By Lee Kim JD CISSP CIPP/US FHIMSS, Senior Principal, Cybersecurity & Privacy
Looking to 2025, healthcare organizations have a fresh opportunity to reassess their cybersecurity programs and posture. Think of it like new year’s resolutions for healthcare organizations. No matter where an organization may be in its cybersecurity journey, there is always room for improvement. The stakes are very high — patient safety is of the utmost importance.
Within many organizations, cybersecurity professionals wish to forge more collaborative relationships and greater information sharing across the enterprise as a whole. More frequent and in-depth briefings of executives and the boards of directors at healthcare organizations are likely on the wish lists of many cybersecurity leaders.
When engaging with executives and boards of directors, tell an impactful story about why they need to know about healthcare cybersecurity. Deliver to them information that is meaningful and relevant in their world. Align the organization’s goals with the cybersecurity program’s goals.
Advancing interoperability while promoting cybersecurity and privacy is especially challenging in healthcare, particularly when data must move through various points and places to deliver meaningful, effective and high-quality care for the patient. Clear standards are critical to improving the maturity of these efforts, ensuring that data is shared securely and safely, while appropriately protecting patient privacy and building trust across the healthcare ecosystem.
To advance interoperability while promoting cybersecurity and privacy, healthcare organizations must adopt well-accepted industry frameworks, invest in robust security measures and prioritize privacy-by-design principles. Collaboration across stakeholders is essential to ensure consistent practices and encourage trust.
Many healthcare organizations are adopting artificial intelligence (AI) but are still figuring out how to use it effectively. As we do so, we must ensure that AI is used securely, safely and ethically. Healthcare has always been built on human relationships — between clinicians, patients and everyone who makes care possible. Human judgment, discernment and values must remain central, not just in the use of AI but throughout its entire lifecycle — from design and testing to training, implementation and beyond. Ensuring this human oversight is critical to maintaining trust and ensuring the safe and ethical use of AI in healthcare.
To ensure safe and ethical AI, healthcare organizations must establish clear guidelines and governance structures that prioritize security, safety and equity at every stage. This includes embedding ethical considerations into AI design, testing for bias and fairness, maintaining transparency in AI decisions and regularly auditing systems for compliance and performance. Listening to stakeholders is vital to refine policies, processes and technology to ensure they address requirements, concerns and challenges.
Medical device security is critical because these devices often play a life-sustaining or life-saving role for patients. Ensuring their safe and secure operation is essential. As more medical devices connect online, the threat landscape grows significantly. Healthcare organizations must proactively monitor these devices to ensure they operate safely and normally while addressing any issues that arise. This includes applying patches in a timely manner as part of a robust cybersecurity program.
To ensure medical device security, healthcare organizations must establish strong governance frameworks, implement continuous monitoring systems and collaborate closely with manufacturers to address vulnerabilities. Participating in coordinated vulnerability disclosure programs is key to identifying and mitigating potential threats effectively. Listening to frontline clinicians and technical staff can provide valuable insights to improve security practices and ensure devices meet the needs of patient care. Regular training, incident response planning and alignment with industry standards are also essential to safeguarding these critical systems.
Human security remains a critical aspect of any cybersecurity program, as humans are often the weakest link. Social engineering continues to be a primary method attackers use to access networks, systems and assets, while insider threats — whether malicious or negligent — pose additional risks to a healthcare organization’s security posture. Addressing these threats requires a combination of technical and human controls. Tools like robust endpoint detection and response (EDR) systems and data loss prevention (DLP) solutions are essential technical safeguards.
To bolster human security, organizations must invest in security awareness training, foster a culture of good cybersecurity hygiene, and implement formal insider threat programs and policies to identify, mitigate and respond to risks from those with trusted access — whether virtually or physically. Empowering the workforce to recognize and respond to threats effectively is key to strengthening the human element in cybersecurity.
Preparedness and resilience are critical for healthcare organizations as they face a rising number of cyberattacks and compromises. The speed and impact of these attacks are growing. Additionally, many healthcare organizations are relying more heavily on third parties — introducing additional complexities and risks.
To strengthen preparedness and resilience, organizations should prioritize robust business continuity and disaster recovery plans. Aligning cybersecurity goals with broader business objectives is essential, as close collaboration can aid in the development, implementation and refinement of these plans. This alignment ensures that disruptions are minimized and that the organization as a whole is better equipped to respond to and recover from incidents.
Engaging with law enforcement when appropriate is critical to disrupting criminal activities and holding bad actors accountable.
Reporting incidents not only supports investigations but also helps build a broader understanding of threats to protect others from similar attacks. Healthcare organizations should encourage their workforces to report any unusual or suspicious events that may occur — when you see something, say something. Individuals should be empowered by knowing whom to call and what to do. By taking these proactive steps, organizations can strengthen their response efforts and contribute to the fight against cybercrime.
As healthcare organizations work to navigate an ever-changing cybersecurity landscape, strengthening preparedness, resilience and alignment between cybersecurity and business goals is more important than ever. For more actionable insights and strategies, be sure to check out the 2025 HIMSS Healthcare Cybersecurity Report, coming in the first quarter of 2025.
At HIMSS, our vision is to realize the full health potential of every human, everywhere. Be part of the community that’s transforming the global health ecosystem with courage, curiosity and determination.