Why Cybersecurity is Now a Risk Function in the Healthcare Industry


When a massive ransomware attack struck Britain’s National Health Service in 2017, ambulances were diverted and surgeries canceled. This was not a mere IT glitch—it was a crisis that put patient lives and hospital operations at risk. Incidents like this underscore a reality that healthcare leaders can no longer ignore: cybersecurity failures directly threaten patient safety, financial stability, and reputation. As such, cybersecurity in healthcare has evolved from a back-office IT concern into a critical enterprise risk. To protect their organizations and patients, healthcare executives must rethink cybersecurity as a core risk management function rather than just an IT responsibility. This article explores why healthcare organizations need to shift from IT-led to risk-led cyber strategies, and how doing so will better safeguard their mission in today’s threat landscape.

The Rising Cyber Threat and Risk in Healthcare

Healthcare is under siege from cyberattacks that have far-reaching consequences. Hospitals and health systems hold a trove of sensitive data – from personal identifiers and financial records to valuable medical research—making them prime targets for cyber thieves and nation-states. The average cost of a breach in health care is nearly three times higher than in other industries (about $408 per stolen health record versus $148 for non-health data). But beyond monetary cost, cyber incidents can literally put lives on the line. When hackers lock up electronic health records or disable networked medical devices, doctors can lose access to critical patient information and tools. In the worst cases, as seen in the WannaCry attack, patient care is delayed or diverted—a stark patient safety issue. It’s no surprise, then, that experts now urge hospitals to view cybersecurity as a patient safety, enterprise risk, and strategic priority woven into the organization’s risk management and continuity frameworks. In fact, the U.S. government itself regards cyber threats to hospitals as a public safety matter, on par with other strategic threats.

Modern cyber threats don’t just threaten data—they threaten the entire functioning of a healthcare organization. A ransomware attack can halt clinical operations for days, jeopardizing patient outcomes and community trust. A breach of protected health information (PHI) can incur hefty HIPAA penalties and erode patient confidence. These high stakes have elevated cybersecurity to the boardroom. As of recent years, 70% of U.S. hospital boards have now included cybersecurity in their risk management oversight, reflecting recognition that cyber risk is enterprise risk. Healthcare executives increasingly realize that a cyber incident is not just an IT problem; it’s a business crisis that impacts every facet of care delivery. This new threat reality demands a fundamentally different approach—one that treats cybersecurity as a shared organizational risk to be managed, not simply a tech issue to be delegated.

Rethink Your Cyber Org Chart

Your cybersecurity strategy is only as effective as your governance model. If your CISO still reports three layers down, it’s time to elevate the role. See how our Fractional CIO Services help healthcare leaders architect risk-aligned cybersecurity programs.

Why IT-Led Cybersecurity Falls Short in Healthcare

Traditionally, many healthcare organizations managed cybersecurity through their IT departments, viewing it as a technical problem of protecting systems and data. This IT-centric approach is proving inadequate against today’s challenges. One major issue is lack of executive visibility and engagement. A few years ago, a Ponemon Institute study found only about 36% of IT security professionals believed their senior leadership saw cybersecurity as a strategic priority, and roughly 68% of boards were not being briefed on cyber risks or defenses. In other words, treating cyber as “just IT” kept it off the radar of the C-suite and board—until a crisis hit.

Siloing cybersecurity under IT can lead to dangerous blind spots. Front-line IT teams may focus narrowly on technical safeguards, but cyber risk touches clinical operations, finances, compliance, and reputation. Wayne Horkan, a healthcare cybersecurity expert, notes that governance of cyber risk often remains siloed: “Cyber risk reports…sit with CIOs, not Chief Medical Officers,” and risk assessments fail to connect cyber controls to patient safety outcomes. When cybersecurity is viewed as an “IT issue,” it tends to be tackled with an IT mindset – patching servers, checking boxes for HIPAA compliance, and reacting to alerts. While these tasks are necessary, they are not sufficient for true resilience. An IT-led approach can devolve into a check-the-box exercise that overlooks the larger risk context. Indeed, many hospitals still struggle to integrate cyber risk into enterprise risk management and continue to treat cybersecurity as a siloed IT issue, leaving critical gaps in preparedness.

There are practical limitations to keeping cybersecurity under the sole purview of IT. For one, IT departments typically control technology systems but cannot easily influence organizational behavior. Many breaches stem from human factors (like an employee falling for a phishing email), which require organization-wide awareness and culture change – a domain of leadership, not just IT. “IT has much more control over systems than it does over human behavior,” an AHA advisory notes, whereas the C-suite “has the most influence on the behavior and culture of an organization”. Additionally, an IT-driven security program may struggle to secure funding or attention commensurate with the risk; cybersecurity competes with other IT priorities and often lacks a champion at the executive level. All of this means an IT-led strategy can leave healthcare organizations flat-footed in the face of sophisticated threats. The approach needs to change. As Horkan put it bluntly, “We need a rethink. Cyber must be embedded as a clinical safety concern, not an IT hygiene checklist”. In short, the old siloed model is misaligned with the interdisciplinary, high-stakes nature of cyber risk in healthcare.

From IT Issue to Enterprise Risk Function: A New Paradigm

Shifting to a risk-led cybersecurity strategy means elevating cyber risk to the same plane as other major enterprise risks and managing it accordingly. Instead of being an afterthought in the IT department, cybersecurity becomes a core component of hospital risk management – with executive ownership, formal governance, and integration into decision-making across the organization. Practically, what does this look like?

First, it requires clear leadership and accountability at the top. Healthcare boards and CEOs must treat cyber threats as “first and foremost a patient safety and care delivery risk issue,” not just a technical hassle. The American Hospital Association recommends that boards elevate cyber risk to an enterprise risk management issue, on par with patient safety and quality of care. This might involve establishing a board-level risk or audit committee that includes cybersecurity in its charter and receives regular briefings on the organization’s cyber risk profile and mitigation efforts. Many hospitals have begun doing exactly this, as noted earlier (70% of boards now oversee cyber risk). Executive leadership should likewise assign a high-ranking sponsor for cybersecurity – whether that’s a Chief Information Security Officer (CISO) with a direct line to the CEO or a Chief Risk Officer who ensures cyber is part of enterprise risk discussions. The reporting structure is critical; if a CISO is buried under a CIO with limited access to the board, their warnings may never reach the decision-makers in time. Forward-thinking hospitals are giving security leaders the “status, authority and independence” needed to be effective.

Second, a risk-led approach means integrating cybersecurity into enterprise frameworks and culture. Cyber risks should be included in the hospital’s enterprise risk register, assessed alongside strategic, financial, and operational risks. This cross-functional integration forces a holistic view: the cybersecurity team must collaborate closely with clinical operations, finance, legal, and other departments to identify where cyber threats intersect with business processes and patient care. As one AHA guide notes, effective hospital cybersecurity “requires close integration and cooperation” among the cybersecurity function and all business, operations, administrative, and clinical functions. For example, the process for onboarding a new medical device or third-party vendor should involve cyber risk evaluation (not just a procurement decision made in isolation). Risk-led cyber strategy also aligns cybersecurity with business continuity and incident response planning. Rather than IT having a standalone incident response plan, the plan is part of enterprise-wide disaster preparedness – ensuring that a ransomware attack triggers the same level of coordinated response as, say, a natural disaster would.

Crucially, viewing cybersecurity as a risk function shifts the organizational mindset and culture. Leadership sets the tone that “a top-down culture of cybersecurity” is as non-negotiable as the culture of patient safety. When executives champion cybersecurity, employees across the board are more likely to take ownership of their role in protecting the organization. The goal is to leverage healthcare’s existing “culture of care” and extend it to cyber care. Staff should understand that practicing good cyber hygiene (e.g. vigilant password practices, cautious email behavior) is a form of protecting patients – analogous to handwashing and infection control, but for computer viruses. This kind of cultural embedding only happens when cybersecurity is communicated as an organizational value and risk priority, not merely an IT policy. In a risk-led paradigm, success is measured not just by IT metrics (like number of patches applied) but by risk outcomes – reduced likelihood of a breach that disrupts care, faster recovery times, and minimized impact on patients if an incident occurs. Ultimately, treating cybersecurity as an enterprise risk function means the issue receives the visibility, resources, and gravitas that its impact on the business warrants.

