Regulated healthcare data accounts for vast majority of cloud and generative AI data policy violations

The threat researchers at Netskope Threat Labs have been monitoring key cyber threats facing healthcare organisations and their employees in the last thirteen months, and are releasing their analysis in their annual healthcare threat report today.

As healthcare staff adopt and use generative AI (genAI) applications at a higher frequency, the risk of leaking sensitive information through prompts and documents continues to grow. Regulated data, such as patient records and medical information, is especially at risk, accounting for 89% of all data policy violations occurring in the context of genAI usage, significantly higher than the cross-industry average of 31%.

Compounding this issue is the use of personal genAI accounts in the workplace. While this behaviour has dropped sharply in the past thirteen months, 43% of healthcare workers are still using personal genAI accounts at work, which security teams often can’t properly monitor for data leaks. In order to address this risk, healthcare organisations are pushing their staff to use company-approved genAI applications, which they continue to deploy at pace. The proportion of workers using genAI applications managed by their organisation jumped from 18% to 67% in the same time period, outpacing cross-industry averages (26% to 62%).

Looking forward, healthcare organisations will increasingly explore the potential of AI to streamline their operations. The report shows that the deployment and usage of internal AI tools, which require bespoke security guardrails, is already accelerating. Even when genAI applications or AI agents are deployed internally, they often need to connect to the underlying model hosted in the cloud for processing via a dedicated API. Thus, monitoring API traffic can help measure on-premises AI deployments, and in healthcare, almost two in three organisations are detecting API traffic to OpenAI and AssemblyAI (63% and 62% respectively), and more than a third (36%) to Anthropic. This heavy reliance on API-based integrations underscores the growing role of embedded AI services in clinical, administrative, and operational systems, which also need to be secure and well-governed in order to avoid AI-related cyber incidents.

The use of personal cloud applications in the workplace also poses data security challenges, as workers might inadvertently or intentionally upload sensitive data to personal accounts. Regulated data is once again the type of data they expose most regularly, accounting for 82% of data policy violations related to personal cloud applications. Measures that exist to mitigate this risk include offering automated, real-time guidance to employees to dissuade them from sharing sensitive information with unmanaged services, or blocking uploads to personal apps. Over the past year, more than half of healthcare organisations (56%) that deployed such policies blocked users from uploading files to personal Google Drive accounts, illustrating the frequency of potential data exposure in popular personal cloud applications. Google Drive was followed by Google Gmail (39%) and OneDrive (30%).

Attackers also continue to take advantage of the inherent trust employees put in cloud applications and the files they might find in them. In healthcare, Azure Static Web Apps, GitHub, and Microsoft OneDrive were the platforms most frequently exploited by attackers for malware distribution, with 8.2%, 8%, and 6.3% of organisations detecting employees attempting to download malware from each app, respectively.

Ray Canzanese, Director of Netskope Threat Labs, said: “While building defences against external threats is essential for healthcare organisations that have historically been prime targets for cybercriminals, addressing internal risk is equally important, especially in such a highly-regulated industry and a context of fast-paced cloud and AI adoption. Our report shows that those that operate without security guardrails governing cloud and AI usage are very likely to suffer regulated patient and clinical data leaks, and potentially high regulatory penalties. Deploying company-approved applications that meet employees’ demands for convenience and productivity, along with relevant security tools that offer full visibility and control over usage and data movements, should be a high priority for healthcare organisations to strike a balance between modernisation and security.”

More threat analyses and statistics are available in the full report.

Methodology: The information presented in this report is based on anonymised usage data relating to a subset of Netskope customers in the healthcare sector across the globe, and collected between December 1, 2024 and December 31, 2025 with prior authorisation.


Disclaimer: The above press release has been provided by Netskope. CXO Digital Pulse holds no responsibility for its content in any manner.
Reproduction or Copying in part or whole is not permitted unless approved by author.
