleveland Clinic, Kaiser Permanente, Mass General Brigham, Mayo Clinic, among others).

Accurately gauge staffing and budget needs. CISOs must make executives and boards aware that digital transformation, remote patient care, and AI deployment demand additional cybersecurity budget and staffing.

It’s important to get the security team involved early in new technology-driven initiatives to create risk models and ensure that the security team has the right training and skills. To supplement limited staff, CISOs should look to service providers such as Fortified Health Services, Clearwater Compliance, Censinet, and others that focus specifically on healthcare.

Bone up on attack surface management. The healthcare IT infrastructure of the (near) future will include IoMT systems, remote consumer devices, AI applications, highly decentralized health networks, and lots of third-party connections. Networks will be busy with API calls, AI agent communications, and data transfer. This has all the properties of a vulnerability and exposure management nightmare.

To get ahead of this, CISOs need continuous and pervasive visibility, accurate and timely risk scoring and prioritization, and automated remediation. Tools from Axonius, Nucleus Security, and ServiceNow can help here.
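What "accurate and timely risk scoring" looks like in practice, as an added example that is not part of the original article and not any vendor's product logic: a short risk-prioritization pass over an exposure inventory. It takes a CVSS score as the starting point and adds context that matters more in a hospital than the CVSS number itself: whether the flaw is being exploited in the wild, whether the asset is internet-facing, whether it touches PHI, and whether the vendor still ships firmware fixes at all (often not, for older IoMT). The weights, the tier thresholds, and the inventory are illustrative assumptions, constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    kind: str                          # "iomt", "server", "api", "workstation"
    cvss: float                        # highest CVSS base score among open findings
    internet_facing: bool = False
    exploited_in_wild: bool = False    # e.g. the vulnerability appears in a KEV-style feed
    touches_phi: bool = False
    unsupported_firmware: bool = False # vendor ships no fix (common for older IoMT)
    third_party_managed: bool = False  # patching is in a vendor's hands, not yours


# Weights and thresholds are illustrative assumptions, not a published standard.
WEIGHT_EXPLOITED = 20
WEIGHT_INTERNET = 15
WEIGHT_PHI = 10
WEIGHT_UNSUPPORTED = 5


def risk_score(a: Asset) -> float:
    """0-100 score: CVSS supplies up to 50 points, exposure context supplies the rest."""
    score = a.cvss * 5
    score += WEIGHT_EXPLOITED if a.exploited_in_wild else 0
    score += WEIGHT_INTERNET if a.internet_facing else 0
    score += WEIGHT_PHI if a.touches_phi else 0
    score += WEIGHT_UNSUPPORTED if a.unsupported_firmware else 0
    return round(min(score, 100.0), 1)


def tier(score: float) -> str:
    if score >= 80:
        return "critical"
    if score >= 50:
        return "high"
    return "routine"


def recommended_action(a: Asset) -> str:
    """Remediation path; an unpatchable device gets a compensating control, not a patch ticket."""
    if a.unsupported_firmware:
        return "no vendor fix: isolate on clinical segment, allow-list required flows"
    if a.third_party_managed:
        return "open ticket with vendor; verify fix against contractual SLA"
    return "patch within tier SLA; verify by rescan"


def prioritize(assets):
    """Return (name, score, tier, action) tuples, highest risk first."""
    rows = []
    for a in assets:
        s = risk_score(a)
        rows.append((a.name, s, tier(s), recommended_action(a)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed inventory for the example; names and findings are invented.
INVENTORY = [
    Asset("infusion-pump-07", "iomt", 9.8, exploited_in_wild=True,
          touches_phi=True, unsupported_firmware=True),
    Asset("patient-portal-api", "api", 7.5, internet_facing=True, touches_phi=True),
    Asset("billing-sftp", "server", 9.1, internet_facing=True,
          exploited_in_wild=True, touches_phi=True),
    Asset("nurse-ws-12", "workstation", 5.3),
    Asset("vendor-vpn-concentrator", "server", 8.8, internet_facing=True,
          third_party_managed=True),
]

if __name__ == "__main__":
    for name, score, t, action in prioritize(INVENTORY):
        print(f"{score:5.1f}  {t:8}  {name:24}  {action}")
```

The point of the action column is the part vendors' dashboards often leave to you: a 9.8 on an infusion pump with no firmware update available cannot be "patched within SLA", so the remediation workflow has to branch into segmentation and allow-listing rather than silently aging in a patch queue.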

Get your arms around the data. Healthcare organizations already create, process, and store a lot of data today, but this will increase significantly as new technologies mushroom. This means data security should be a top priority.

Along with governance, CISOs must focus on data discovery, classification, encryption, access controls, continuous monitoring and logging, and regulatory compliance. Immutable backups with regular testing are an absolute requirement. CISOs should also expand their definition of data integrity to include AI model integrity, not just unauthorized data alteration.
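Data discovery and classification, as an added example that is not from the original article: a small scanner that finds PHI-style identifiers in arbitrary text, assigns a handling level, and produces a redacted copy. SSN, US date and phone formats are standard patterns; the MRN format (assumed here to be "MRN" followed by seven digits) is a stand-in for whatever identifier scheme the local EHR actually uses, and the sample records are constructed. Running the same scanner over application logs is a cheap way to catch PHI leaking into places it should never be, which the second sample record illustrates.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str
    value: str


# SSN, date and phone patterns are conventional US formats; the MRN pattern is an
# assumption for this example and must be replaced with the organization's real format.
DETECTORS = {
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn":   re.compile(r"\bMRN[-: ]?\d{7}\b"),
    "dob":   re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

# Handling ladder: a single SSN is enough to push a record to the top level,
# a medical record number or date of birth marks it as PHI.
LEVELS = {"ssn": 3, "mrn": 2, "dob": 2, "phone": 1, "email": 1}
LEVEL_NAMES = {0: "public", 1: "internal", 2: "confidential-phi", 3: "restricted"}


def scan(text: str) -> list:
    """Return every identifier match in the text, tagged with its detector name."""
    return [Finding(kind, m.group(0))
            for kind, rx in DETECTORS.items()
            for m in rx.finditer(text)]


def classify(findings) -> str:
    """Highest level triggered by any finding; no findings means public."""
    return LEVEL_NAMES[max((LEVELS[f.kind] for f in findings), default=0)]


def redact(text: str) -> str:
    """Replace each identifier with a bracketed token so the text can be logged or shared."""
    for kind, rx in DETECTORS.items():
        text = rx.sub(f"[{kind.upper()}]", text)
    return text


def classify_corpus(records: dict) -> dict:
    return {name: classify(scan(text)) for name, text in records.items()}


# Constructed sample records; names, numbers and contacts are invented.
SAMPLES = {
    "discharge_note": "Patient Jane Doe, MRN 4481927, DOB 03/14/1962, discharged 2024-11-02. "
                      "Contact 617-555-0142.",
    "app_log": "2024-11-02T10:14:33Z INFO scheduler: booked slot for MRN-4481927 via api-gw",
    "newsletter": "Flu clinic hours extended this week; walk-ins welcome at the Main St. entrance.",
    "hr_export": "emp_id=1042, ssn=219-09-9999, email=jdoe@example.org",
}

if __name__ == "__main__":
    for name, level in classify_corpus(SAMPLES).items():
        print(f"{level:16} {name}")
    print(redact(SAMPLES["discharge_note"]))
```

Regex detectors produce false positives on real data (any nine-digit dashed number looks like an SSN), so in production the scanner's output feeds a classification label and a review queue rather than an automatic block; the redaction path, by contrast, is safe to apply aggressively to logs and support tickets.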

Think ‘threat-informed defense.’ To quote Sun Tzu, “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

CISOs should follow this sage advice by understanding cyber adversaries targeting healthcare along with their campaigns, and the tactics, techniques, and procedures (TTPs) they use. Understanding this threat intelligence will help them build, test, and tune their defenses. Cyberthreat intelligence (CTI) specialists such as Google/Mandiant, Ticura, and ZeroFox may be helpful. Threat intelligence platforms can also be explored.
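Turning TTP intelligence into something you can build, test and tune, as an added example that is not part of the original article: a minimal detection set keyed by ATT&CK technique ID, run over constructed process-creation events, followed by a coverage report against an adversary profile. The profile below is an illustrative set of techniques (not a description of any named group), and the detections, events and hosts are constructed for the example; the technique IDs and names are real ATT&CK entries.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    technique: str        # ATT&CK technique ID
    title: str
    image: re.Pattern     # matched against the process image path
    cmdline: re.Pattern   # matched against the command line


# Two detections for the example; both patterns are illustrative, not a tuned ruleset.
DETECTIONS = [
    Detection("T1490", "Shadow copy or backup catalog deletion",
              re.compile(r"\\(vssadmin|wbadmin|bcdedit)\.exe$", re.I),
              re.compile(r"delete\s+shadows|delete\s+catalog|recoveryenabled\s+no", re.I)),
    Detection("T1059.001", "Hidden, encoded or policy-bypassing PowerShell",
              re.compile(r"\\(powershell|pwsh)\.exe$", re.I),
              re.compile(r"-(enc|encodedcommand|ep\s+bypass)\b|executionpolicy\s+bypass|-w(indowstyle)?\s+hidden", re.I)),
]

# Constructed adversary profile: techniques the threat intel says to expect.
ADVERSARY_TTPS = {
    "T1490": "Inhibit System Recovery",
    "T1059.001": "PowerShell",
    "T1021.001": "Remote Desktop Protocol",
    "T1486": "Data Encrypted for Impact",
}

# Constructed process-creation events (Sysmon EID 1 / Security 4688 style); hosts and users are invented.
EVENTS = [
    {"host": "rad-ws-03", "user": "CORP\\svc_pacs",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "rad-ws-03", "user": "CORP\\svc_pacs",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QUFBQUFBQUE="},
    {"host": "ehr-app-01", "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "nurse-ws-12", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Service"},
    {"host": "backup-01", "user": "CORP\\backupadmin",
     "image": "C:\\Windows\\System32\\wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
]


def run_detections(events):
    """One hit per (detection, event) where both the image and the command line match."""
    hits = []
    for e in events:
        for d in DETECTIONS:
            if d.image.search(e["image"]) and d.cmdline.search(e["cmdline"]):
                hits.append({"technique": d.technique, "title": d.title,
                             "host": e["host"], "user": e["user"], "cmdline": e["cmdline"]})
    return hits


def coverage_report(ttps, detections, hits):
    """For each expected technique: is there a detection at all, and did it fire on the sample?"""
    covered = {d.technique for d in detections}
    fired = {}
    for h in hits:
        fired[h["technique"]] = fired.get(h["technique"], 0) + 1
    return {tid: {"name": name, "detection": tid in covered, "hits": fired.get(tid, 0)}
            for tid, name in ttps.items()}


def gaps(report):
    """Techniques in the adversary profile with no detection behind them."""
    return sorted(t for t, r in report.items() if not r["detection"])


if __name__ == "__main__":
    hits = run_detections(EVENTS)
    for h in hits:
        print(f"{h['technique']:10} {h['host']:12} {h['cmdline']}")
    report = coverage_report(ADVERSARY_TTPS, DETECTIONS, hits)
    print("gaps:", gaps(report))
```

The report is the tuning loop in miniature: techniques with a detection that never fires on replayed or emulated activity need work, and techniques with no detection at all (here, RDP lateral movement and the encryption itself) are the gaps to close before the next purple-team exercise, in priority order set by the intelligence rather than by whichever alert is loudest.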

Finally, a note to government agencies and regulators: Digital transformation and a technology explosion will exacerbate the digital health equity gap between well-resourced urban and smaller or rural healthcare organizations across all areas, including cybersecurity. Without government assistance, they will become easy marks for cybercriminals.
