Zscaler Blog


2025 Reflections and 2026 Predictions: Healthcare’s Cybersecurity Frontier

TAMER BAKER, STEVEN HAJNY
January 06, 2026 - 6 min read

As cybersecurity professionals, one of the most valuable things we can do is reflect on the lessons of the past while preparing thoughtfully for the challenges ahead. Healthcare is a uniquely complex field, and its evolving cybersecurity landscape demands fresh perspectives and intentional strategies.

On the latest episode of We Have Trust Issues, we (Tamer and Steven) invited Carter Groome, CEO of First Health Advisory, to join us in dissecting 2025’s major healthcare trends and anticipating what 2026 has in store. Carter’s perspective as a seasoned consultant and industry leader revealed what healthcare cybersecurity leaders need to know to navigate pressing challenges in AI adoption, regulatory compliance, risk reduction, and operational resilience. Here are the takeaways we think every reader should consider carefully.

Lessons from 2025: A Pivotal Year for Healthcare

Take a deep breath—2025 was a whirlwind. Beyond a surge in AI implementation, the healthcare sector faced mounting external pressures that forced security teams to evolve rapidly.

Looking back, Carter identified two major themes that dominated 2025:

  1. Delivering Measurable Value in Cybersecurity: Boards are no longer interested in hearing about risks without action plans. 2025 saw heightened calls for rationalizing technologies, streamlining tools, and proving measurable reductions in risk exposure. Security leaders need to answer questions about their stacks: Are tools overlapping unnecessarily? Is anyone addressing the noise? How can systems integrate to reduce vulnerabilities, instead of simply highlighting them?
  2. Building Resilience: Healthcare organizations shifted heavily toward operational resilience. With the assumption that a breach isn’t a matter of “if” but “when,” CISOs are investing more in continuity plans, disaster recovery strategies, and minimum viable hospital models.

“Healthcare security teams aren’t just tasked with defending anymore. They need to recover and help organizations thrive—even when bad actors succeed,” Carter noted during our conversation. The incredible pressure to enable agility while reducing costs has left security leaders juggling priorities more intensely than ever.

AI Dominated 2025: But What Was the Real Impact?

Artificial Intelligence was the buzzword of the year—and while it unleashed enormous potential across healthcare, it also exposed serious risks. We’ve seen enterprises rush to adopt AI solutions across operations, clinical workflows, and cybersecurity. But this “race to innovate” often lacks governance, intentionality, or alignment with real-world challenges.

“There’s been an obsessive approach to implementing AI for the sake of implementing AI,” Carter noted. “Boards push competitive advantages, efficiency, and labor replacement—but often forget the critical steps like governance and risk reviews. This pressure could lead organizations into dangerous territory if left unchecked.”

The parallels with the onset of the pandemic are impossible to ignore, as organizations scrambled to enable work-from-home setups overnight, figuring out security after the fact. While AI represents progress, Carter warned against deploying solutions without thoughtfulness, transparency, or careful evaluation of real use cases.

As security professionals, we agree there’s a need for balance—AI adoption doesn’t have to mean sacrificing foundational principles. Instead, let’s focus on sober assessments of AI’s utility and risks, ensuring tools solve problems rather than creating new vulnerabilities.

Looking Ahead: Predictions for 2026

As we turn to 2026, Carter emphasized one guiding principle: intentionality. Healthcare needs more deliberate efforts to address governance structures, data strategies, and technical infrastructure. Without thoughtful preparation, healthcare organizations won’t be able to keep up with the accelerating pace of threats.

Here’s what Carter predicts for 2026:

  1. Identity Takes Center Stage: Identity management, including human users, devices, and AI agents, will be mission-critical as adversaries find easier ways to carry out credential-based attacks. With healthcare tied so closely to IoT and medical devices, zero trust policies will increasingly target identity-first frameworks.
  2. Organizational Extortion Intensifies: Executive extortion and class action lawsuits after breaches are likely to increase, leaving healthcare CISOs to defend both the digital and legal standing of their organizations. Carter emphasized that industry-wide adoption of baseline cybersecurity controls, such as the Cybersecurity Performance Goals (CPG), could reduce liability and improve recoverability.
  3. Malware-Free Intrusions Become Commonplace: Why hack systems when stolen credentials allow bad actors to log in directly? Healthcare organizations will need to rethink defenses to address this growing trend.
  4. Authenticity Becomes a Priority: AI-generated media, voice deepfakes, and sophisticated social engineering tactics will make distinguishing real from fake harder than ever. Security strategies must emphasize authenticity, ensuring trust remains intact across systems, users, and stakeholders.
  5. Risk Reduction Must Be Measurable: Platforms will need to shift from identifying risks to actively reducing them. Carter projected that organizations will cancel contracts with tools unable to demonstrate measurable risk reduction and ROI.

     

Cybersecurity Strategy in Action

As we discussed with Carter, healthcare cybersecurity leaders have their work cut out for them in 2026. A successful strategy will hinge on intentional planning and coordinated efforts, and there are tangible steps organizations can take right now:

  • Rationalize Your Security "Estate": Visibility across IoT, medical devices, IT systems, and data inventory is critical. Carter highlighted that high-fidelity inventories and tools explicitly designed to consolidate visibility will offer healthcare organizations a competitive edge.
  • Prove ROI: Security is often seen as a cost center, but boards are asking for more. Carter suggested that next year’s focus will be on demonstrating reduced costs, minimized risks, and smarter resource allocation.
  • Lead with Zero Trust and Identity Frameworks: The healthcare threat landscape is evolving, placing clinical workflows and patient devices at greater risk. Aligning resources with zero trust frameworks centered on human and device identity will be essential moving forward.
  • Adopt AI Intentionally: Thoughtful use of AI requires transparent vendors and proper risk evaluation. Avoid rushing to implement technology just because it’s available—focus instead on solutions that align with measurable outcomes.

The Regulatory Landscape

One area Carter flagged for significant 2026 growth is healthcare-specific regulation. From updates to the HIPAA security rule to sector-specific Cybersecurity Performance Goals (CPGs), policy movements will shape compliance efforts.

“Regulatory updates like HIPAA’s proposed rules bring significant pain points for healthcare organizations,” he explained. “If frameworks are too demanding, security leaders will need time, consultation, and scalable solutions to avoid compounding financial strain in an already vulnerable industry.”

Final Thoughts: Authenticity Sets the Tone

As we said goodbye to Carter after the episode, he left us with one important point: authenticity will be at the heart of effective cybersecurity strategy in the year ahead. Healthcare leadership—boards, C-Suite executives, and cybersecurity professionals alike—must create a foundation of trust across their organizations. Whether defending against adversaries or educating teams about skepticism online, setting the right tone will drive investment in security and privacy.

“Nobody wants their healthcare organization to get extorted by bad actors—and nobody wants their patients to lose confidence in their care providers,” Carter remarked. “Right now, the focus needs to be on reducing risks thoughtfully and proving value in everything we do.”

We couldn’t agree more—and as we enter 2026, intentional planning and prioritized solutions must be the cornerstone of every healthcare security program.


Disclaimer: This blog post has been created by Zscaler for informational purposes only and is provided "as is" without any guarantees of accuracy, completeness or reliability. Zscaler assumes no responsibility for any errors or omissions or for any actions taken based on the information provided. Any third-party websites or resources linked in this blog post are provided for convenience only, and Zscaler is not responsible for their content or practices. All content is subject to change without notice. By accessing this blog, you agree to these terms and acknowledge your sole responsibility to verify and use the information as appropriate for your needs.
