Healthcare cybersecurity budgets and teams have grown significantly since 2019 as threats become more pronounced, according to an April 2024 report from Moody's Investors Service.
Moody's gathered 148 responses from healthcare organizations, with 77% being nonprofit or for-profit hospitals. On average, respondents reported that cybersecurity team headcount rose 30% from 2019 to 2022 and that cybersecurity spending hit 7% of the total IT budget last year, up from 5% in 2019.
Eighty-one percent of healthcare companies said cybersecurity was a line item in their budgets, which is higher than the 74% average across all industries.
While bringing cybersecurity expertise in-house may reduce risk because it limits the number of third parties accessing data, the report noted hospitals are also turning to outsourcing partnerships. There was a 50% increase in the number of outsourced cybersecurity employees from 2019 to 2022, with for-profit hospitals increasing their outsourced or contract employees by 67% and nonprofit hospitals bringing on 11% more outsourced or contracted cybersecurity employees.
Nonprofit and for-profit hospitals are spending 6% and 9% of their IT budgets, respectively, on cybersecurity, according to the report. Nonprofit hospitals increased the percentage of in-house cybersecurity employees by 25% and for-profit hospitals bumped their in-house teams by 50%.
Moody's also noted healthcare organizations are using cyber insurance to mitigate risk, with 95% of respondents carrying cyber insurance. Among medium and small healthcare companies, 23% and 16%, respectively, plan to increase coverage over the next year.
"Insurers have faced larger, more frequent claims due to ransomware attacks, significantly weakening their product's profitability. Tighter terms and conditions, as well as costlier premiums, have sent the cost of transferring risk higher," the report notes.