Cybersecurity, AI Use, and Major Policy and Regulatory Shifts Are Driving Factors in the Most Significant Risks Hospitals Face in 2026, According to Kodiak Solutions’ Top Risks Report

The promise of new technologies must be balanced with ongoing, real-time assessments of the risks of cyberattacks and AI data privacy and governance, Kodiak’s risk and compliance team finds

Cybersecurity, artificial intelligence, and the rapidly changing healthcare policy and regulatory environment are common threads weaved into many of the Top Risks for 2026 identified by Kodiak Solutions.

This press release features multimedia. View the full release here: https://www.businesswire.com/news/home/20251203735122/en/

The top 10 risk areas as determined by the percentage of audits that found a specific risk in each area, according to the annual Top Risks report by Kodiak Solutions.

Kodiak’s risk and compliance team determined the top 10 risk areas by compiling the results of audits conducted for hospitals, health systems and medical practices during the 12 months ended Sept. 30, 2025. Risk areas are ranked by the percentage of audits that uncovered a specific risk within that subject area.

“As change accelerates, risks become harder to spot, requiring an ever-vigilant effort from internal auditors,” said Dan Yunker, senior vice president, risk and compliance, for Kodiak Solutions. “The pace of change healthcare is experiencing requires auditors to have an always-on, data-driven approach. Identifying these top risk areas provides a road map for internal auditors to make the most of shrinking resources.”

Beyond charting the risk areas uncovered by its audits, the Kodiak risk and compliance team also took a deep dive into the problems the audits uncovered and the factors driving them.

Providers may face cybersecurity standard developed for defense contractors

Cybersecurity defenders face changing government standards and cyber criminals who are constantly innovating their forms of attack, often powered by AI, Kodiak’s audit analysis found. Proposed revisions to the HIPAA Security Rule are a near-term change that provider organizations need to plan for. Kodiak experts see an even more impactful change on the horizon, with federal policymakers evaluating whether to make healthcare provider organizations comply with the Cybersecurity Maturity Models Certification that originally was developed for defense contractors.

Cybersecurity risks drove the information systems risk area to the No. 1 spot on the Top Risks chart. Cybersecurity is a risk in any area that relies on information systems or networked equipment, such as medical devices, so the reach is enterprise-wide for hospitals, health systems and medical practices.

Unlocking value of AI requires appropriate guardrails

Deploying AI across healthcare organizations is an operational imperative but also carries significant risks, Kodiak’s analysis found. For AI tools to be most effective, they require access to massive amounts of sensitive data, from patient clinical and financial records to claims data and other proprietary business information. Deploying AI requires thoughtful rules for data privacy and for governing how the AI tools are used in decision making.

AI-related risks were the top factor in the clinical operations risk domain, ranked No. 5 on the Top Risks list, as well as a significant contributor to the information systems risk domain. AI also is a critical tool for revenue cycle teams, especially for the specific risk of denials management, the top risk driving revenue cycle to No. 4 on the top 10 risks.

Provider organizations should anticipate policy, regulatory shake-ups

For the finance and accounting risk domain, No. 2 on the top 10 risks list, the top three drivers of risk are related to policy, starting with the financial impact of the One Big Beautiful Bill Act, followed by labor costs and supply costs. Regulatory and policy changes also impact compliance, the No. 3 risk, with proposed enhancements of price transparency requirements, and the No. 10 risk, pharmacy, which is impacted by the federal government’s pilot program to increase the use of rebate models in the 340B Drug Pricing Program.

“Cybersecurity, AI and policy shifts ripple through many of the most significant risks hospitals, health systems and medical practices face in 2026,” Yunker said. “Internal auditors have their work cut out for them to find and eliminate or mitigate the risks caused by these factors and others across their enterprises.”

To view Kodiak Solutions’ full report on the top management risks for healthcare in 2026, click here.

About Kodiak Solutions

Kodiak Solutions is a leading technology and tech-enabled services company that simplifies complex business problems for healthcare provider organizations. For nearly two decades as a part of Crowe LLP, Kodiak created and developed our proprietary net revenue reporting solution, Revenue Cycle Analytics. Kodiak also provides a broad suite of software and services in support of CFOs looking for solutions in financial reporting, reimbursement, revenue cycle, risk and compliance, and unclaimed property. Kodiak’s 450 employees engage with more than 2,300 hospitals and 350,000 practice-based physicians, across all 50 states, and serve as the unclaimed property outsourcing provider of choice for more than 2,000 companies. To learn more, visit our website.

View source version on businesswire.com: https://www.businesswire.com/news/home/20251203735122/en/

“The pace of change healthcare is experiencing requires auditors to have an always-on, data-driven approach. Identifying these top risk areas provides a road map for internal auditors." -- Dan Yunker, SVP, risk and compliance, Kodiak Solutions