By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: ProofpointPublished October 7, 2025

TL;DR: Ransomware, cloud compromise, supply chain attacks, or BEC disrupted patient care at 72% of organisations, according to Proofpoint’s 2025 healthcare report based on nearly 700 IT and security professionals. The governance problem is no longer data loss alone, but clinical risk propagation through identity, cloud, and human error controls.


At a glance

What this is: Proofpoint’s healthcare report shows cyberattacks are now routinely affecting patient care, not just IT operations.

Why it matters: For IAM, PAM, and security teams, the report reinforces that access control, privilege governance, and human error reduction are patient safety controls as much as cyber controls.

By the numbers:

👉 Read Proofpoint’s 2025 report on cyber risk and patient safety in healthcare


Context

Cyber risk in healthcare is no longer contained within the technology function. When ransomware, cloud compromise, supply chain attacks, or business email compromise interrupt care delivery, the security failure becomes a clinical failure, with consequences that extend to procedures, discharge timing, and patient outcomes.

That matters for identity governance because healthcare environments depend on a dense mix of human access, privileged access, cloud collaboration, and third-party connections. Where those access paths are poorly governed, the issue is not just exposure of systems or data. It is the possibility that an operational incident becomes a patient safety event.


Key questions

Q: What breaks when healthcare identity and access controls are too broad?

A: Broad access in healthcare turns a single compromised or mistaken account into a workflow problem, not just an IT problem. Scheduling, records, messaging, and prescribing can all be affected at once, which increases the chance of delayed treatment, longer stays, and clinical error. Strong privilege boundaries reduce the blast radius of ordinary account misuse.

Q: Why do cloud and collaboration accounts matter so much in healthcare security?

A: They sit inside the daily operating layer of care delivery. If an attacker takes over email, shared documents, or cloud collaboration spaces, they can disrupt approvals, communications, and clinical coordination without touching the EHR directly. That is why these identities should be governed as care-critical access paths, not simple productivity tools.

Q: How can healthcare teams know whether privileged access is actually under control?

A: Look for a measurable reduction in standing administrative access, faster revocation of unused privileges, and monitoring that ties access to specific tasks or sessions. If high-risk users can still operate broadly across care workflows without time limits, approval checks, or strong logging, privilege governance is still too loose.

Q: Who is accountable when a medical device cyber issue affects patient safety?

A: Accountability sits with the manufacturer for ensuring cybersecurity does not compromise clinical performance, but healthcare operators also need ownership for deployment, monitoring, and maintenance. The practical question is not who caused the weakness alone, but who controls the patch path, the risk decision, and the response when patient harm becomes plausible.


Technical breakdown

How cyber incidents translate into patient safety impact

Healthcare attack paths often begin with ordinary enterprise compromise, then move into care delivery systems, communication tools, or connected clinical workflows. Once attackers disrupt those systems, the effect is not limited to downtime. A delayed prescription, a blocked discharge, or a failed lab workflow can alter the clinical timeline. In healthcare, operational resilience and clinical resilience are tightly coupled because access to records, systems, and coordination channels underpins treatment decisions.

Practical implication: map cyber recovery priorities to the workflows that most directly affect diagnosis, treatment, and discharge.

Why cloud compromise and BEC are high-impact in healthcare

Cloud accounts and communication platforms are high-value because they sit inside the daily operating fabric of care teams. Business email compromise can redirect approvals, while cloud compromise can expose or disrupt collaboration, scheduling, and shared clinical content. The security issue is not simply account takeover. It is the loss of trust in the communication and identity layer that staff rely on to coordinate care across roles, shifts, and organisations.

Practical implication: treat collaboration platforms and cloud identities as clinical dependencies, not just administrative tooling.

Human error and privileged access remain persistent control failures

The report reinforces a familiar pattern: many healthcare incidents still begin with user mistakes, unsafe handling of sensitive information, or misuse of privileged access. That means the control gap is often not a lack of policy, but a lack of effective behaviour shaping, least privilege enforcement, and operational guardrails. Where privileged access is broad and user actions are poorly bounded, one mistake can cascade quickly into patient-facing disruption.

Practical implication: tighten privileged access scope and build controls that reduce the blast radius of ordinary human error.


Threat narrative

Attacker objective: The attacker objective is to disrupt or exploit healthcare operations in ways that create systemic operational pressure and downstream clinical harm.

  1. Entry occurs through ransomware, cloud compromise, supply chain access, or business email compromise that reaches healthcare operating environments.
  2. Escalation happens when compromised accounts or systems intersect with scheduling, records, lab, or communication workflows that clinicians depend on.
  3. Impact appears as treatment delays, longer stays, increased complications, and in severe cases patient harm.

NHI Mgmt Group analysis

Clinical risk is now the right lens for healthcare cyber governance. This report shows that security failures are no longer confined to availability metrics or data loss metrics. When 72% of affected healthcare organisations report care disruption, the governing question becomes how access, identity, and recovery controls influence patient outcomes. For IAM and PAM teams, that means care delivery workflows must be treated as protected assets, not just supporting systems. Practitioner conclusion: security governance in healthcare has to be measured against clinical continuity.

Identity and access control failures become patient safety failures in connected care environments. The article’s cloud, collaboration, and human error themes point to a single governance problem: too many critical workflows depend on broad, shared, or poorly bounded access. That creates the conditions for a single compromised account or negligent action to spread across scheduling, records, and communication channels. Practitioner conclusion: healthcare identity programmes need blast-radius control, not just authentication coverage.

