Many health systems are boosting investments, but some are putting resources in tools and tech. A number of hospitals aren’t sure how much they’re spending on cybersecurity.
Las Vegas – With more hospitals being disrupted by cyberattacks, it’s not surprising that more health systems are investing in cybersecurity.
Hospitals are spending more on cybersecurity, but it's not always on staff. Lee Kim, senior principal of cybersecurity and privacy of HIMSS, talks about attacks on healthcare organizations at the HIMSS Conference.
The new HIMSS cybersecurity survey, which was released last week, shows that more hospitals are spending more to defend against cyberattacks. But it’s not an overwhelming majority.
Slightly more than half (52%) of the respondents to the HIMSS survey said their organizations were increasing spending on cybersecurity. An additional 28% said that their cybersecurity budgets are holding steady. One in 10 (10%) said they were spending less.
Surprisingly, some cybersecurity professionals don’t have a good handle on how much they are spending in that area. The survey found 23% of respondents said they didn’t have good information on their cybersecurity budget allocations, up from 19% in 2023.
In a briefing at the HIMSS conference Tuesday, Lee Kim, senior principal of cybersecurity and privacy of HIMSS, said it’s concerning that such a substantial portion of cybersecurity leaders don’t have a good handle on their spending allocation. “If that were much lower, that would be better,” Kim said.
She said the lack of awareness of cybersecurity spending indicates “so many challenges in terms of communication, both within teams and also with the hospital.”
Some hospitals are taking a flexible approach to investing in cybersecurity, with 20% saying they don’t have a set amount but the ability to allocate more as needed.
The report found about 1 in 5 (19%) respondents said their organizations spent 3-6% of their IT budget on cybersecurity, and 14% allocated 7-10%, with 16% devoting 11% or more of their IT budgets to cybersecurity.
Kim also said it’s interesting to see where healthcare organizations that are spending more on cybersecurity are directing those additional funds. More than half (57%) report a significant increase in tools, such as AI technologies, to improve defenses. And nearly half (47%) reported substantial improvement to organizational security policies.
But only about one in three cybersecurity leaders (34%) reported significant increases to staff, the survey found. Kim said she was surprised by that number.
Hospitals and health systems have said they have struggled to recruit and retain talented cybersecurity pros, who can command more impressive salaries in other sectors. But Kim suggested that some hospital systems could be doing a better job reaching out to experienced cybersecurity professionals who want to work in health care.
“I have personal knowledge of many colleagues that are looking for work that are very experienced in healthcare,” Kim said, adding, “Why are they not necessarily connecting with the jobs where they would be easily qualified with … that's kind of puzzling to me.”
Kim said she sees healthcare organizations taking the threat of privacy more seriously. She said she’s seeing more investment from the top leaders in the organization.
“Boards of directors are getting more informed in terms of overseeing cybersecurity risk,” Kim said.
The HIMSS conference comes one year after the Change Healthcare cyberattack, which impacted 190 million Americans and became the most disruptive breach ever in the U.S. healthcare industry.
In the wake of the attack, hospitals and health systems have taken a closer look at their vulnerabilities related to their business partners. Most hospitals and medical groups were affected by the Change Healthcare attack, because the company provides so many services to providers.
Kim also said more health systems are taking a closer look at their plans to respond to cyberattacks and their ability to provide services in the event of a breach.
“If there's one thing that was really badly needed in health care, it was looking at business continuity programs,” Kim said.