Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Healthcare cyberattack losses above $200,000: what identity teams need to do


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Healthcare organizations reporting losses above $200,000 nearly quadrupled from 5% to 19% year over year, while 48% experienced at least one incident and 31% saw compromised user or admin accounts, according to Netwrix's 2025 Cybersecurity Trends Report. The findings show that identity-first defence is no longer optional when AI-accelerated phishing and privilege abuse are driving faster, costlier attacks.

NHIMG editorial — based on content published by Netwrix: Resource center News Healthcare Cyberattack Losses Above $200,000 Nearly Quadruple in 12 Months, Netwrix Survey Finds

By the numbers:

Questions worth separating out

Q: What breaks when healthcare identity controls do not keep up with credential theft?

A: When identity controls lag behind credential theft, a single phishing event can become a privileged account compromise, then a broader data or operational incident.

Q: Why do compromised user and admin accounts increase healthcare breach costs so quickly?

A: Compromised user and admin accounts are expensive because they already sit close to sensitive records and operational systems.

Q: How do security teams know whether identity-first defence is working in healthcare?

A: Identity-first defence is working when compromised accounts are detected quickly, privileged actions are constrained, and revocation happens before the attacker can move from login to meaningful access.

Practitioner guidance

  • Reduce the value of every credential after compromise Segment privileged access so a single user or admin account cannot reach patient data, infrastructure, and administrative tools at once.
  • Shorten the lifetime of privileged usefulness Apply tighter joiner-mover-leaver handling, session controls, and just-in-time elevation so high-risk access exists for less time and is easier to revoke after an incident.
  • Instrument account abuse as an incident trigger Alert on impossible travel, unusual privilege use, and admin activity from new devices or locations, then revoke access before the account is used to move into clinical or record systems.

What's in the full report

Netwrix's full report covers the operational detail this post intentionally leaves for the source:

  • Breakdowns of survey methodology across 2,150 IT and security professionals in 121 countries.
  • Industry-by-industry comparisons of incident and loss severity beyond the healthcare subset.
  • The report's broader identity and AI threat findings that sit behind the healthcare figures.
  • Additional survey results that help security leaders benchmark their own exposure against peers.

👉 Read Netwrix's 2025 Cybersecurity Trends Report findings on healthcare breach losses →

Healthcare cyberattack losses above $200,000: what identity teams need to do?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Identity loss is the economic driver behind healthcare breach severity. The survey's cost data shows that once attackers get into a healthcare environment, the financial damage rises fast because access to records, clinical workflows, and admin systems is concentrated behind identities. That means identity governance is not just a control plane issue, it is a loss-containment issue. Practitioners should read incident cost as a signal of entitlement quality, not just threat volume.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: Who is accountable when AI-accelerated phishing leads to an identity breach?

A: Accountability should sit with the teams that own identity governance, privileged access, and incident containment, not only with security awareness programmes. AI makes phishing faster, but it is the organisation's access design that determines how far stolen credentials can go. If access is broad and durable, governance gaps become breach multipliers.

👉 Read our full editorial: Healthcare cyberattack losses expose the limits of identity-first defense



   
ReplyQuote
Share: