EY/KLAS Survey Finds US Health Systems Make Cybersecurity a Business Imperative

Executives prioritize identity-first spending to counter persistent disruptions from phishing across a broadening threat mix.

Overview

More than 70% reported financial, clinical or operational disruptions in the past year, with 72% citing moderate to severe financial impact over 24 months.
Organizations encountered an average of five distinct threat types in the last year, with phishing leading followed by third-party breaches and malware.
Identity and access management leads planned budget increases at 68%, with threat and vulnerability management next at 64%.
Leaders describe a resilience gap, as 65% feel empowered to fund cybersecurity initiatives yet major incidents continue.
Vendor exposure and talent shortages remain constraints, with 68% struggling to enforce vendor requirements, 56% noting regulatory concerns, and 52% viewing training and upskilling as effective.