Enhancing health-care delivery through cyber resilience

Canadian hospitals, clinics and other health-care organizations are the frequent targets of cyber attacks¹ that have led to delayed medical procedures², privacy breaches, financial damage and compromised patient safety.³

More than half (54%) of the health-care respondents to our 2025 Global Digital Trust Insights survey ranked cyber as the highest risk for mitigation facing their organization. This shows that many respondents recognize their organizations are technologically vulnerable. But safeguarding your organization involves going beyond mitigation. It also requires cyber resilience at the enterprise level.

These investments can be challenging for resource-strained health-care organizations. Allocating funds to cybersecurity instead of hiring an additional nurse or investing in other areas of front-line care can be a difficult decision for an individual hospital or clinic. 

Conversely, establishing regional or provincial cybersecurity strategies for the health-care sector can effectively focus resources and increase operational resilience. We’re currently seeing momentum move in different directions across the country. In some cases, provinces are adopting a shared services approach. This includes Ontario’s Regional Security Operation Centre pilot programs, and transition to Local Delivery Groups, which promote resource sharing and a collective approach to cybersecurity.⁴ But there are still opportunities for province-wide leadership across the country.

By collaborating, health-care organizations can strengthen their defences and securely digitize patient care, letting health teams effectively work together to enhance patient outcomes. This approach can also help health-care organizations invest resources efficiently, build resilience and stay ahead of regulatory developments. 

We often see a substantial deficit in technical, security and privacy spending within health-care organizations. And our survey found health-care organizations are increasing their cyber budgets at a slower rate than other sectors: 71% of health-care organizations told us their cyber budget would increase in 2025, compared to 77% of respondents across all industries. Additionally, 17% of health-care organizations said their cyber budget would remain flat in 2025, compared to a global average of 11%. 

Where are health-care organizations investing? Nearly half of organizational leaders (48%) say they’re prioritizing data protection and data trust. This suggests these organizations understand that securing sensitive information is vital to maintaining citizen trust and reputational integrity. It also mitigates the risk of service disruptions and facilitates appropriate data sharing, which can improve patient outcomes. For example, a patient may consent to their psychiatrist accessing information about their recent cancer diagnosis—but should be confident that health-care staff not involved in their treatment are unable to access their records. 

Health-care respondents—like those from other sectors—told us they’re also increasing their investments in generative artificial intelligence (GenAI) for cyber defence, particularly for threat intelligence, detection and response. GenAI can help filter vast amounts of data to pinpoint critical threats and enhance cyber defences through advanced threat-hunting activities. This includes monitoring the online presence of an organization’s senior leaders to detect spoofed profiles or compromised credentials. 

By consolidating investments in these and other cyber priorities, organizations can achieve cost efficiencies and develop greater maturity than if they operated individually.

With limited health-care funds, it’s crucial to align spending with current and future risks. Yet our survey respondents provided a sobering assessment of their cyber readiness: many of the threats they find most concerning are also the ones they feel least prepared to address (see chart). 

The gap in health care’s cyber threat preparedness

Organizations’ growing reliance on connected products, cloud and third parties increases their attack surface. Access controls, ring fences and similar measures can mitigate these threats. But true cyber readiness requires organizations to close resilience gaps and develop plans to recover quickly from attacks to minimize disruption. Health-care organizations that prepare properly can return to normal operations faster—reducing disruptions such as cancelled surgeries, delayed diagnoses and diverted patients.

These preparations include assessing the extent to which difficult-to-protect legacy technologies are hindering the defences of an organization. The good news? More than four in 10 (43%) organizations are prioritizing technology modernization, including cyber infrastructure, in their cyber budgets. This is a powerful opportunity to increase cyber resilience by decommissioning legacy technologies, which often have known vulnerabilities. But there are still opportunities to go further.

By joining forces, health-care organizations can more effectively close their resilience gaps and maintain operational continuity. Our survey reviewed 12 resilience actions across people, processes and technology and found that 46% or fewer of health-care organizations have fully implemented any one of those actions. Here are several important areas where health-care organizations can collaborate to increase their collective resilience (figures show the percentage of health-care respondents that have not implemented the resilience action across their organization):

• Develop a cyber recovery playbook for IT-loss scenarios (68%)

• Implement cyber recovery technology solutions (64%)

• Share information with sector peers through formal processes to prevent systemic risks (65%)

• Establish a resilience team with members from functions such as business continuity, cyber, crisis management and risk management (63%) 

New cyber and privacy rules affecting health-care organizations in Canada are on the horizon. Bill 194 in Ontario, and bills C-26 and C-27 federally, will require health-care organizations to bolster their cybersecurity measures, protect patient data more rigorously and ensure compliance with new regulations on personal information, patient health data and technology use.

Currently, the provinces of Ontario, New Brunswick, Newfoundland and Labrador and Nova Scotia each have health laws declared substantially similar to the federal Personal Information Protection and Electronic Documents Act (PIPEDA) with respect to health information. If Bill C-27 doesn’t pass—due to an election or other reason—we expect provinces that have been holding off on their own updates pending new federal rules will introduce privacy legislative changes. 

Health-care organizations understand that regulations can be a powerful tool for protecting sensitive information. Many also believe regulations can lead to positive change: 76% say that regulations helped challenge, improve or increase their cybersecurity posture. 

Effective investments in cyber controls can help facilitate health research and the implementation of new diagnostic and treatment technologies. Without these controls, some organizations may abandon these initiatives because they can’t adequately protect the information. National and provincial strategies can help individual health-organizations strike the right balance between data sharing and data security by promoting consistent and safe handling of personal information and appropriate disclosure, access and consent.

^{1- “Cybersecurity: Cyber resiliency in healthcare,” Digital Governance Standards Institute, 2023.}

^{2- Karen Howlett and Jill Mahoney, “Two months after Ontario hospital cyberattack, many patients are left in limbo,” The Globe and Mail, December 22, 2023.}

^{3- Vinyas Harish, Alun Ackery, Kiran Grant, Trevor Jamieson and Shaun Mehta, “Cyberattacks on Canadian health information systems,” Canadian Medical Association Journal, November 20, 2023.}

^{4- Ontario Health, “Operational Direction: Participating in the Provincial Cyber Security Operating Model ,” June 20, 2023.}