Benefits of Embracing a Risk-Led Cybersecurity Strategy

Reframing cybersecurity as a risk function isn’t just a semantic change – it yields tangible advantages for healthcare organizations. By taking a risk-led approach, hospitals and health systems can achieve:

  • Better Protection of Patients and Safety: When cyber risk is managed at the enterprise level, defenses focus on what really matters – keeping patients safe and care uninterrupted. It prioritizes safeguarding the availability and integrity of critical systems and medical devices so that hackers can’t endanger patients. A risk-led strategy thus directly supports the hospital’s healing mission: protecting people over just data.
  • Stronger Executive Alignment and Decision-Making: With leadership involved, cybersecurity efforts get aligned to business priorities. Executives can weigh cyber risks in terms of impact on strategic goals (e.g. “How would a week-long outage affect our surgical volume or reputation?”) and allocate resources to the most critical exposures. This leads to more informed, proactive decisions — for example, investing in backup systems or network segmentation where it reduces the greatest risk. Regular board reporting on cyber risk also ensures accountability and continuous improvement, rather than “set it and forget it” complacency.
  • Financial and Regulatory Risk Reduction: Treating cybersecurity as an enterprise risk helps avoid the massive costs of breaches and downtime. It’s far cheaper to mitigate risks upfront than to suffer a multi-million-dollar incident response and legal fallout. Effective cybersecurity risk management “saves money, ensures regulatory compliance, protects a company’s reputation and supports business continuity,” as business analysts note. In healthcare, avoiding a single large breach or preventing a days-long shutdown of operations can save not only money but lives. Moreover, a risk-focused approach keeps the organization ahead of regulators: compliance with HIPAA and other laws becomes a natural byproduct of robust risk controls, rather than a last-minute scramble.
  • Enhanced Organizational Resilience: A risk-led strategy improves the resilience of the hospital when incidents happen. By integrating cyber into enterprise continuity planning, organizations are better prepared to maintain or rapidly restore critical services during a cyber crisis. For instance, leadership that has planned for ransomware scenarios – complete with offline data backups and practiced downtime procedures – can keep the hospital running when attackers strike. This resilience protects the organization’s reputation and builds trust among patients and the community that the hospital can weather cyber storms.
  • Cultivation of a Security-Aware Culture: Perhaps most importantly, elevating cybersecurity to a risk function fosters a culture where every employee feels responsible for managing cyber risk. From the C-suite to clinicians to front-desk staff, everyone understands that cybersecurity is part of patient care. This can dramatically reduce human errors that lead to breaches (like falling for phishing scams) because employees are educated and motivated to be the “first line of defense.” When leadership reinforces that cyber hygiene is akin to medical hygiene in protecting patients, it resonates. Over time, security-minded behavior becomes habit, improving the organization’s overall security posture in ways technology alone cannot.

In short, a risk-led approach turns cybersecurity from a siloed expense into a strategic asset – one that not only defends against attacks but also strengthens the trust, safety, and stability that healthcare delivery depends on. It aligns the cybersecurity program’s goals with the organization’s broader goals of high-quality, uninterrupted care.

Cyber Incidents Don’t Wait for Board Approval

Ransomware doesn’t knock before it strikes. You need executive-aligned cybersecurity plans before the crisis. Our consultants help you embed cyber into enterprise risk planning—without derailing your clinical priorities.

How Healthcare Leaders Can Enable the Shift to Risk-Led Cybersecurity

Moving to a risk-led cybersecurity model requires deliberate changes championed by leadership. Healthcare executives can consider the following steps to operationalize this shift:

