State of Health Security 2025
This document provides insights and analysis on research and trends in health security for the year 2025.
State of Health Security 2025: Research and Trends

Contents
Introduction 3
Key Findings 4
Rise of AI as a Solution 7
"Working Alongside AI" by Bunny Ellerin 8
More Data/Less Structure 9
Issues of Access 10
"Keeping Your Data Clean and Close" by Katherine Kelton 11
Responses to Regulation 13
Looking Ahead 14
Endnotes 15

State of Health Security 2025 | 2

Introduction

The purpose of this report is to look back at research and news from the past year in order to identify key data points and trends that will be useful in driving healthcare security in the coming year. Healthcare leaders can use the data here to start conversations, build arguments, and develop strategy.

Compiled by Thoropass, this report is meta-research that looks across multiple studies about a particular theme (in this case cybersecurity in healthcare) and pulls threads in order to point toward what will be most salient to healthcare organizations in the coming year. The research comes from a variety of government entities, journalists, and industry leaders, some reporting directly on security in healthcare and some on related topics over the last two years.

Thoropass is a compliance and audit solution that eliminates the friction of infosec security so that organizations of every size and industry can attain scalable security across their systems. Thoropass Health—with the help of our Health Advisory Board—is a practice within Thoropass that works with healthcare-related organizations on compliance frameworks (such as HIPAA, HITRUST, and SOC 2), penetration testing, and the ethical use of AI (through ISO 42001, DDQs, etc.).
Key Findings

The amount and cost of cybersecurity events in healthcare-related organizations makes healthcare a unique industry. Only the financial (including FinTech) industry comes close to the breadth and depth of attacks faced. Despite (over)confidence of security leaders in healthcare, the data shows an increasing need for vigilance.

10 years: YoY increases in healthcare security breaches [3]
$1.47 million: average cost of a cyberattack [4]
97%: of healthcare workers believe in their org's ability to defend against cyber attacks [1]
10x: stolen healthcare data is 10x more valuable than credit card data [5]
37%: of cyber events are email compromises, the most of any source [1]
24%: of all cyber events in the first half of 2024 were healthcare related [2]
100,000,000: people affected by a single breach at Change Healthcare [6]
36%: of the world's data will be healthcare-related by end of 2025 [7]

AI Use Is Growing

#1: AI seen as the most popular tech for managing increased risk [8]

Artificial intelligence (AI) and machine learning (ML) have seen explosive growth since 2023. This will only continue into 2025 as healthcare orgs balance the data threats that come with it against the automation efficiencies it can provide to overtaxed workforces and budgets.

63%: say keeping their org's data safe on AI is difficult [4]
59%: see a reduction in their risk workforce due to AI automation [8]

Data Needs Structure

90%: of healthcare data is unstructured [9]

Data creation and usage continues its exponential climb, yet most of it is unstructured (e.g. handwritten, siloed, not tagged, etc.). Many healthcare orgs are trying to catch up by addressing this trend internally, while many others see AI as a solution.

1281%: jump in direct tagging of healthcare data over the last year in a sample cohort [10]
78%: use AI and ML to automate data analysis [8]

Controlling Access Is Key

71%: of CROs believe integrated systems make for safer orgs [8]

Access control is the biggest threat to a healthcare organization's security. In addition to threats from third parties and supply chain issues, organizations are beginning to see legacy systems and siloed teams as a threat that needs to be consolidated.

68%: reported 4 or more attacks on their supply chain in the last 2 years [4]
#1: credential access is the biggest fear for healthcare orgs [1]
45+: average number of security tools used in enterprises [11]

Need to React Quickly

53%: of healthcare orgs have documented plans to address vulnerabilities [13]

Urgency is the number one issue facing healthcare organizations' responses to cyber threats. Bad actors are moving faster, and regulatory acts are asking for near real-time response and notification.

28%: of orgs are only set up to monitor (not react) to cyber vulnerabilities [1]
62 minutes: average time it takes an adversary to move from the initial host to another once in a system [11]
72 hours: amount of time within which the US government wants health orgs to report cyber events [12]
Rise of AI as a Solution

#1: AI seen as the most popular tech for managing increased risk [8]

Every new phone, computer, and medical device is likely to be embedded with AI or machine learning capabilities in 2025. While the gains in automation are promising, the threats to data privacy and friction between new and legacy systems can't be overlooked. For now, healthcare orgs seem more excited than nervous about new AI technology.

$156 billion: to be saved in healthcare automation through 2026 [10]
63%: think keeping their org's data safe on AI is difficult [4]
59%: see a reduction in their risk workforce due to AI automation [8]

Further survey figures (percentages shown only as graphics in the original):
have embedded AI in cybersecurity and patient care [4]
planning to spend more than half of their risk management budget on technology in the next 12 months [8]
think AI is very effective in improving organizations' cybersecurity posture [4]
think AI-based security tools will increase productivity for IT security personnel [8]

Working Alongside AI
Bunny Ellerin

Bunny Ellerin is the co-founder and CEO of Digital Health New York (DHNY). She also serves on Thoropass' Health Advisory Board.

