The 2026 Healthcare IT Landscape Report describes growing cybersecurity challenges across the healthcare sector, with survey results indicating that many organizations remain inadequately prepared to recover from cyberattacks. The report is based on responses from 200 healthcare business leaders at United States healthcare organizations with between 50 and 600 employees, including medical practices, clinics, ambulatory care centers, specialty service providers, and long-term care facilities.
Survey findings indicate greater potential impact of cyberattacks on patient safety. Sixty-one percent of respondents stated they believe a cyberattack on a healthcare facility could result in a patient fatality within the next five years. The previous year’s survey indicated only 52 percent expressed the same concern.
The report identifies substantial gaps in cyberattack recovery readiness. Eighty-two percent of surveyed organizations acknowledged meaningful deficiencies in their recovery capabilities. Thirty-one percent reported they cannot rapidly contain and resolve data breaches. Twenty-four percent do not regularly conduct incident response training. Twenty-one percent lack an independent electronic medical record recovery path or continuous access to a 24-hour security operations center. Thirteen percent reported having no documented recovery plan.
The survey results also showed the operational consequences of losing access to electronic medical record systems in times of a cyberattack. Forty-seven percent of respondents stated that patient records would affect patient safety and create malpractice liability. Fifty-three percent said that interruptions in billing, claims processing, and scheduling would affect revenue. Twenty-five percent indicated they would be unable to maintain baseline care standards, creating the possibility of temporary or permanent closure.
Artificial intelligence adoption continues to expand across healthcare organizations. 93 percent of healthcare practices have implemented artificial intelligence tools. But many organizations have not established secure infrastructure capable of supporting those technologies safely.
Third-party vendor risk remains a recurring concern. Eighty-five percent of respondents experienced at least one operational breakdown during the previous 12 months because of an attack on a third-party vendor or a vendor’s subcontractor. Twenty-four percent reported a third-party breach that directly impacted their data or operations.
Despite those incidents, the report found that 70 percent of respondents expressed confidence or strong confidence in their vendors’ cybersecurity posture. But 63 percent reported they do not consistently monitor their networks and digital supply chains. The report states that proposed updates to the HIPAA Security Rule would require annual reverification of business associate cybersecurity measures, resulting in more frequent evaluation of vendor security controls.
Sixty-two percent of surveyed healthcare leaders reported treating cybersecurity as a technical expense. According to the report, this influences funding decisions and contributes to unresolved cybersecurity gaps.
Compliance challenges also remain evident. The report states that six out of ten healthcare leaders have self-attested to HIPAA compliance despite knowing that their risk analyses identified unresolved vulnerabilities. Twenty-three percent of surveyed practices had filed a breach report with the Office for Civil Rights.
Preparation for anticipated HIPAA Security Rule revisions also appears limited. Only 24 percent of surveyed organizations reported that they are ready for the proposed changes. The report identifies staffing, funding, and technology limitations as contributing factors. Thirty-five percent described their cybersecurity or information technology teams as understaffed. Thirty-three percent reported underestimating the severity and frequency of cyberattacks. Twenty-six percent reported the lack of funding for cybersecurity teams, while 23 percent reported relying on outdated cybersecurity technology. Twenty-one percent acknowledged intentionally minimizing cyberattack risks to reduce reputational harm.
The report concludes that healthcare organizations continue to face problems with cybersecurity, HIPAA compliance, the use of artificial intelligence, and vendor management. It states that organizations making governance-level commitments to address these issues collectively, rather than separately, are positioned to respond more effectively to the evolving threat landscape.