Healthcare organizations are under increasing financial pressure, leading to significant cuts in cybersecurity budgets. This trend is concerning, especially as the threats targeting their systems continue to escalate. A recent survey conducted by PwC, involving 381 healthcare executives globally from May to July 2025, highlights the stark gap between the risks the sector faces and the controls currently in place.
Key Findings from the PwC Survey
Data protection remains the primary driver for cybersecurity spending within the healthcare sector. However, only 35% of healthcare organizations have implemented data risk controls throughout the entire data life cycle. In comparison, the global average across all sectors is 44%.
Unpreparedness in Addressing Emerging Threats
Healthcare leaders have identified cloud-related threats, risks associated with quantum computing, and attacks on connected products as the three areas where they feel the least prepared. This sentiment is consistent among payers and providers, as well as pharmaceutical and life sciences companies, despite some variations in specifics.
For pharmaceutical and life sciences firms, the situation regarding quantum preparedness is particularly alarming. More than half of the respondents indicated they have not begun implementing any quantum-resistant security measures, and only 7% plan to allocate a budget for quantum readiness in 2026.
Challenges Faced by Payers and Providers
Healthcare payers and providers operate within fragmented systems that span multiple vendors, platforms, and data repositories. This fragmentation creates security gaps and complicates governance. The rise in fraud, especially through unsecured applications and inadequate identity management, has particularly impacted online healthcare accounts and incentive programs, such as preventive care debit cards. Consequently, data protection and security awareness training have emerged as top investment priorities for these organizations in the upcoming year.
Unfortunately, data governance gaps remain prevalent. Only 39% of payers and providers have adopted data minimization strategies across their organizations, and just 37% have implemented comprehensive data controls. Often, sensitive data, including extracts and historical records, resides in uncontrolled environments, making it more difficult to protect and audit.
On the operational technology front, lack of network segmentation is the primary challenge for providers, cited by 50% of respondents. Following closely are gaps in operational technology-specific skills and resources at 47%, along with unclear governance related to OT cybersecurity, which affects 45% of respondents.
As regulatory requirements tighten, organizations must adapt. Proposed revisions to the HIPAA security rule in the United States would mandate annual security risk assessments, encryption, and multi-factor authentication. In India, the Digital Personal Data Protection Act imposes strict compliance obligations for processing health data and obtaining consent.
The financial landscape is critical, with healthcare costs estimated at $5 trillion annually and increasing at nearly 8% each year. Factors such as rising insurance claims, reduced government funding, and the prevalence of chronic and mental health conditions contribute to this growth. Many organizations are now opting to accept higher cybersecurity risks to avoid upfront spending.
Intellectual Property and Third-Party Risks in Pharma and Life Sciences
Pharmaceutical and life sciences companies prioritize the protection of intellectual property, including proprietary formulas, research data, and clinical trial information. Breaches in this area can lead to delays in regulatory approvals or clinical trials, alongside financial and reputational damage.
Third-party risk remains a significant concern. The sector relies on extensive networks of contract researchers, manufacturers, and vendors. A quarter of surveyed pharmaceutical leaders identified third-party breaches as one of the top three threats their organizations are least prepared to manage.
Data controls in the pharmaceutical sector are often inadequate. Approximately half of the surveyed companies have implemented data classification policies and data loss prevention measures across key exit channels. Only 33% have established controls throughout the entire data life cycle, and merely 2% have implemented all eight data risk measures outlined in the survey.
Vulnerabilities related to cloud and connected devices are also high on the list of concerns. Many pharmaceutical operations depend on cloud infrastructure for storing clinical trial data and automating production lines, emphasizing the need for secure-by-design architectures. The convergence of IT and operational technology increases exposure to risks, as attacks on smart manufacturing systems can disrupt production, supply chains, and drug quality.
Investment Priorities for 2026
In light of these challenges, healthcare payers and providers are planning to increase their cybersecurity budgets in 2026. Artificial intelligence has been identified as the top investment category, followed closely by cloud security and threat management. However, only 24% of pharmaceutical and life sciences firms are significantly increasing their budgets for proactive measures, such as monitoring and training, compared to reactive measures like incident response and remediation.