Privileged access abuse remains the most consequential human-factor risk in healthcare. The report’s emphasis on employee negligence, privileged access misuse, and misdirected communications shows that the weakest link is often not a novel attack technique but an over-trusted operational model. Clinical access exposure window: the period in which broad human or admin access can affect patient-facing workflows before detection or containment. Practitioner conclusion: reduce standing privilege and use just-in-time access for high-risk healthcare functions.

AI adoption in healthcare will widen governance expectations before it reduces them. The article notes growing AI use in both security and clinical systems, but also highlights data protection and oversight problems. That means AI security in healthcare cannot be separated from identity, authorisation, and data access governance. Practitioner conclusion: if AI is influencing clinical or security decisions, the access path to its data and outputs must be governed like any other care dependency.

Healthcare cyber resilience is becoming a board and clinical leadership issue, not an IT silo issue. The report correctly frames cyber safety as patient safety, which changes accountability. Boards and clinical leaders cannot treat identity governance, recovery planning, and user behaviour as back-office concerns because the business impact is measured in patient outcomes. Practitioner conclusion: governance reporting must connect control performance to operational and clinical risk.

What this signals

Clinical resilience is becoming an identity governance outcome. Healthcare programmes should expect boards to ask whether access controls, privileged access, and recovery planning are sufficient to prevent patient harm, not just downtime. That shifts the programme from compliance reporting toward workflow-based assurance, where control performance is judged against care continuity.

Privilege reduction now has a patient safety dimension. The more care workflows depend on shared collaboration tools and broad admin access, the easier it is for one account failure to propagate into service disruption. Teams should expect stronger pressure to justify standing privilege, especially where access can influence prescribing, discharge, or diagnostic coordination.

The next governance step is to connect identity telemetry to clinical operations reporting. If security teams can show which accounts, sessions, or vendors touch patient-critical workflows, they can prioritise controls based on harm potential rather than generic risk scoring.


For practitioners

  • Map critical care workflows to identity controls Identify which clinical processes depend on cloud accounts, shared mailboxes, privileged admins, and third-party access, then assign explicit control owners for each workflow. Prioritise the identity paths that can delay treatment, discharge, or lab turnaround.
  • Reduce standing privilege in care-delivery systems Replace persistent elevated access with time-bounded, task-specific privileges for scheduling, records administration, and support operations. Require stronger approval and session monitoring for access that can affect patient-facing systems.
  • Harden collaboration and email trust boundaries Apply phishing-resistant authentication, tighter conditional access, and recipient verification for systems used to exchange clinical instructions or sensitive data. Focus on reducing business email compromise and mistaken disclosure in routine care coordination.
  • Tie incident response to patient safety scenarios Build response playbooks that prioritise restoration of prescribing, discharge, and diagnostic workflows before general IT recovery tasks. Test those playbooks with clinical stakeholders so containment decisions reflect patient harm, not only system recovery.

Key takeaways

  • Healthcare cyber incidents are now judged by their effect on patient outcomes, not just system uptime.
  • The strongest signal in this report is the link between broad access, human error, and clinically visible disruption.
  • Security teams need to measure identity and recovery controls against the workflows that directly affect care delivery.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Access control is central because care disruption follows compromised access paths.
NIST SP 800-53 Rev 5AC-6Least privilege directly addresses broad access in healthcare operations.
CIS Controls v8CIS-6 , Access Control ManagementAccess control management is relevant to broad healthcare identity exposure.
ISO/IEC 27001:2022A.5.15Access control policy is relevant where healthcare workflows depend on governed identities.

Map clinical workflows to PR.AC-4 and tighten access boundaries around patient-critical systems.


Key terms

  • Clinical Risk Propagation: The way a cyber incident moves from systems or identities into patient-facing consequences such as delayed treatment, longer stays, or care interruption. In healthcare, this means the impact of a compromise is measured by effects on clinical workflow, not only on data or infrastructure.
  • Care-Critical Access Path: An identity or access route that directly supports treatment, diagnostics, prescribing, discharge, or clinical coordination. These access paths deserve higher assurance because a failure or misuse can affect patient safety, not just operational efficiency.
  • Standing Privilege: Standing privilege is access that remains active even when no immediate task requires it. For NHI programmes, it is a common failure mode because long-lived credentials and persistent roles create unnecessary exposure. Reducing standing privilege usually means tighter expiry, on-demand access, and clearer review of who or what still needs access.
  • Business email compromise: A form of social engineering where an attacker impersonates a trusted person or domain to manipulate payment, change banking details, or extract sensitive information. It often succeeds without malware because the attacker targets process trust and human judgement instead of technical controls.

What's in the full report

Proofpoint's full report covers the operational detail this post intentionally leaves for the source:

  • Survey methodology and respondent breakdown across nearly 700 U.S. healthcare IT and security professionals
  • Detailed treatment of cloud compromise, supply chain, ransomware, and business email compromise in healthcare settings
  • Role-based findings on AI adoption in security and patient care environments
  • The report's full set of patient safety impact measures and sector-specific context

👉 Proofpoint’s full report provides the sector findings and patient impact detail behind these trends.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It helps practitioners build the control thinking needed to reduce access risk across complex security programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org