More Than One-Third of Organizations Lack Cybersecurity Response Plan

Analysis | By Jay Asser | May 31, 2024

A new survey highlights the importance of being prepared to deal with a cyberattack and data breach.

With cyberattacks in healthcare on the rise, it’s vital that practices have security measures in place to protect patient data.

Yet, only 63% of organizations have a cybersecurity plan in place, according to a survey by Software Advice, which means many are vulnerable to potentially crippling attacks that can be costly and damaging to patient trust.

The survey fielded answers from 296 respondents with IT management, data security, data management, or security training or audit responsibilities at healthcare organizations around the country.

The data revealed that half of organizations have experienced a data breach, with 32% dealing with one in the past three years.

More than one in four practices (42%) has experienced a ransomware attack, with nearly half (48%) reporting the attack impacted customer data, while 27% said it impacted patient care.

After a ransomware attack has taken place, a third of respondents (34%) failed to recover patient data from their attackers.

With 55% of practices allowing employees access to more data than they need to do their job, greater human error is introduced into the mix.

To counter the increase in threats, CEOs at both provider and payer organizations must take a proactive approach to cybersecurity.

That includes putting preventative measures in place, such as more training for employees handling data to help them identify scams and attacks, as well as limiting certain data to the employees that need it.

Preventative measures, however, aren’t effective for attacks that have already happened, which is why it’s crucial for CEOs to implement a response plan “that includes defined roles and responsibilities, communication protocols, and a prioritization list,” the report said.

Not every organization that is prepared to prevent and respond to a cyberattack will be safe though.

Banner Health’s next CEO, Amy Perry, recently told HealthLeaders that it’s difficult to protect yourself against bad actors that are coming at you from all different angles.

“Do I see a solution? Not an easy solution,” Perry said. “All of the health systems, including Banner, have multiple, multiple investments in protection. But again, moving at the speed that the people that are working on the other side of this in the dark corners of the world, I think we've got a long way to go before we figure out how we keep ourselves safer every day.”

Jay Asser is the contributing editor for strategy at HealthLeaders. 


Of nearly 300 respondents working at healthcare organizations surveyed by Software Advice, 37% report not having a cybersecurity response plan in place.

CEOs must institute measures to prevent data breaches, such as training staff to recognize scams and attacks, and have a response plan that includes protocols and responsibilities.
