In 2024, the healthcare industry faced unprecedented challenges, including the largest cybersecurity attacks ever recorded, historically low Customer Experience Index (CX Index™) scores, and widespread disruptions in relationships between health systems and insurers that drove the spread of medical deserts.

As the industry moves into 2025, it faces a complex terrain pitted by the aftermath of these challenges. New hazards will continue to emerge: growing concentration risk, regulatory uncertainties stemming from the overturning of the Chevron doctrine, and the impact of an upcoming election. We expect healthcare organizations (HCOs) to move into protection mode, prioritizing cybersecurity enhancements and investing in generative AI (genAI) technologies to improve customer experiences and manage rising costs. Forrester predicts a challenging yet opportunity-abundant landscape for HCOs in 2025.

Here’s what we predict for healthcare in 2025:

Half of the top 10 US health insurers will use AI to bolster member advocacy.

Health insurers invested millions of dollars in digital experiences to drive member self-service only to face lower-than-expected digital adoption rates and mediocre customer ratings. Call volumes to health insurers continue to soar. And now, the long run of dismal customer experience has caught the attention of the US government. In 2025, US health insurers will embrace the human experience to drive down costs and bolster wavering member trust. Health insurers will invest in genAI-powered tools to help contact center employees and care advocates build relationships with members.

One-third of leading health insurers will decrease reliance on prior authorizations (PAs).

In recent years, payers have employed AI algorithms to process PAs faster and cheaper. But use has turned into overuse, generating increased administrative burden for providers and care delays. PA-fueled bureaucracy and payment delays have led some health systems to exit payers’ networks during a plan year, accelerating the spread of medical deserts. Payers changing their PA process will evaluate the risk holistically, from national legislation to state-specific laws, balancing the cost of removing PA requirements against its potential upsides.

Three more states will pass legislation to fortify hospital cybersecurity requirements.

Cybersecurity attacks, such as the one on Change Healthcare, left devastation in their wake. The newly proposed Health Infrastructure Security and Accountability Act aims to make healthcare cybersecurity controls mandatory and enforceable, but the bill has a long legislative road ahead of it, and the industry is unlikely to meet its standards. New York is leading the charge with new cybersecurity program requirements that bolster security controls and mandate more stringent risk assessments and better incident response. The program also extends protections beyond HIPAA to cover hospitals’ confidential business information. We expect states such as Massachusetts and California to follow suit, and Illinois, Texas, Florida, and Washington may not be far behind due to their recently intensified focus on privacy and cybersecurity laws related to healthcare. HCOs must prepare for three more state-level initiatives that regulate cybersecurity in 2025.