IO’s latest State of Information Security Report paints a picture of a healthcare sector under sustained pressure. Organisations are responsible for protecting highly sensitive data, maintaining always-on services, and coordinating across complex clinical, operational and supplier ecosystems. When security controls fail, the consequences extend beyond financial loss to patient safety, service continuity and public trust.

The findings from this year’s report show healthcare security leaders balancing rising regulatory demands, persistent staffing and budget constraints, and growing third-party dependency. While AI-enabled threats are clearly emerging, the data suggests the sector’s defining challenges are more structural: resilience, governance, workforce capacity and the difficulty of scaling security and compliance in complex environments.

Our respondents included senior cyber and information security leaders across the UK and US healthcare ecosystem. Their responses reveal where risk is concentrating, how incidents are materialising, and what’s shaping priorities for the year ahead.

Below, we unpack 11 key statistics every healthcare leader should understand from this year’s Report.


Key Information Security Statistics for the Healthcare Sector

  1. 67% say the nature of the healthcare industry makes it particularly challenging to implement effective information security measures.
  2. 77% say the speed and volume of regulatory change makes it increasingly difficult to stay compliant with information security standards.
  3. Budget constraints are the most cited challenge, affecting 51% of organisations, followed closely by an information security skills gap (47%).
  4. 32% report burnout within infosec and compliance teams, while 32% also struggle with staff turnover and retention.
  5. Only 8% say they experienced no cybersecurity incidents in the last 12 months.
  6. 55% have been impacted by a third-party or supply chain security incident in the past year, with 20% affected multiple times.
  7. Data breaches remain widespread: 37% report breaches overall, with employee data (30%), partner data (28%) and financial data (27%) most frequently compromised.
  8. 45% say senior leadership still treats information security compliance as an afterthought, despite 83% reporting a clear security strategy and 85% supporting board-level accountability.
  9. 40% cite lack of employee awareness as a key security challenge, with common mistakes including public Wi-Fi use (40%) and clicking suspicious links (35%).
  10. Time savings from more efficient security processes are the strongest reported ROI from compliance, cited by 47% of organisations.
  11. 95% are confident in their ability to respond to a major cybersecurity incident, and 68% say that confidence has increased over the last year.

Third-Party Dependency and Supply Chain Risk

Healthcare’s dependency on third parties is structural. Clinical systems, managed IT, cloud services, specialist software, medical devices and outsourced operations all expand the attack surface. It’s therefore unsurprising that half of respondents (50%) agree supply chain risks are now “innumerable and unmanageable”, and the incident data supports that concern.

55% of healthcare organisations were impacted by a third-party incident in the last 12 months, with one in five (20%) affected multiple times. What stands out is the nature of the fallout. Supplier incidents do not simply create compliance work; they disrupt delivery. Respondents most commonly reported delays or disruption across service delivery (36%), loss of key partnerships or contracts (36%), and temporary operational disruption (33%). In nearly a third of cases, organisations terminated the vendor entirely (30%), signalling that supplier trust is increasingly conditional.

Supplier expectations are hardening accordingly. Healthcare organisations now require a blend of general and sector-specific frameworks from partners: Cyber Essentials (37%), HIPAA (35%) and NIST (29%) are the most common, alongside ISO standards such as 27001, 27701 and 42001 (20% each). Specialist regimes like HITRUST (23%) and ISO 13485 (20%) are also increasingly common. Only 3% report requiring no standards at all.

The direction of travel is clear: third-party assurance is moving from due diligence to operational resilience control, with stricter requirements, more frequent validation and a tighter link between supplier posture and continuity planning.

A Persistent Incident Environment

Another clear insight from the report is that healthcare organisations are operating in a high-incident baseline environment rather than facing isolated events. Only 8% report avoiding cybersecurity incidents altogether in the last 12 months. Data breaches affected 37% of organisations, while phishing or vishing (32%), malware infections (27%), cloud breaches (25%) and network intrusions (22%) remain common.

The breadth of compromised data reflects healthcare’s complex information flows. Employee data was compromised in 30% of organisations, followed by partner data (28%), financial data (27%), research data (27%) and product data (23%). Personally identifiable information (PII) was compromised less frequently (20%), but its impact is disproportionate.

Where PII breaches occurred, 75% resulted in legal or regulatory fines or costs, and half (50%) contributed to business closure or a strategic pivot. This highlights the uniquely high stakes of data compromise in healthcare, where regulatory, reputational and operational consequences converge.

