Ransomware. Third-party breaches. Identity access management attacks. The threats are everywhere, yet this new healthcare survey shows that the best defense may not be more technology but rather aligning priorities across the organization. By revealing the full picture, cybersecurity leaders can shift from reactive defense to enterprise-wide resilience. Because when leaders see what others miss, they don’t just respond — they reshape the future with confidence.
To understand where gaps remain in cyber strategy and execution, the EY organization and KLAS Research surveyed 100 health executives responsible for cybersecurity decisions within their organization. In addition, the teams interviewed a panel of executives to bring in voices from health cyber professionals.
Implementing AI and analytics without considering cyber is like buying a car without seatbelts. A properly secured technology function allows the organization to go fast and pursue technological advances without threatening its future.
65% of healthcare executives reported feeling empowered to make decisions regarding the allocation of funds and resources for cybersecurity initiatives.
Cyber needs to be a shared responsibility across the organization and the health ecosystem. In a time of tight budgets, cutting cyber investments can leave health organizations more vulnerable and ultimately lead to higher costs. Health executives must pivot from viewing cyber as a cost center to a strategic enabler of the business.
64% of respondents cited either competing organizational priorities or budget constraints as a top challenge to meeting their goals. Clear barriers exist that keep resources and investments from aligning with cybersecurity needs.
56% flagged regulatory concerns over third-party security. Cyber executives said they want compliance policies that also allow them to be strategic and deliver better outcomes. Identifying intersection points in compliance requirements (regulatory, customer or contractual) and unifying related controls could also help reduce the burden.
In interviews, leaders cited attacks exploiting stolen credentials, weak verification processes and over-provisioned accounts. 68% of survey respondents said identity & access management would be the top priority for increasing investments in the coming fiscal year.
52% said training and upskilling personnel is another effective tool in the arsenal to overcome cyber challenges. As part of prioritizing cybersecurity within the overall business, cyber expectations and training should be baked into more roles that are traditionally viewed as noncyber.
68% said enforcing cybersecurity requirements in vendor contracts was a top challenge.