Jaren Day
In healthcare right now, cybersecurity is no longer just an IT issue. It’s hitting operations. It’s hitting finances. And in many cases, it’s actually directly impacting patient care. So over the past several months we’ve been sitting down with health care executives and security leaders.
We recently partnered with EY (Ernst & Young LLC) to run a national survey. And what we heard was really eye-opening. I want to share some of the biggest takeaways from that research with you.
So, three numbers really stood out to me. First, 60% of executives said that their organizations have experienced moderate to severe care delivery disruptions from a cyber-attack in the past 24 months. And most of these came through third-party systems.
Second, 86% of organizations reported two or more impactful cyber events or incidents at their organization in just one year.
And then a third is that executives told us while they feel empowered to fund cybersecurity, there are still major gaps in turning that funding into real strategy and execution. So together, these numbers really make it clear.
Cyber risk in health care isn’t rare. It’s the daily reality that we’re operating in.
When care delivery is interrupted, cybersecurity becomes a mission issue. Healthcare’s vendor ecosystem really makes us uniquely vulnerable. And a single weak link can ripple through the entire system. Leaders have shared with us that one way that they’re tackling this is by doing tabletop exercises that include their top vendors, the ones that they have the biggest strategic partnership with that would have the biggest impact on their organization if something was to happen to them.
That way, when something happens, everyone knows their role, and how to respond. If your vendors aren’t part of your playbook, then you really don’t have a playbook in your response, in your recovery to a cyber-attack yet.
Another theme we heard loud and clear in the research is identity. Identity and access management has become a frontline of defense. And it’s not just your people anymore. It’s your bots. It’s your service account. It’s even your AI agents. Leaders at our forums said that they’re starting to audit every non-human identity and really ask two simple questions: Does this account still need to exist? And who owns it? Every identity needs an owner, and if there’s no owner, then there’s no account.
Here’s where leadership really matters. Many executives feel like the money is there for their cyber investments, but execution is lagging. One cybersecurity leader even shared with us that they’ve become the chief information screenshot officer; they really feel like they’re spending more time feeding auditors than really improving security.
So how do you make cybersecurity a true priority when there are so many competing demands?
A big takeaway we explored within the EY report is to tell the cyber story in the language of your audience. So, for financial leaders, it’s really all about the cost, the downtime and the recovery. For clinicians, this is about patient safety and uninterrupted care. For boards, it’s about monetary responsibility and resilience.
The other key here is that cybersecurity really can’t sit on the shoulders of the CSO alone. The best organizations treat cybersecurity as a shared responsibility, really across the leadership teams, the vendor partners. It’s really everyone’s job. The bottom line here is that cybersecurity in healthcare is not just about protection, it’s really about resilience. It’s about enabling innovation. And it’s about safeguarding patients.
Leaders who succeed here are the ones who align their funding with strategy, who anchor their messages to what really matters to each part of the business, and who are creating a culture of shared responsibility. Compliance is really a byproduct; resilience is the real goal here.
Thanks for joining. Don’t forget to like and subscribe if you enjoyed the content today!


