2024年医疗保健行业网络安全调查（英）.docx

2024 HIMSS Healthcare Cybersecurity Survey Table of Contents 33 2024 HIMSS Healthcare Cybersecurity Survey | © 2025 Healthcare Information and Management Systems Society Executive Summary 3 Methodology and Demographics 4 Methodology 4 Demographics 4 Levels of Responsibility 5 Types of Organizations Represented 5 Economics of Healthcare Cybersecurity 6 Budgets are Improving 6 Overall IT Budgets are Modestly Improving 6 Allocation of current IT budget to cybersecurity 7 Comparing 2023 to 2024: Cybersecurity Budget Allocations 8 Trends in Cybersecurity Budget Allocations 9 Cybersecurity Budgets Projected to Rise 10 Changes to cybersecurity budget in 2025 10 Effect of Cybersecurity Budget Increases in 2025 11 Security Awareness 12 Security Awareness Programs 12 Effectiveness of security awareness programs 13 Security Incidents 14 Significant Security Incidents 14 Initial Points of Compromise 14 Testing of Incident Response Plans 15 Stakeholder Participation in Tabletop Exercises 16 What’s Happening with Ransomware 17 Present State 17 2024 Ransomware Trends 17 Ransomware Trends: 2022-2024 18 To Pay or Not to Pay – Ransomware Payments 19 Proactive vs. Reactive Security Measures 20 Future State 21 AI Adoption in Healthcare 22 Allowing the Use of AI in Healthcare 22 To Govern or Not: Organizational Approaches to AI 22 AI Technology Use Cases 23 AI Guardrails 24 Approval Process for AI Technology 24 Active Monitoring of AI Technology 25 Acceptable Use Policy for AI Technology 25 Future Concerns Regarding AI 26 Managing Third-Party Risks 27 Third-Party Risk Management Programs 27 Third-Party Security Incidents 28 Impacts of Third-Party Security Incidents 29 Insider Threat Programs 30 Formal Insider Threat Programs 30 Insider Threat and AI 31 Insider Threat Activity Involving Third Parties 32 Conclusion 33 About HIMSS 34 How to Cite this Survey 34 How to Request Additional Information 34 Executive Summary Cybersecurity Budgets 📈 Investments - Organizations are dedicating more resources to fortify defenses. 📊 Strategic Focus - Budgets are increasingly aligned with critical vulnerabilities. Security Awareness 📧 Phishing Mitigation - Programs target phishing, the leading attack vector. 🧩 Innovative Training - Gamification and scenario-based training boost engagement. Security Incidents 🐟 Phishing Dominance - Phishing is the top method of compromise. 💀 AI-Driven Attacks - Deepfakes are an emerging threat. Ransomware 🛡️ Combatting Ransomware - Ransomware defense continues to be a priority. ❌ Fewer Ransom Payments - Fewer ransomware victims are reporting paying ransom. Artificial Intelligence 📃 Policy Shortfalls - A lack of formal AI governance increases risk. 🔍 Limited Oversight - There is limited monitoring of AI usage. Third-Party Risks 🔗 Third-Party Incidents - Significant incidents involving third-parties are notable. ⚡ Impacts - Third-party incidents cause disruption and other impacts. Insider Threats 📋 Formal Programs - Formal programs are needed to manage insider threats. Methodology and Demographics The 2024 HIMSS Healthcare Cybersecurity Survey reflects the responses of 273 healthcare cybersecurity professionals. These professionals had at least some responsibility for day-to- day cybersecurity operations or oversight of the healthcare organization’s cybersecurity program. Respondents who indicated they did not have any level of responsibility for either day-to-day cybersecurity operations or oversight were not eligible to take the survey. Methodology The data for this survey was collected between November 6 and December 16, 2024. Questions asked respondents about their perspectives, knowledge, and experiences over the past 12 months. For simplicity, we refer to this data as "2024" throughout this report. Similarly, data from previous surveys is identified by the year in which it was collected . Demographics As shown in Figure 1 below, respondents held various roles, including executive management (50%), non-executive management (37%), and non-management (13%). Executive management included individuals in the C-suite, non-executive management comprised senior management, and non-management encompassed analysts and specialists. Figure 1: Respondent Roles Levels of Responsibility As shown in Figure 2 below, respondents reported varying levels of involvement in their organization's cybersecurity programs. 