KLAS recently hosted a timely conversation with Jaren Day of KLAS Research and Nana Ahwoi of Ernst & Young LLP (EY US), diving into findings from our recent US Healthcare Cyber Resilience Survey. The discussion explored how healthcare organizations are evolving their approach to cybersecurity across a variety of executive roles (not just CISOs) at a moment when the stakes have never been higher.
This blog serves as a recap of that webinar, highlighting the core themes we explored together and why they matter for every healthcare leader. For the full conversation, I recommend watching the replay.
Cybersecurity Resilience in Healthcare 2025
Jaren and Nana started off with the current state of healthcare and cyber threats. They shared startling findings from other research: No other US critical-infrastructure sector experienced more reported cyber incidents last year, and the average cost of a healthcare data breach remains the highest across industries. More importantly, disruptions in healthcare extend far beyond operations; the effects ripple into clinical workflows, patient safety, and the financial stability of organizations.
And truly, these aren’t hypothetical risks. As Nana pointed out, they’re lived experiences for many health systems today, with some incidents taking months to identify and contain. That extended exposure window compounds both cost and clinical impact.
For these reasons, KLAS and EY US intentionally surveyed not just CISOs but also CIOs, CTOs, COOs, CFOs, and other leaders with responsibility for cybersecurity outcomes. Their perspectives were remarkably aligned, reinforcing a simple truth: Cyber resilience is no longer the concern of a single leader or team. It is an enterprise-wide priority.
Insight 1: Cybersecurity Isn’t a CISO Problem; It’s Critical to Business
Early on, Jaren explored a theme in the findings that he calls the leadership paradox. In the survey, 81% of participating executives said cybersecurity is a strategic priority, and 65% said they feel empowered to make decisions about cybersecurity. Yet only 52% hold the actual authority to act on that responsibility.
This illustrates all too well the paradox: Cybersecurity is often listed as a top-ranking strategic risk, while simultaneously being pushed to the middle of the investment priorities. Other elements like operational efficiency and revenue optimization tend to crowd out needed cybersecurity investment. This creates a resilience gap, where everyone has good intentions, but real execution is lacking.
No organization can meaningfully strengthen cyber defenses if responsibility remains siloed with the CISO while other leaders’ decisions and resources influence outcomes. Rather, cybersecurity must become a team sport, with everyone’s roles being clearly defined.
Insight 2: Identity Is the New Perimeter
Another major discussion thread followed identity and access management, which is emerging as one of the highest-priority areas of investment across surveyed organizations. The sheer expansion of nonhuman identities introduced through automation, bots, and emerging agentic AI tools has created an identity landscape that many organizations are still trying to understand and govern.
The webinar explored current challenges, such as weak help desk verification processes, the rapid proliferation of machine identities, and inconsistent privilege-management practices. In response, behavioral analytics, just-in-time access models, and clearer ownership structures are becoming foundational strategies for managing identity at scale.
Insight 3: Changing the Message to “Cybersecurity Enables Innovation”
Later on, the conversation focused on reframing cybersecurity as a catalyst for transformation rather than a compliance checkbox. With healthcare organizations collectively exploring generative AI pilots, digital automation, and new models of care delivery, cyber maturity increasingly indicates which organizations can innovate safely and scale confidently.
The discussion referenced a recent EY US study that reinforces this point: When cybersecurity is embedded early in strategic initiatives, organizations realize faster times to market, lower remediation costs, and better user experiences.
Nana illustrated the point with an analogy. You would never buy a car without seatbelts today, nor should you implement AI and other tools without considering cybersecurity.
We asked our audience what evidence would most solidify cybersecurity’s role as an innovation enabler, and responses reflected a desire for clearer metrics: improved patient and clinician experience, reduced downtime, and stronger ROI. These are precisely the outcomes we believe cybersecurity must be tied to moving forward.
Cyber Resilience Requires Collective Leadership
Jaren and Nana’s conversation underscored a key shift happening across healthcare: Cybersecurity is no longer a technical function operating on the margins. It is the foundation that underpins safe care delivery, operational continuity, digital transformation, and organizational trust.
As we emphasized in the webinar, every healthcare leader should be asking themselves the following question: How can I support cyber resilience in my area of responsibility? Cybersecurity is everyone’s business, and when leadership embraces that mindset, organizations are better positioned to adapt, innovate, and protect the communities they serve.
We invite you to explore the full US Healthcare Cyber Resilience Survey for a deeper look into the themes we discussed. It’s an important read for anyone working to strengthen their cybersecurity strategy in 2025 and beyond.