  1. Establish Governance and Oversight: Begin at the top by making cybersecurity a standing item on the board and executive agenda. If you haven’t already, form a board-level committee (or expand an existing risk committee’s scope) to include cybersecurity risk oversight. Ensure the board is regularly briefed on cyber threats, readiness, and incidents – just as it would be for financial or operational risks. This communicates that cybersecurity is a priority and creates accountability for progress.
  2. Empower a Capable Security Leader: Designate a senior leader (e.g. a CISO) to lead the cybersecurity program and position them appropriately in the organizational hierarchy. For true risk alignment, this leader should have sufficient authority and independence, for example by reporting directly to the CEO or another top executive rather than sitting several layers down. Invest in this role with the budget and staff needed to manage cyber risk effectively. Many hospitals are too small to afford a large security team, but all should identify someone who wakes up every day focused on cyber risk and can speak the language of both tech and business to bridge those worlds.
  3. Integrate Cyber into Enterprise Risk Management (ERM): Don’t let cybersecurity live in a vacuum. Fold your cyber risk assessments into the broader ERM process. This means identifying key cyber scenarios (e.g. “clinical systems unavailable for X days” or “data breach of Y records”) and evaluating their likelihood and impact alongside other enterprise risks. By doing so, leadership can prioritize cybersecurity efforts based on potential business impact, not just technical severity. As one AHA article put it, addressing cyber risk at the enterprise level will directly bolster overall risk management. Use the same rigor for cyber as you do for other risks: assign risk owners, mitigation plans, and track progress over time.
  4. Align Policies and Incident Response with Patient Safety: Reframe cybersecurity policies in terms of protecting patients and critical services. For example, access control policies should be justified in terms of preventing unauthorized access to life-critical systems, not just “because IT said so.” Develop or refine your incident response plan with multidisciplinary input – IT, clinical operations, communications, legal, etc. – so that a cyber incident is met with a swift, coordinated response that prioritizes patient safety and continuity of care. Conduct tabletop exercises with leadership for scenarios like ransomware hitting your EHR system, to ensure everyone knows their role when responding to a cyber crisis. These steps embed cyber risk thinking into the fabric of organizational preparedness.
  5. Foster an Enterprise-Wide Security Culture: Use your influence as leaders to drive cultural change. Communicate to all staff that cybersecurity is everyone’s responsibility and directly tied to the organization’s mission of care. Incorporate cybersecurity into patient safety rounds, staff training, and internal communications. Celebrate departments that exemplify good security practices just as you might celebrate quality improvement. The goal is to create a vigilant workforce that acts as an extended security team. When employees at all levels understand that clicking a suspicious email link could take down the ER, or that a stolen laptop could expose thousands of patients’ data, they are far more likely to follow protocols and speak up about potential issues. Leadership’s active engagement, including asking questions about cybersecurity in meetings, allocating resources for training, and modelling good practice, is essential to cultivate this culture.

By taking these steps, healthcare executives can gradually transform their organization’s approach to cybersecurity. It shifts the burden from a few IT specialists to a shared responsibility model where risk awareness and mitigation permeate the organization. The result is not only stronger security, but a more resilient and confident enterprise ready to face the evolving cyber threat landscape.

Make Cybersecurity Part of Your Culture of Care

Culture eats compliance for breakfast. If your staff doesn’t see cybersecurity as a patient safety issue, you’ve already lost the battle. Let’s design a strategy that resonates from the C-suite to the bedside.

Key Takeaways for Healthcare Executives

  • Cybersecurity is a Business Risk, Not Just an IT Problem: Modern cyber threats (ransomware, data breaches, etc.) can shut down hospitals and endanger patients, making cybersecurity a core enterprise risk that demands board and C-suite attention. Treat cyber risk on par with financial, operational, and safety risks in your governance and strategy.
  • Executive Oversight and Leadership are Crucial: Ensure your organization’s cyber strategy is risk-led from the top. Establish board oversight (e.g. risk committees) and assign clear executive ownership for cybersecurity. Regularly review cyber risk reports and preparedness at the leadership level. Leadership involvement secures the resources and cross-department cooperation needed to stay ahead of threats.
  • Integrate Cybersecurity into Enterprise Risk Management and Culture: Break down silos between IT and the rest of the organization. Embed cyber risk management into enterprise processes – including risk assessments, business continuity plans, vendor management, and clinical workflows. At the same time, drive a security-aware culture where every staff member understands their role in protecting patient data and systems. Leverage your hospital’s existing patient safety culture to make cybersecurity a shared value.
  • Focus on Risk Outcomes and Resilience: Shift the mindset from mere compliance to actual risk reduction. Instead of measuring success by checklists or IT metrics, focus on outcomes like reduced downtime, prevented incidents, and quick recovery. Invest in controls and contingencies that mitigate the highest risks (for example, robust data backups, network segmentation, and rapid response drills for cyber incidents). A risk-led approach will help protect your bottom line and your reputation by avoiding costly breaches and ensuring continuity of care.
  • Act Now – Don’t Wait for a Crisis: Finally, recognize that adopting a risk-led cybersecurity strategy is urgent. Cyber threats are growing in frequency and sophistication, and regulators and patients alike expect healthcare organizations to be prepared. Waiting for the “perfect” moment or more guidance can leave your organization exposed. The time to elevate cybersecurity into your risk function is now, before the next attack forces the issue. By proactively making this shift, healthcare leaders can fortify their organizations against cyber risks and continue delivering safe, reliable care in an increasingly digital world.

By embracing cybersecurity as a risk function, healthcare executives reclaim control over one of the most pressing challenges of our time. This strategic shift enables hospitals and health systems to anticipate threats, minimize harm, and maintain the trust of those they serve. In an industry where lives are on the line, integrating cybersecurity with enterprise risk management is not just good governance—it’s fundamental to the future of healthcare delivery.
