Part one of this blog reviewed the number of cyberattacks the health care field endured this year compared to last; provided an overview of the lessons learned from these attacks; and outlined the defensive measures every hospital or health system should take against cyberattacks, beginning with understanding your risk environment.
Looking back at 2025’s health care cybersecurity landscape, we’ve made three observations.
1. Third-party Cyber Risk Continues to Increase
We’ve seen from Change Healthcare and other recent cyberattacks that over 80% of the stolen protected health information records were not stolen from hospitals — they were stolen from third-party vendors, business associates, and nonhospital providers and health plans like the Centers for Medicare & Medicaid Services.
2. Business Continuity versus Clinical Continuity: Understanding the Difference and Preparing for the Worst
In 2025 and the years preceding, we have become acutely aware of the need to reassess how hospitals and health systems define and implement downtime procedures to account for a loss of internal and third-party technology and data. Often, in the context of preparation of downtime procedures, we also refer to “business continuity” in health care. It is true that at its core, hospitals’ business is indeed health care. Over time, however, we have seen that hospital leadership and staff tend to interpret the concept of business continuity as more related to an IT function and responsibility, rather than a clinical function and responsibility. The impact of ongoing ransomware against health care demonstrates that it must be both a clinical function and an IT function.
3. AI as Both a Cyber Tool and a Weapon
Click here to read full the AHA Blog post.
