US Hospitals Face Urgent Call to Elevate Cyber Hygiene as EY Survey Reveals Strategic Gaps in Cyber Resilience

7 November 2025

Today, the latest findings from the 2025 US Healthcare Cyber Resilience Survey by EY cast a spotlight on a pressing challenge facing American hospitals and health systems: a widespread failure to integrate cybersecurity into core business strategy, with implications reaching far beyond IT departments. Based on responses from 100 healthcare executives, the report identifies six key areas in which organizations remain vulnerable—not simply to technical disruptions, but to threats capable of impeding hospital operations, patient care, and financial stability.

While cyberattacks and system breaches have escalated in scale and complexity in recent years, the survey underscores the fact that 81% of respondents now recognize cybersecurity as a business driver rather than a mere compliance checkbox. Yet, almost two-thirds cite persistent budget constraints, competing priorities, and lack of sustained executive commitment as the principal barriers to achieving measurable cyber resilience. Despite most leaders having authority to allocate resources for security initiatives, many hospitals still experience repeated and sometimes severe incidents, highlighting organizational inertia and gaps between intent and execution.

EY’s report emphasizes that cybersecurity must be tightly linked to business value, including reduced operational downtime, improved clinical workflows, and enhanced patient safety. Operational leaders are urged to adopt a strategic mindset—one in which proactive cyber risk management is treated with the same urgency and adaptability as patient care delivery or supply chain oversight. Inadequate cyber hygiene not only places electronic health records and devices at risk of intrusion but can also lead to regulatory penalties, reputational damage, and direct harm to patients if information systems fail during critical episodes.

A significant shift in investment focus is underway, with 68% of surveyed executives identifying Identity and Access Management (IAM) as their top priority for the coming fiscal year. Threats such as credential theft, improper account provisioning, and the proliferation of non-human identities—including bots and automated processes—have forced health systems to re-audit privileged accounts and revamp authentication protocols. Hospitals are increasingly implementing multifactor authentication (MFA), lifecycle management controls, and real-time monitoring for patient portals, clinician logins, and administrative interfaces. The objective is a robust ecosystem where workforce and patient identities are accurately verified, continuously tracked, and shielded from unauthorized exploitation.

However, the report also flags weaknesses in cross-departmental collaboration, where cybersecurity teams and hospital leadership may operate in silos. Bridging this gap requires investments not only in technical controls but also in culture change and risk awareness training at all staffing levels. EY recommends embedding cyber resilience metrics into organizational KPIs and fostering ongoing dialogue between CIOs, CISOs, and front-line clinical and administrative teams. The need for a system-wide transformation is especially acute as healthcare organizations confront rising threat vectors—from ransomware targeting critical care infrastructure to phishing campaigns that exploit clinical urgency and remote work vulnerabilities.

Healthcare organizations must act decisively, EY concludes, aligning cyber strategy with enterprise risk management to safeguard the continuity of care, maintain compliance with evolving regulations such as HIPAA and HITECH, and protect both operational and reputational assets. As the digital transformation of healthcare accelerates, the stakes for American hospitals have never been higher. The 2025 US Healthcare Cyber Resilience Survey stands as a call to action for boards, executives, and all hospital decision-makers: treat cybersecurity as an essential component of hospital management and clinical governance—not as a peripheral or after-the-fact concern.