Incidents, in other words, are no longer exceptional failures. They are a recurring operational risk that must be anticipated, absorbed and recovered from as part of normal service delivery.

Workforce Capacity and Operational Strain

Behind the incident data sits a picture of a sector under sustained operational pressure. Budget constraints affect 51% of healthcare organisations, making it the most commonly cited challenge. At the same time, 47% report an information security skills gap, while 32% cite burnout within infosec and compliance teams and 32% struggle with staff turnover and retention.

These pressures are compounded by structural complexity. 37% cite IT and technology sprawl as a challenge, and 33% struggle to determine which security processes can be safely automated. As tooling proliferates and responsibilities expand, teams are increasingly forced to manage fragmented workflows, overlapping dashboards and inconsistent evidence.

For healthcare organisations operating under constant service pressure, this lack of coherence translates directly into risk: gaps in visibility, delayed response and heavier reliance on individual expertise. Over time, this is not a sustainable operating model.

Regulatory Pressure and Compliance Execution

Regulatory complexity was also one of the defining features of the healthcare security landscape from our report. 77% say the speed and volume of regulatory change makes it increasingly difficult to stay compliant, while 39% cite compliance with regulations and standards as a direct operational challenge.

Capability is uneven. Only 27% feel fully equipped to manage overlapping regulations and frameworks such as GDPR, NIS 2 and HIPAA, while 33% require external help occasionally. The remainder report gaps in time, specialist skill sets or board-level support.

This gap between obligation and execution is reflected in outcomes. 70% of organisations have received at least one data protection fine in the past year, with a significant proportion facing six-figure penalties. Yet the data also shows that structure matters. One in five report no major challenges complying with ISO 27001, suggesting that where controls, evidence and review processes are systematised, compliance becomes more predictable and less burdensome.

Where compliance is executed well, it delivers tangible benefits. 47% cite time savings from more efficient security processes, 38% improved decision-making, and 37% reduced incident-related costs, reinforcing the argument that when organisations shift from compliance as obligation to compliance as operational discipline, the payoff is significant.

Human Behaviour and Embedded Risk

Employee behaviour continues to expose healthcare organisations to avoidable risk. 40% cite lack of employee awareness as a current challenge, and reported behaviours reflect this gap. 40% report staff using public Wi-Fi for work, 35% report clicking suspicious links, and 32% report unsanctioned use of generative AI tools. Weak password practices and unsecured personal devices each affect 28% of organisations.

These behaviours are rarely the result of indifference. They reflect environments where secure processes are fragmented, inconsistent or difficult to follow. When security controls add friction or slow delivery, staff default to convenience.

In healthcare settings, where employees often have access to clinical systems and sensitive data, embedding secure behaviour into everyday workflows is becoming as important as formal awareness training.

AI as an Amplifier, Not the Core Constraint

AI does feature prominently in healthcare’s emerging threat landscape. 51% cite AI-generated misinformation and disinformation as a top concern, while 47% point to AI-driven phishing. Internally, 33% are concerned about misuse of generative AI tools, and 52% agree they adopted AI too quickly and are now struggling to govern it responsibly.

At the same time, 45% say AI and machine learning technologies are currently hindering their information security capabilities, and 63% believe advances in AI are blurring traditional security roles.

However, the data suggests AI is amplifying existing weaknesses rather than creating entirely new ones. Governance gaps, workforce constraints, third-party dependency and regulatory complexity remain the dominant pressures. AI increases the speed and scale of risk, but it does not replace the need for structured controls, clear accountability and integrated oversight.

Confidence, Preparedness and the Path Ahead

Despite high incident volumes and mounting pressure, confidence levels in healthcare remain strikingly high. 95% say they are confident in their ability to respond to a major cybersecurity incident, and 68% report that their confidence has increased over the last year.

That confidence is grounded in concrete capability, though the underlying practices are present in fewer than half of organisations. 47% conduct regular incident response testing, 49% have clearly defined roles during incidents, and 42% maintain documented response plans. A third integrate response with business continuity and disaster recovery (33%), and 30% rely on external support such as MSSPs or legal counsel.

The remaining challenge is consistency. Confidence is strongest where incident response is rehearsed, supplier scenarios are included and leadership is actively engaged before, during and after incidents.

Across this year’s findings, one theme is consistent: manual, fragmented and person-dependent approaches are reaching their limits. Healthcare organisations that adopt integrated, repeatable systems for managing security, risk and compliance, across internal teams and third-party ecosystems, will be best placed to sustain resilience without overwhelming already stretched resources.

Read the full State of Information Security Report.