New can be scary. And in any industry other than technology, AI–its use and regulation–is still very much new. Health industry observers would be right to be careful (if not skeptical) of AI's use in our highly regulated industry. But as the data in this report shows, instead of running away from AI, many insiders are running toward it for one really good reason: its ability to help the health industry take control of its data.

According to RBC Capital Markets, an estimated 36% of the world's data will be health-related by the end of 2025 [7]. But lots of that data–up to 90%–is unstructured. All of the handwritten reports, untagged fields, and information shared between new and legacy systems could be left behind, as good as useless.

This is why so many executives are seeing AI (and closely related machine learning) as a solution to help them keep up. At a time where health data is rising (and attackers are seeing it as 10x as valuable as credit card data), the industry is also seeing more mergers and acquisitions, more third parties entering the supply chain, and more legacy systems working alongside the most cutting edge Internet of Things medical devices.

Yes, health leaders should be careful in protecting proprietary and patient data that is entered into LLMs. Frameworks like HIPAA and NIST are as important as ever for protecting PHI. But as health-related companies face projected budgeting and staffing limitations (especially in rural or aging settings), AI is rightfully stepping in to automate some of the most burdensome data-related work needed for companies to keep up.

One way to ensure that AI works ethically with current systems is to follow guidelines related to ISO 42001, an updated compliance framework specific to AI adoption and use. Likewise, regular pentesting (including pentesting specific to AI systems) can help ensure that data leakage and ethical best practices are in use.

What's become clear since ChatGPT took over the tech world's conversations in 2023 is that AI is not fading away any time soon. As our phones and cars utilize this world-changing technology, it's now inevitable that our health-related companies, too, will be altered forever. The opportunity for us all is to learn as quickly as possible how to harness them to make us even more efficient and effective.
More Data/Less Structure

The move to digitize healthcare data will not slow down in 2025. Healthcare orgs are looking to AI and ML to help them with this influx by converting unstructured data into usable data that can drive patient care and business decisions.

90%: of all data is unstructured [9]
1281%: increase in direct tagging of healthcare data in a sample cohort over the last year [10]
78%: use AI and ML to automate data analysis [8]
42%: believe data fragmentation and poor data quality can prevent effective decision-making and collaboration [8]

Further survey figures (percentages shown only as graphics in the original):
increased use of Python, which is widely used to organize data in AI, within a sample cohort [10]
increase in data tagging related to using data for governance in a sample cohort over the last year [10]
Issues of Access

#1: credential access is the biggest fear for healthcare orgs [1]

Credential access was the biggest concern for healthcare orgs as they looked to 2025. The reason this threat outpaces ransomware, phishing, and email-related issues is that healthcare orgs face unique challenges in siloed information, third party vendors, supply chains, and multiple security solutions spanning new and legacy systems.

45+: average number of security tools used in enterprises [11]

Of the hundreds of healthcare orgs polled about access:
68%: reported 4+ attacks on their supply chain in the last 2 years [4]
71%: of CROs believe integrated systems make for safer orgs [8]

Further survey figures (percentages shown only as graphics in the original):
of hospitals state they have adequate coverage in managing risks to supply chain risk management [13]
reported a ransomware attack; 46% of those stated it was caused by a third party [13]
of hospitals are considering risks to patient care in their evaluations of new suppliers' products [13]
Keeping Your Data Clean and Close
Katherine Kelton

Katherine Kelton is an executive, specializing in legal, human resources, and global compliance. She also serves on Thoropass' Health Advisory Board.

Cleanliness is next to godliness, especially in health-related fields where our digital practices are still catching up to our physical ones. As pointed out elsewhere in this report, the volume of health-related data continues to rise even as areas of the industry experience consolidation. Our challenge, then, is to ensure that this data is as useful as possible while being as secure as possible.

What Kroll finds in their study speaks to this point: of every industry surveyed, credential (user) access to data was their perceived least significant security threat. The one exception was healthcare, where it ranked #1 by a longshot.

The challenges to clean data aren't just for the sake of security. KPMG reports that 42% of survey respondents believe "data fragmentation and poor data quality can prevent effective decision making." In other words, having usable data is crucial for companies to make strategic business decisions. As this report has detailed, AI and automation technology is helping some companies to corral and maintain actionable data. For others, though, the first step in data hygiene is understanding who has access to data.

If fragmented data can inhibit decision making, it can also hinder collaboration. But clearly collaboration is not without its risks, according to Kroll. Because the healthcare industry can be both siloed and spread out by its very nature (not even considering the vast network of third party vendors on which most organizations rely), it's both understandable and unfortunate that this one particular threat is still fretted over, especially since email compromises continue to be the leading source of threat faced by healthcare organizations.

