
Healthcare: 2023 Insights from the Ponemon Institute



In today's rapidly evolving digital landscape, offensive security has emerged as a crucial strategy for organizations, particularly in the healthcare sector. In our latest industry cut, The Offensive Security Blueprint for Healthcare, we share a comprehensive analysis based on input from 100 participants representing healthcare organizations (15% of the total sample) in Ponemon Institute's 2023 State of Offensive Security Report.

This industry analysis serves a dual purpose:

  • Empower healthcare security leaders to gain a profound understanding of the current offensive security practices that are shaping the healthcare industry
  • Strengthen security strategies by sharing the essential elements that must be integrated into your security approach for robust protection

Don't miss out on this authoritative report that will equip you with the knowledge and strategies necessary to safeguard your healthcare institution in an ever-changing threat landscape.

Research Findings: Healthcare

The healthcare sector is a prime target for digital threats due to its sensitive patient data. However, our analysis shows that healthcare organizations with mature security programs are diligently taking proactive measures to identify and address potential vulnerabilities. These organizations should be looked to as prime examples in the industry for effectively combating modern adversaries.

The most common offensive security practices employed by these organizations include red teaming, application security, network testing, and IoT testing for medical devices. In fact, 63% of these organizations believe that these practices have effectively strengthened their defenses against top cyber threats.

By adopting these proactive measures, healthcare organizations are taking a strong stand against digital threats and safeguarding the privacy and security of patient data.

Usage of Offensive Security

Healthcare organizations prioritize offensive security testing for their internal and external networks (50%) and IoT testing/product security (51%) at a slightly higher rate than other industries (47% and 49% respectively). This is largely due to government regulations, such as HIPAA, and recommendations from certification agencies, like HITRUST. However, they fall behind in utilizing other offensive security services compared to their counterparts in different sectors.

Historically, the healthcare sector has been hit by ransomware attacks that propagate throughout the network and impact the entire system. These ransomware attacks not only impact internal IT systems but can be detrimental to patient care, and even fatal. Consequently, safeguarding network infrastructure is vitally important, which is evidenced by the industry's emphasis on internal and external network testing. Ensuring the uninterrupted operation of critical healthcare systems and protecting sensitive patient data are paramount to the safety and well-being of patients.

In addition, medical device security and IoT testing are both growing trends as the world becomes even more interconnected. The pandemic fueled these trends, as we saw with the explosion of in-home care options and connected devices to better monitor patient health.

FIGURE 1 – Does your organization's offensive security strategy include any of these services? (Bar graph: all industries vs. healthcare.)

Drivers for Offensive Security Testing

In addition to the explosion of medical devices, the global pandemic dramatically reshaped the healthcare sector in terms of embracing new technology like telehealth services. In fact, 46% of healthcare organizations with mature security programs consider "new technology adoption" as a top priority for offensive security testing, slightly surpassing the industry average (44%). Unsurprisingly, regulatory and third-party compliance are also a major focus for healthcare organizations, with 42% prioritizing it. Additionally, the sector heavily depends on cloud-based solutions and new applications to provide top-notch patient care, as indicated by the figures of 37% for ‘cloud migration’ and 38% for ‘new application releases’.

FIGURE 2 – Which of the following use cases has driven offensive security testing in your organization in the last 18 months? (Bar graph: all industries vs. healthcare.)

Executive oversight and mergers and acquisitions have emerged as critical priorities in the healthcare industry. Surprisingly, healthcare organizations are placing more emphasis on these areas compared to other industries. In fact, 23% of healthcare organizations consider executive oversight important, surpassing the industry average of 21%. Similarly, 25% of healthcare organizations prioritize mergers and acquisitions, exceeding the all-industry average of 23%. Moreover, in response to the challenges brought by the pandemic, leaders increasingly acknowledge the importance of executive-level involvement in security programs to guarantee the safe and efficient provision of healthcare services in a new era of digital healthcare.

Top Cyber Threats

Insider threats, ransomware, and zero-day exploits are the key concerns for healthcare organizations, accounting for a significant 45%, 43%, and 38%, respectively. These priorities set them apart from the all-industry average, which prioritizes ransomware at 41%, social engineering attacks at 40%, and cloud vulnerabilities at 39%.

FIGURE 3 – What types of cyber threats are driving your offensive security investments? (Bar graph: all industries vs. healthcare.)

Red Team Services

Healthcare organizations understand the criticality of conducting regular testing that mimics real-world situations and potential threats. The industry is increasingly inclined (66%) towards conducting Red Teaming exercises on a quarterly, monthly, or continuous basis, showing a strong dedication to constant vigilance. Furthermore, healthcare organizations are highly motivated to substantially or moderately boost their investments in Red Teaming (58%) in the next one to two years. This unwavering commitment to thorough testing and increased investment underscores the industry's firm resolve to ensure robust security measures.

FIGURE 4 – Which Red Team services are most important for your organization to test? (Bar graph: all industries vs. healthcare.)

Cloud Security

Our study unveils a clear inclination towards the utilization of public cloud in the healthcare sector, with leading providers identified as AWS, Azure, and IBM. Healthcare institutions value cloud configuration reviews slightly more (41%) compared to the general industry (38%), and threat analysis even more so (47% vs. 41% industry-wide). The nearly identical importance attached to penetration testing (58% for healthcare vs. 59% industry-wide) and assumed-breach scenarios (26% vs. 27%) across different sectors underscores a mutual recognition of their crucial role in an aggressive cybersecurity approach.

FIGURE 5 – Which cloud service provider is your organization currently using? (Bar graph: all industries vs. healthcare.)


The healthcare industry is making significant progress in securing its environment, as evidenced by the Ponemon data, which surveyed healthcare organizations with advanced security programs and revealed their commitment to offensive security. These organizations prioritize internal Red Teaming, favor public cloud usage, and make substantial investments in securing medical devices.

Unlock the full power of the Healthcare industry cut with our comprehensive analysis. Discover why healthcare organizations are investing in their offensive security capabilities and learn how you can implement these game-changing tactics in your own organization. Don't miss out on this opportunity to stay ahead of the curve. Download now.



About the author, Beth Robinson

Senior Content Writer

Beth Robinson is a Bishop Fox Senior Content Writer alumna. She joined Bishop Fox with nearly 20 years of experience focused on technical intelligence issues.