46% had primary responsibility, 30% shared responsibility, and 24% were involved as needed in the day-to-day operations or oversight. Figure 2: Respondent Cybersecurity Responsibility Types of Organizations Represented As shown in Figure 3 below, respondents represented a diverse range of organizations, including healthcare providers (50%), vendors (18%), consulting firms (13%), government entities (8%), and other organizations (11%). Other organizations included academic institutions, non-profits, payors, and life sciences companies. Figure 3: Types of Organizations Economics of Healthcare Cybersecurity Investing in robust cybersecurity measures is no longer optional for healthcare organizations — it is essential. Yet, achieving a strong cybersecurity posture requires sufficient resources, which are often limited by budgetary constraints. Chief Information Security Officers and their teams frequently find themselves balancing the need to address evolving threats with the reality of tight financial resources. Healthcare organizations with greater financial resources are better equipped to leverage robust cybersecurity solutions. Sufficient cybersecurity funding enables organizations to access advanced tools, hire skilled personnel, and implement comprehensive strategies. Conversely, limited budgets can pose challenges, making it more difficult to address the ever-evolving cyber threat landscape effectively. However, even with modest resources, strategic planning and prioritization can play a critical role. Budgets are Improving Overall IT Budgets are Modestly Improving Traditionally, healthcare organizations have generally allocated 6% or less of their IT budgets to cybersecurity, according to aggregate data from the 2018 to 2022 and 2024 HIMSS Healthcare Cybersecurity Surveys. Since cybersecurity budgets are typically carved out of overall IT budgets, this survey examined both the expected changes in overall IT budgets from fiscal year 2024 to fiscal year 2025 and the current allocation of those budgets to cybersecurity. As shown in Figure 4 below, a slight majority of respondents (52%) reported that their organizations’ overall IT budgets would increase during this period, while 10% indicated a decrease. 28% of respondents reported no change in their overall IT budgets. Ten percent of respondents did not know about the anticipated change in IT budget from 2024 to 2025. Figure 4: Anticipated Change in IT Budget 2024 to 2025 Allocation of current IT budget to cybersecurity Understanding how organizations allocate their IT budgets to cybersecurity provides valuable insight into their prioritization of security measures. Variability in spending levels highlights differences in how organizations approach protecting their system s and data. These budgetary decisions present opportunities to strengthen defenses and enhance preparedness against evolving threats. When asked about organizational allocation of the current IT budget to cybersecurity, 20% of respondents indicated that their organization had no specific carve-out but spent money on cybersecurity, as shown in Figure 5 below. However, 19% of respondents reported their organizations allocated 3-6% of the overall IT budget to cybersecurity; 14% reported 7-10%; 7% reported 11-14%; 9% reported more than 14%; and 7% reported 1-2%. One percent of respondents — several vendors and a healthcare provider — indicated their organizations do not spend any money on cybersecurity. Notably, 23% of respondents did not know what percentage of their organizations’ IT budgets were allocated to cybersecurity. Figure 5: Percent of Organization’s IT Budget Spent on Cybersecurity Comparing 2023 to 2024: Cybersecurity Budget Allocations Data from the 2023 and 2024 HIMSS Healthcare Cybersecurity Surveys reveal a notable shift in cybersecurity budget allocations. The percentage of organizations allocating 3-6% of their IT budgets to cybersecurity increased from 13% in 2023 to 18% in 2024, while those allocating 1-2% decreased from 10% to 7%, as shown below in Figure 6. Allocations between 7-10% were similar, decreasing slightly from 15% of organizations in 2023 to 14% in 2024, while above 10% dropped significantly, from 21% of organizations in 2023 to 16% in 2024, reflecting a possible redistribution of resources or more strategic spending. The percentage of organizations without a specific carve-out for cybersecurity increased slightly, from 19% in 2023 to 20% in 2024. Additionally, respondents unaware of their organizations’ cybersecurity budget allocations rose from 19% in 2023 to 23% in 2024, pointing to potential gaps in communication or governance over cybersecurity spending. These findings suggest that organizations are optimizing cybersecurity investments, moving toward more moderate budget allocations. However, the increase in respondents unaware of their organizations’ cybersecurity budget allocations underscores the need for improved communication around cybersecurity priorities. While executive management respondents were generally aware of cybersecurity budget allocations, non -management and non-executive management respondents demonstrated limited awareness, highlighting an opportunity for better information sharing about organizational cybersecurity programs. Figure 6: Cybersecurity Budget Allocation, 2023 vs. 2024 Trends in Cybersecurity Budget Allocations Over the