September 5, 2025

Why Technology Risk is Now Clinical Risk

How digital disruption could threaten both patient safety and your organization

Summary

  • Technology failures could affect patient safety and care and create legal risk.
  • Converging risks in operations, cyber, and AI demand coordinated governance and coverage.
  • A proactive approach can help turn technology issues into resilience.

Healthcare has been the costliest industry for data breaches for more than a decade, with the average breach now topping $9.77 million. That figure shows the scale of the cybersecurity risk healthcare organizations face and why robust healthcare cybersecurity risk management matters. But the bigger impact comes when an outage or cyberattack causes missed diagnoses, delayed treatments, or patient harm.

Today’s connected healthcare environment relies heavily on technology—not just to support care, but to deliver it. This reliance increases the risk of technology in healthcare, making effective healthcare cybersecurity risk management essential to safeguard patient safety and organizational integrity. AI-based diagnostics, wearable monitors, remote scheduling, and extensive networks of third-party vendors now play a key role in patient outcomes. When technology fails, care can slow down, and liability may rise.

The shift toward smarter, tech-enabled care isn’t slowing down. If anything, it’s speeding up as technology helps fill workforce gaps. As explored in our recent Healthcare Risk Report, organizations need to rethink what risks they face and make sure their protection strategies keep up with new tools and systems.

Four forces driving the risk of technology in healthcare and clinical safety

Technology in healthcare has always carried some level of reliability and vulnerability risk. What’s changed is how quickly and how much those risks can affect care. Systems that used to run quietly in the background are now directly involved in diagnosis, treatment and patient monitoring. Because of that, disruptions that once caused just a few hours of administrative delays can now disrupt care, lead to legal issues, and shake patient trust.

As more systems that haven’t traditionally been connected to the internet become internet-enabled, the attack surface for healthcare continues to grow. Attack surface refers to all the points where an attacker could potentially gain access to an organization.

Four main forces are accelerating this shift and bringing technology risks into clinical care.

1. Cyber threats

Cybersecurity threats are a major concern for healthcare organizations. Addressing healthcare cybersecurity risk is vital, as cyber threats can directly impact patient safety and care delivery. As explored in our recent Healthcare Risk Report, the line between a “technical incident” and a “patient safety event” quickly blurs. Ransomware no longer just locks up administrative data. It can stop chemotherapy treatments, delay surgeries, or disable monitoring devices clinicians rely on for split-second decisions.

More attackers bypass secure core systems and target less protected, connected areas like billing companies, outsourced IT providers, or medical device vendors. Once inside, they can move laterally into critical systems and disrupt care directly.

These indirect attacks are especially risky because they take advantage of gaps in technology oversight and insurance coverage.

In one case, a long-term care facility’s outdated but still active vendor credentials gave attackers a way in, leading to a breach that affected multiple organizations. We see this far too often—hackers aren’t “hacking,” they’re simply logging in. The result was a costly, multi-region recovery effort with unclear insurance triggers and long-lasting operational impacts.

2. AI adoption

AI is quickly becoming a routine part of healthcare. It’s used in generative AI scribes that handle documentation, predictive algorithms that identify high-risk patients, and diagnostic tools driven by AI. But while the technology moves fast, governance hasn’t kept up. Many organizations don’t have a clear owner responsible for making sure AI tools are accurate, ethical, and safely integrated into care.

The legal questions are complicated. If an AI tool misdiagnoses a patient or misses a critical lab result, is that a clinical mistake, a software failure, or both? Without clear oversight and coverage—including malpractice, technology errors and omissions (E&O), and cyber issues—organizations could face lengthy disputes with insurers if something goes wrong. Even more, unclear governance can undermine trust among clinicians, making them hesitant to rely on AI outputs if they don’t know who’s accountable. It’s important to ask, “What are the consequences of incorrect output from an AI tool?”

Additionally, data leakage from inputting sensitive data, such as patient records, into AI tools can be a significant issue. Do you know how your data is being used by the AI models you’re working with? “Shadow AI” is also becoming a bigger concern. Employees might be using AI tools without organizational oversight, which can lead to data leaks or clinical consequences that the organization isn’t aware of. That’s why policies around AI use are essential as AI continues to be integrated into healthcare.

3. Operational dependencies

Healthcare’s shift to digital systems has created large, connected networks where even non-clinical tools are vital to patient care. This interconnectedness heightens the risk of technology in healthcare, emphasizing the need for diligent healthcare cybersecurity risk management. Scheduling systems, billing platforms, and pharmacy ordering tools might not interact with patients directly, but when they break down, the effects can ripple through the entire care process.

Think about what happens after a third-party system goes down: delayed discharges, crowded ERs, unfilled prescriptions, or missed follow-up visits. In value-based care models—where providers are paid based on patient results rather than the number of services—these disruptions can also hurt quality scores and reimbursement. Since many of these systems are managed by outside vendors, providers often have little control over security, uptime, or recovery plans. Still, they’re responsible for the clinical and financial fallout when outages happen.

4. Data privacy considerations

Changes to HIPAA have been proposed that would further tighten data privacy regulations in healthcare. Regulation isn’t going away. The size of the plaintiff groups in class-action lawsuits related to data privacy continues to shrink, with groups as small as 100 individuals filing a lawsuit. We’re seeing increased activity in this area.

Unintentional wrongful collection suits are also a concern, especially in healthcare. Ad tracking technology used to monitor online user behavior for targeted advertising can lead to data privacy lawsuits if proper user consent isn’t obtained. We’ve seen this happen with ad tracking on patient portals, where healthcare information was collected and shared without patients’ knowledge.

Understanding evolving regulatory requirements and the technology used to collect and share data is essential.

Turning convergence into a resilience advantage

When cyber, AI, and operational risks overlap, they don’t multiply—they compound. A ransomware attack could turn into a malpractice claim. An AI mistake might lead to a dispute over service denial. A vendor outage can disrupt patient care and affect reimbursement. Without a clear plan, these events could create gaps in coverage, increase regulatory risks, and even harm reputation—long after the initial problem is resolved.

Healthcare organizations that want to stay resilient can address this overlap by:

  • Coordinating coverage across cyber, medical professional liability, and technology E&O
  • Setting vendor and partner standards that match internal security and uptime goals
  • Developing comprehensive incident response, business continuity, and disaster recovery plans to help maintain critical business functions during third-party vendor disruptions. Do you have alternative workflows in place?
  • Managing AI use as carefully as clinical practices
  • Planning for system downtime so care can keep going even when technology fails
  • Strengthening your cyber risk management program by focusing on people, processes, and technology—not just adding the next tool to your environment, but developing a strategic approach

Learn more about healthcare cybersecurity risk and strategies for effective healthcare cybersecurity risk management in our exclusive report.
