January 15, 2025 | Keavy Murphy
2025 Healthcare Security and Compliance: Trends and Threats in the Cyber Landscape
By Keavy Murphy, VP, Information Security

Cybersecurity is a field of constant change and emerging threats. Even so, in healthcare the core challenges and patterns of risk and security remain unchanged. Many professionals describe security as a “shifting landscape,” but because the healthcare environment is heavily regulated and its primary focus is patient care, this industry does not see massive change from a risk management or threat perspective.
Accordingly, 2025 will bring some new trends (including HIPAA risk analysis enforcement and the HISAA proposal), but more will remain unchanged (such as cautious artificial intelligence (AI) adoption and phishing remaining the top exploitation method).
Slow AI Adoption in Healthcare
AI has been the most discussed technology trend in 2024, though its impact on healthcare and public health has been minimal, especially compared to other verticals like retail, financial services, or data analytics. This lack of investment and prioritization will continue in 2025 for most healthcare-related businesses. The precipitating factor is that the priority for this field remains, as always, patient care. This is why the healthcare space is often the last to innovate – the number one focus is keeping patients safe and healthy, not adopting the latest trending technology strategies.
Separately, the heavy regulations that keep order in the healthcare space, from HIPAA to HITECH, raise concerns about risk to personal health information (PHI), which translates into minimal AI adoption in hospitals and private practices. Another complicating factor is that the HIPAA Security and Privacy Rules were written to be technology agnostic so that they could still apply as new platforms and devices emerged. Because generative AI is considered a breakthrough technology, the Department of Health and Human Services (HHS) has published little communication or guidance on using it while remaining HIPAA-compliant, which no doubt slows its adoption by healthcare organizations.
This combination of patient care being the central focus, heavy regulation, and worry about risk to PHI means AI will remain largely unprioritized by healthcare businesses in 2025. However, that doesn’t mean the technology isn’t continuing to develop. Many companies will work on the efficacy and security of AI features in the meantime while attitudes and regulations catch up.
Exploitation via Phishing Remains
The cybersecurity field often uses the cliché “the evolving threat landscape” to describe the emerging risks and constant new exploitation methods that appear. While new exploitation trends surface daily, phishing in the healthcare vertical is here to stay and will remain, in 2025, the most popular form of attack by malicious actors. Current metrics state that over 90% of healthcare cyberattacks are phishing attempts.
The standard method of exploitation via a phish or a smish (a text-based phishing attempt) is successful – bad actors do not need to employ the latest threat vector (AI, for example) when they continue to see success by convincing those working in healthcare or public health to click a fraudulent email or text. Per the Verizon Data Breach Investigations Report (DBIR), users often fall for phishing emails in less than 60 seconds.
Increase in Financial Penalty under HIPAA Risk Analysis Enforcement Initiative
On November 1, the HHS Office for Civil Rights (OCR) released details on its first HIPAA enforcement action under its new “risk analysis enforcement initiative.” Though risk analyses have always been a requirement under the HIPAA Security Rule, parties often see them as wasteful due diligence and unnecessary paper pushing. As a result, many companies do not complete them, and to date, these businesses have not been targeted with penalties for noncompliance. With the increase in healthcare data breaches, the OCR has taken action to address risk analysis violations.
Per the OCR, “Failure to conduct a HIPAA Security Rule risk analysis leaves health care entities vulnerable to cyberattacks, such as ransomware. Knowing where your ePHI is held, and the security measures in place to protect that information is essential for compliance with HIPAA.” In 2025, these enforcements, specifically for risk analysis, will continue. The OCR sees this due diligence step of assessing risk to PHI as critical due to the significant increase in ransomware within the healthcare space.
As such, this first enforcement will not be the only one, and we will see similar penalties happening to other businesses that fail to conduct proper governance, risk, and compliance due diligence in 2025.
Health Infrastructure Security and Accountability Act (HISAA)
In September 2024, senators introduced the Health Infrastructure Security and Accountability Act to improve cybersecurity baselines in the healthcare space. If passed, this legislation will require healthcare providers, plan owners, or “entities that are of systematic importance” to regularly test their security posture, sign statements of compliance, and implement robust business resiliency controls. Noncompliance would lead to significant penalties, not unlike those enforced by OCR under HIPAA.
To date, the healthcare space has not seen such a stringent legislative proposal, nor one as closely aligned with Sarbanes-Oxley (SOX) as HISAA is. Though this regulation is still in the early stages of review, it is clear that, even if not signed into law, it will incentivize the creation of future cybersecurity legislation. It has been estimated that over 170 security and data privacy regulations have been drafted since 2022, which evidences the strong and far-reaching desire for such legislation. Whether or not HISAA becomes law, pressure for security legislation will persist.