Healthcare leaders continue to treat cybersecurity as a technical safeguard instead of a strategic business function, according to the 2025 US Healthcare Cyber Resilience Survey by EY. The study, based on responses from 100 healthcare executives, outlines six areas where hospitals and health systems must act to close resilience gaps that threaten patient care and operations.
Cybersecurity as a business driver
81% of respondents said that prioritizing cybersecurity within the business strategy helps overcome challenges. Nearly two-thirds cited budget limits or competing priorities as the main barriers to meeting their goals.
While 65% of executives said they have the authority to allocate funds, many still face moderate to severe cyber incidents. The gap between decision-making power and outcomes points to a lack of sustained commitment once budgets tighten.
Cybersecurity should link directly to measurable results such as reduced downtime, improved patient safety and financial stability. It must be treated as a core enabler of healthcare delivery, not a compliance task.
IAM tops spending priorities
68% of respondents identified IAM as their top investment area for the…