years, cybersecurity budget allocation within IT budgets has shown notable fluctuations, reflecting changes in organizational priorities and resource allocation strategies. As shown in Table 1, organizations reporting no cybersecurity allocation remained steady at 1-3%, while allocations in the 1-2% range peaked at 18% in 2020 but dropped to 7% in 2024. Budgets in the 3 -6% range dipped to 13% in 2023 before recovering to 18% in 2024, indicating stability in moderate spending. Allocations in the 7 -10% range gradually increased from 10% in 2020 to 14% in 2024, showing growin g investment in higher cybersecurity budgets. Budgets exceeding 10% peaked at 21% in 2023 before falling to 16% in 2024, suggesting shifts toward more balanced spending. The percentage of healthcare organizations with flexible or unspecified cybersecurity budgets declined from 26% in 2019 to 20% in 2024, reflecting improved budgeting practices. However, respondents unaware of their organizations’ cybersecurity budgets rose from 18% in 2020 to 23% in 2024, highlighting communication gaps. While modest increases in healthcare cybersecurity budgets are evident, additional investments are critical to address growing threats, protect sensitive assets, and support new technologies. Without sufficient funding, organizations risk disruptions to patient care, loss of trust, and significant financial and reputational harm. Table 1: Cybersecurity Budget Allocation, 2019-2024 Budget Allocation 2019 2020 2021 2023 2024 No allocation 1% 1% 1% 3% 1% 1-2 percent 9% 18% 18% 10% 7% 3-6 percent 25% 24% 22% 13% 19% 7-10 percent 11% 10% 15% 15% 14% More than 10 percent 10% 6% 11% 21% 16% Flexible Allocation 26% 23% 24% 19% 20% Don’t Know 18% 18% 10% 19% 23% Cybersecurity Budgets Projected to Rise Changes to cybersecurity budget in 2025 Anticipated changes to cybersecurity budgets provide insight into organizations’ evolving priorities and strategies. With the growing complexity of cyber threats, many organizations recognize the need to adjust their spending to stay ahead. These shifts hi ghlight an increasing focus on bolstering defenses and addressing emerging risks. As shown in Figure 7 below, among respondents who reported a specific allocation for their organizations ’ cybersecurity budgets, a slight majority (55%) anticipated an increase in 2025. Only 4% expected a decrease, while 21% stated their budgets would remain the same. Notably, 20% of respondents indicated they did not know. Figure 7: Change to Cybersecurity Budget in 2025 Effect of Cybersecurity Budget Increases in 2025 Among respondents who indicated that their cybersecurity budgets would increase, we asked whether the increase enabled their organizations to make meaningful improvements, such as investing in additional staff, tools, and/or policies. As shown in Figure 8, a majority (57%) reported significant improvements to the tools they use, 47% reported significant improvements to policies, and 31% reported significant improvements to staff. Notably, 34% stated that the increase allowed for only some improvements across staff, tools, and policies. Three percent indicated that the increase merely maintained existing support for staff, tools, and policies, and 8% of respondents stated that they did not know. Figure 8: Impact of Increase in Cybersecurity Budget for 2025 Security Awareness Security Awareness Programs Effective security awareness training is vital for helping employees recognize and respond to cybersecurity threats. Organizations use a variety of methods to engage their workforces and reinforce key concepts, tailoring their approaches to address their specific risks. Understanding the strategies employed provides valuable insight into how organizations prioritize education as part of their overall defense strategies. As shown in Figure 9 below, respondents reported using a variety of methods for security awareness training, with 73% citing regular email alerts and communications, 63% using simulated phishing, 49% using interactive discussions, and 47% holding in -person or virtual workshops. Incident response exercises like tabletops were used by 38%, while 10% engaged in interactive games. Notably, 4% reported no training, 2% were unaware if training occurred, and 3% used alternate methods like video-based training or compliance activities, which are not equivalent to effective cybersecurity training. Only 40% addressed emerging threats like deepfakes, quishing (QR code phishing), and smishing (SMS phishing), highlighting the need for comprehensive, up-to-date training programs to counter evolving threats. Organizations may need to develop custom training programs since off-the-shelf security awareness training might not adequately address emerging threats. Tailored approaches ensure that training is relevant and comprehensive, equipping teams to effectively identify and respond to sophist