By CHRIS WRIGHT

Record-breaking, complex, high-stakes…How will the health care sector define the cybersecurity landscape of 2025? And what do these descriptors forecast for what’s ahead? This year, we saw the industry grapple with hard-learned lessons, such as lingering fallout from the Change Healthcare cyberattack. Despite this periodic, and at times painful, turbulence, we’ve also witnessed promising trends emerge. So, what are the top takeaways from 2025? And how will—or should—these developments guide organizations’ decision-making in the new year?

Rising third-party attacks reinforce the need for risk distribution.

The ongoing after-effects of the Change Healthcare breach reaffirmed the danger of health care organizations putting all their eggs in one basket. According to the U.S. Department of Health and Human Services (HHS), more than 80% of stolen protected health information records are now taken from “third-party vendors, software services, business associates and non-hospital providers and health plans.” The bottom line? No health care organization, no matter its size, can afford to have a single point of failure. That’s why we counsel clients to load balance by entering into agreements with primary, secondary or even tertiary vendors, following thorough due diligence. If establishing multiple relationships is infeasible, an experienced cybersecurity professional can also help organizations develop resiliency programs. In either scenario, if a failure occurs, operations won’t have to grind to a halt, ensuring entities can continue providing care.

Ransomware attacks highlight the value of comprehensive cybersecurity measures.

While these incidents have decreased across the industry overall, there’s been a surge in ransomware attacks among smaller health care organizations. And the impact can be painful for entities’ bottom lines and reputations. Today, ransomware is more akin to extortion. Foreign actors’ tactics have become more sophisticated, inflicting maximum pain to squeeze every possible penny from those affected. Organizations can’t stop attackers’ attempts, but they can mitigate the possibility of falling prey. That starts by designing and implementing a layered cybersecurity strategy that incorporates best practices, such as those outlined in the National Institute of Standards and Technology (NIST) Cybersecurity Framework, to identify, protect, detect, respond to and recover from potential incidents.

Risk management practices indicate a shift away from compliance-only mindsets.

In 2025 and over the last several years, health care organizations have steadily moved away from checking the box with solely or primarily preventive-only controls. Thanks to the deployment of easily accessible programs, such as HHS’s 405(d) Program and Health Industry Cybersecurity Practices (HICP), entities now better understand the value of assessing their threat landscape for potential vulnerabilities to improve their security postures. Increasingly, organizations recognize the benefits of aligning their cybersecurity controls with industry frameworks to ensure continuity of operations and patient care.

If there’s one insight that 2025 will leave us with, it’s that the days of health care organizations overlooking their cyber risk are no more. In an ever-evolving digital world, these potential vulnerabilities have been elevated to the same level of importance for decision-makers as mitigating financial, operational or reputational threats. Now, perhaps more than ever, health care entities understand the downsides of failing to address pain points and are recommitting to strategic cybersecurity planning to build greater resiliency. Here’s to that continuing in 2026.

Chris Wright is co-founder and partner at Sullivan Wright Technologies, a Mid-South-based firm that provides tailored cybersecurity, IT and security compliance services. Email him at chris@swtechpartners.com.