Hospital Cybersecurity Leaders Identify Non-Negotiable Domains to Fund by 2028
Identity and access, endpoint/email protection, network/Zero Trust, backup and recovery, and 24×7 detection/response emerge as hospitals' "must-fund" cybersecurity stack per current Black Book cyber polls
NEW YORK CITY, NY / ACCESS Newswire / December 3, 2025 / A new Black Book™ flash survey of 211 U.S. hospital and health system IT and cybersecurity leaders finds that a small set of cybersecurity domains has become "non-negotiable" for funding between 2026 and 2028 if clinical operations are to remain safe and financially viable.
The survey, conducted in November 2025, asked CIOs, CISOs, CTOs, and security leaders to identify their top acquisition and expansion priorities for 2026 and to project which domains must be materially funded and measurably improved by 2028.
Identity is the New Perimeter - and the Top Funding Priority
In the flash survey, 71% of respondents named identity and access (IAM, SSO, MFA, PAM, IGA, ZTNA) as one of their top three funding priorities for 2026, making it the highest-ranked cybersecurity domain.
Endpoint and email security, backup, recovery and ransomware resilience, and network security and Zero Trust connectivity followed as the next tier of "must-fund" capabilities for 2026, each cited as top-three priorities by a majority of respondents.
"Hospitals now recognize that identity, front-line endpoint/email defenses, and ransomware-ready recovery are the foundation of any modern cybersecurity program," said Doug Brown, President of Black Book Market Research. "Boards understand they cannot fund every category at once, but they also see a short list of domains that must be measurably better by 2028, or patient care and revenue are at real risk."
By 2028, Core Domains Must Be "Materially Improved"
Respondents were also asked when each cybersecurity domain would be "materially funded and measurably improved," defined as having a named owner, funded initiatives, and active KPIs.
By 2028, more than three-quarters of hospital cybersecurity leaders expect to have identity and access, endpoint/email protection, network security/Zero Trust, and backup/recovery at that higher level of maturity. Domains such as cloud and data protection, clinical technology/IoMT risk, governance and third-party assurance, and human risk and security culture are improving but are less likely to reach that threshold by 2028.
"The data shows a two-speed cybersecurity roadmap in hospitals," Brown added. "Foundational domains like identity, endpoint/email, network segmentation, backup/recovery, and 24×7 detection are being fast-tracked. Areas like IoMT, third-party risk, cloud data protection, and human risk are improving more slowly as organizations struggle to get the basics funded and staffed."
Underfunded Backup and Identity Seen as High-Risk Gaps
When asked about the consequences of underfunding these domains by 2028, nearly nine in ten respondents said inadequate investment in backup, recovery, and ransomware resilience would pose a significant or severe risk to clinical operations, and more than eight in ten said the same about identity and access controls.
When forced to choose a single domain to "fully fund and fix first" by 2028, 29% of respondents chose identity and access, and 23% chose backup, recovery, and ransomware resilience, together accounting for over half of first-choice responses.
Budget and Staffing Constraints Slow Progress
Despite broad agreement on where investment must go, respondents cited familiar obstacles.
Capital budget constraints were named as a major barrier by roughly two-thirds of respondents.
Cybersecurity staffing shortages were cited by over half.
Competing clinical and IT priorities were identified by nearly half of hospital leaders.
"Hospitals are not suffering from a lack of awareness of cyber risk," Brown noted. "They 're suffering from competing capital demands, staffing gaps, and an overwhelming vendor landscape. The organizations that succeed between now and 2028 will clearly define their non-optional domains, assign owners, fund multi-year roadmaps, and insist on measurable outcomes."
A Practical Roadmap: Nine Non-Optional Domains
Black Book's analysis highlights nine cybersecurity domains that hospitals and health systems should treat as non-optional investments over the 2026-2028 planning horizon:
Identity & access as the new perimeter
Endpoint, email, and front-line defense
Network security and Zero Trust connectivity
Cloud and data protection foundations
Clinical technology, IoMT, and device risk
Detection, monitoring, and 24×7 response
Backup, recovery, and ransomware resilience
Governance, risk, and third-party assurance
Human risk and security culture
According to Black Book, these domains form the core of a modern hospital cybersecurity program. By 2028, lack of visible, measurable progress across this list will leave many organizations dangerously exposed to ransomware, data breaches, and operational disruptions.
About the Survey
Black Book™ conducted an online flash survey of 211 qualified healthcare IT and cybersecurity leaders from U.S. hospitals and health systems in November 2025. Respondents included CIOs, CISOs, CTOs, IT and security directors, and security operations leaders with direct responsibility or strong influence over cybersecurity strategy, technology selections, and budgets. Participants were recruited from Black Book's proprietary healthcare opinion panels. At a sample size of 211, the results have an estimated margin of error of ±6.7 percentage points at a 95% confidence level, assuming a random sample. No vendor incentives or sponsorships were disclosed during screening or interviewing. Results are unweighted and are intended to be directionally indicative.
About Black Book Market Research LLC
Black Book Market Research LLC, headquartered in Tampa, Florida, is a full-service market research and public opinion research company specializing in the healthcare and information technology sectors. Since 2003, Black Book has conducted nearly four million global client experience and user satisfaction surveys, providing independent, crowdsourced insights that help healthcare organizations evaluate and select technology, services, and outsourcing partners. For more information on Black Book's healthcare IT and cybersecurity studies, visit Black Book Market Research at https://www.blackbookmarketresearch.com
Download the new Black Book 2026 Cybersecurity Readiness and Resilience reports for Hospitals and Health Systems (gratis), produced without vendor or consultant firm influence or sponsorships:
US Hospital Cyber Readiness 2026: Upstream Ransomware, Vendor Risk, and AI-Driven Threats Report - https://blackbookmarketresearch.com/us-hospital-cyber-readiness-2026
US Hospital Cyber Resilience 2026: Identity, Insurance, and Incident Readiness Report - https://blackbookmarketresearch.com/us-hospital-cyber-resilience-2026
Contact Information
Press Office
research@blackbookmarketresearch.com
8008637590
SOURCE: Black Book Research
© 2025 ACCESS Newswire. All Rights Reserved.












