THALES BLOG

The Doctor Has Good And Bad News…About Cybersecurity

October 07, 2025

Marcelo DeLima | Senior Manager, Global Solutions Marketing

“About your cybersecurity, Doctor Schrödinger, we have both good and bad news….”

The 2025 Thales Data Threat Report for Healthcare and Life Sciences (HCLS) is a mixed bag. The sector is getting stronger, but the threats are not going away. Cybercriminals adapt as quickly as the industry they target. Every cure seems to uncover a new complication.

Let’s start with the good news.

Breaches Are Down. Way Down.

Breaches in healthcare, biotech, and pharmaceuticals have been dropping steadily. In 2021, more than a third of organizations reported a recent incident. This year, that figure fell to just 12%. A 25-point decline in four years is not a blip; it’s a trend.

There are reasons for this success: more disciplined practices, wider adoption of identity and access controls, and a cultural shift in how organizations view the value of patient and research data.

Multi-factor authentication (MFA) is a clear example. In 2021, only 14% of firms could say that 40% or more of their staff used MFA. That figure is 86% today - a 72-point leap in four years. For an industry often accused of lagging in IT maturity, that is a remarkable step forward.

It shows that when the stakes are high, change is possible.

Structural Challenges Make Progress Harder

Here comes the bad news. The easy fixes are mostly done. MFA adoption was an obvious and critical low-hanging fruit. Encrypting laptops, patching obvious vulnerabilities, and tightening access controls are all critical, all achievable with focus and persistence.

However, the next stage is harder. The challenges ahead are not only technical. They are structural, systemic, and deeply tied to the way healthcare and life sciences use technology across their businesses.

Unfortunately, they’re only getting more complex.

Complexity Is Now the Enemy

The average HCLS entity now runs 77 SaaS applications and almost two IaaS platforms. Hybrid IT is no longer a choice; it is the norm. Each additional service adds surface area, and each new provider brings a fresh set of policies, controls, and possible risks.

APIs multiply the problem. A third of organizations manage more than 500 APIs. 14% are juggling over 1,000. APIs connect the digital arteries of modern healthcare, but they also create new places to cut, intercept, or poison the flow.

On top of this sits the explosion of data flowing across multiple systems and environments. 27% of HCLS organizations have little or no confidence in identifying where their data is stored. In order to tackle that, they are adopting multiple data discovery and classification tools, leading 59% of firms to use five or more.

Instead of clarity, many have created noise: conflicting policies, overlapping processes, and inconsistent controls.

The result? Despite rising investment, only 4% of HCLS organizations have encrypted 80% or more of their sensitive cloud data, even though nearly half of all data stored in the cloud is sensitive.

The AI Dilemma

Then there’s AI.

Healthcare, biotech, and pharmaceuticals are already using it. 27% of organizations report they are in the integration or transformation phases of their GenAI journey. That’s behind the broader market, but the momentum is clear.

Yet AI is also the number one security concern. 67% of respondents cite the fast-moving AI ecosystem as their top worry. Concerns range from model integrity to data reliability, from third-party trust to outright misuse.

Half of the spending on AI security comes from existing budgets, and 18% from newly allocated funds. This shows recognition, but it also shows strain. Firms are rebalancing resources to defend against risks they don’t yet fully understand.

And there is a deeper worry. There are concerns that AI will not only expand attack surfaces but will also accelerate the speed of attack itself. Compromise at machine speed, remediation at human pace. That is the asymmetry CISOs fear.

Quantum Shadows

Beyond AI, the report reveals another looming risk: quantum computing.

59% of HCLS leaders are concerned about future encryption compromise. 69% fear problems with key distribution. Another 68% worry that today’s encrypted data could be harvested and decrypted later, when quantum power makes it possible.

The sector is not passive. More than half are already prototyping or evaluating post-quantum cryptography algorithms. But the reality is that no one knows exactly when the threat will become real. CISOs must prepare for a race against time they cannot yet see.

Lessons From The Good And The Bad

So what do we make of this mix of progress and risk?

First, the report shows that healthcare and life sciences can adapt when urgency is clear. The dramatic fall in breaches and the surge in MFA use prove it.

Second, the report warns that complexity is now the greatest threat. APIs, SaaS sprawl, multi-cloud reliance, and data discovery tools that don’t align all fragment control and blur accountability. Malefactors thrive in that fog.

Third, it highlights the paradox of innovation. AI and quantum are powerful tools for progress in medicine and science. They are also disruptive forces in cybersecurity. Leaders cannot separate those realities. They must prepare for both.

What Needs To Happen Next

Healthcare and life sciences firms need to evolve from tactical responses to strategic platforms. Point solutions solved the problems of the last decade, but they will not solve the problems of the next decade.

Organizations in this sector should aim to automate and simplify both their cybersecurity management and their compliance procedures: consolidate fragmented tools into platforms with broader capabilities, adopt intelligence-driven systems that can adapt to new attack patterns, an ever more fragmented environment and increasingly intelligent threats, and treat compliance requirements such as HIPAA not as an afterthought but as a design principle.

This is a call for clarity. Security leaders need to know where their data lives. They need confidence that sensitive assets are protected. They should follow the best practices of broad frameworks such as the NIST Cybersecurity Framework 2.0 or ISO/IEC 27001:2022, which give 360-degree visibility into their cybersecurity challenges.

Platforms like the Thales CipherTrust Data Security Platform are designed to deliver that breadth and resilience. Encryption, key management, access controls, discovery, and classification are integrated in a way that reduces complexity instead of adding to it.

The gains of the last four years are real. But they are fragile. The next stage of defense will require more than vigilance. It will require vision.

Download the full 2025 Thales Data Threat Report: Healthcare and Life Sciences Edition.