Healthcare Organizations Prioritize Cost Savings Over Cybersecurity Measures

Healthcare Organizations Prioritize Cost Savings Over Cybersecurity, Exposing Sensitive Data to Risk

A recent survey of 381 global healthcare executives reveals a concerning trend: despite intensifying cyber threats, healthcare organizations are cutting cybersecurity budgets to reduce costs. The survey, conducted by PwC between May and July 2025, highlights the gap between the sector’s cybersecurity risks and its preparedness.

Data Protection and Cybersecurity Spending

Data protection is the primary driver of cybersecurity spending in the healthcare sector, yet only 35% of organizations have implemented data risk controls across the entire data life cycle. This falls short of the global average of 44% across all sectors.

Top Threats and Vulnerabilities

Healthcare leaders identified cloud-related threats, quantum computing risks, and attacks on connected products as the threats they feel least prepared to address.

Pharmaceutical and life sciences companies are particularly vulnerable to quantum computing risks: over half of respondents have not started implementing any quantum-resistant security measures. Only 7% of these companies are allocating budget toward quantum readiness in 2026.

Data Governance and Security Gaps

Healthcare payers and providers operate in fragmented systems, with data spread across multiple vendors, platforms, and repositories. This creates gaps in security coverage and complicates governance.

Data governance gaps are widespread, with only 39% of payers and providers implementing data minimization approaches across their organizations. Sensitive data, including extracts, spreadsheets, and historical records, often resides in uncontrolled environments outside primary systems, making it harder to protect and audit.

Operational Technology Challenges

The top challenge for providers is the lack of network segmentation, cited by 50% of respondents. Gaps in OT-specific skills and resources, as well as unclear governance and responsibility for OT cybersecurity, are also significant concerns.

Regulatory Requirements and Financial Context

Regulatory requirements are tightening, with proposed revisions to the HIPAA security rule mandating annual security risk assessments, encryption, and multi-factor authentication. India’s Digital Personal Data Protection Act imposes strict compliance requirements for processing health data and obtaining consent.

The financial context is significant, with healthcare costs estimated at $5 trillion annually and growing at nearly 8% per year. Some organizations are deliberately accepting greater cybersecurity exposure to avoid upfront spending.

Pharmaceutical and Life Sciences Companies’ Concerns

Pharmaceutical and life sciences companies are focused on protecting intellectual property, including proprietary formulas, research data, and clinical trial information. Third-party risk is a recurring concern, with a quarter of pharma leaders ranking third-party breaches among the top three threats their organization is least prepared to address.

Data controls in pharma are incomplete, with about half of companies surveyed implementing data classification policies and data loss prevention measures. Cloud and connected device vulnerabilities are also high on the list of concerns, with many pharma operations relying on cloud infrastructure to store clinical trial data and automate production lines.

Future Investment Plans

In 2026, payers and providers plan to increase cyber budgets, with AI named as the top investment category. Cloud security and threat management follow closely. However, only 24% of pharma and life sciences firms are allocating significantly more budget toward proactive measures such as monitoring, testing, training, and governance.