As a result, it's up to us in the industry to confront these two issues–data hygiene and data access–as one in 2025. Where AI and automation can help with data hygiene to a large degree, user access remains a unique cybersecurity concern that can be addressed through consolidated credentialing and monitoring. Maintaining your myriad regulatory and compliance frameworks through a single dashboard where you can also control user access at the employee level remains the gold standard for addressing data hygiene and access. Likewise, regular training and ensuring that any HIPAA security controls (such as use of MFA) are enforced consistently across systems and end users is more important than ever.

Healthcare is not unique in facing the growing importance of personal/patient data and working across dispersed teams. But given how valuable our data is, and how the frequency and severity of attacks are going up, it is more important than ever to look for technology solutions that enable secure, sustainable growth in 2025.

Responses to Regulation

62 minutes: average time it takes an adversary to move from the initial host to another once in a system [11]
72 hours: amount of time within which the US government wants health orgs to report cyber events [12]

Time is becoming a bigger factor in healthcare cybersecurity. While regulators are asking organizations to respond to breaches in days, bad actors are moving into systems in minutes. Most orgs are using immature security systems that monitor, but don't react, when attacks occur.

28%: of orgs are only set up to monitor (not react) to cyber vulnerabilities [1]
53%: of orgs have documented plans to address vulnerabilities [13]

Further survey figures (percentages shown only as graphics in the original):
of hospitals were conducting regular vulnerability scanning at least quarterly [13]
go beyond scanning with use of penetration testing, red/blue teams, etc. [13]
believe that integration and interconnection of risk management systems, domains, and processes had a significant enhancement to effectiveness over risk-related decision making [8]
of small, medium, and large sized hospitals claim they were operating with end-of-life operating systems or software with known vulnerabilities [13]
Looking Ahead

The data and perspectives in this report offer insights and trends that are more reliable than mere predictions. As you and your organization prepare for, and move through, 2025 and beyond, the following themes should be considered through the frame of cybersecurity:

> Technology: As this report shows, the rewards outweigh the risks when investing in new technology, especially in AI. As automation and machine learning get faster and smarter, tech can save on headcount and make your company more secure.

> Compliance: Basic frameworks like HIPAA, NIST, and HITRUST continue to evolve, requiring updated training, auditing, and (in some cases) pentesting. As AI becomes more widespread, compliance with frameworks like ISO 42001 becomes necessary.

> M&A, TPRM, and Data Sharing: Healthcare will continue its 30-year trend of consolidation, making it increasingly important that data is transportable across networks, and that access controls are in place for data to be used by those who need it.

> Proactive Protection: Basic monitoring and minimal preparations continue to be inefficient. An increased effort to be audit-ready with compliance and regulation, and to be ready with a reaction plan, will be crucial to dealing with inevitable threats.

> Global Risks: Geopolitical and economic risks will have primary and secondary effects on the healthcare industry as leaders grapple with local and international regulations, rising costs and inflation, and threats from bad actors in light of global conflicts and governmental changes.

Thoropass facilitates the infosec compliance processes for businesses, delivering compliance automation software and audit capabilities that enable its 1000+ customers to efficiently increase supported compliance frameworks and accelerate their infosec audits. Thoropass integrates directly with its customers' operational frameworks to automate evidence collection and enable continuous monitoring to ensure audit readiness.

With a team of in-house, independent auditors proficient in major compliance frameworks such as SOC 2, HITRUST, HIPAA, GDPR, PCI DSS, ISO 27001, and ISO 42001, among others, Thoropass conducts 500+ audits every year, with a commitment to supporting companies in maintaining high standards of compliance and security. Learn more at www.thoropass.com
Endnotes

1. Kroll. The State of Cyber Defense: Diagnosing Cyber Threats in Healthcare. (2024)
2. Amantha May. Tebra. The Intake. The major cyberattacks that have affected healthcare systems in 2024. (2024)
3. Steve Alder. The HIPAA Journal. Healthcare Data Breach Statistics. (2024)
4. Proofpoint. Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care. (2024)
5. John Riggi. American Hospital Association. The importance of cybersecurity in protecting patient safety. (2024)
6. U.S. Department of Health and Human Services. Breach Portal. (2024)
7. RBC Capital Markets. The healthcare data explosion. (2024)
8. KPMG. Future of Risk. (2024)
9. IDC. Box. The untapped value of unstructured data. (2023)
10. Snowflake. Data Trends 2024: Healthcare and Life Sciences. (2024)
11. Crowdstrike. Global Threat Report. (2024)
12. Cyber Incident Reporting for Critical Infrastructure Act of 2022. (2022)
13. U.S. Department of Health and Human Services. Hospital Cyber Resiliency Landscape Analysis. (2024)