How Healthcare Leaders Can Elevate Cybersecurity Strategy
The healthcare industry stands at a difficult juncture in the cybersecurity landscape, grappling with increasing threats, skyrocketing costs of breaches, and unprecedented risks to patient care and operational efficiency. To navigate these challenges, leaders in healthcare organizations must approach cybersecurity with strategic foresight, shared accountability, and a commitment to embedding cyber resilience into every facet of their operations.
This article distills key insights from a recent discussion between cybersecurity leaders Jiren Day, Head of Cyber Research at KLAS, and Nana Hoy, EY America’s Healthcare Cyber Industry Group Leader. Their analysis of findings from a U.S. healthcare cyber resilience survey reveals critical gaps and opportunities for healthcare organizations to elevate their cybersecurity strategies.
The Growing Cyber Threat Landscape in Healthcare
Healthcare delivery organizations (HDOs) face a unique and intensifying cybersecurity challenge. According to the research:
- The healthcare sector reports more cyber threat incidents than any other U.S. critical infrastructure sector.
- Healthcare breaches are the most expensive, with the highest costs per incident of any industry.
- Cyber incidents now have direct and alarming implications for patient care, from delayed procedures and diverted patients to systemic operational disruptions.
These realities underscore the need for HDOs to prioritize cybersecurity not as a technical afterthought but as a core element of their strategic planning and business resilience.
Leadership and the Cyber Resilience Gap
One of the most striking findings from the survey is the "leadership paradox" in cybersecurity:
- 81% of healthcare executives consider cybersecurity a strategic priority.
- 65% of leaders feel empowered to make cybersecurity decisions.
- Yet, only 52% have final decision-making authority, signaling a disconnect between intent and implementation.
This gap between leadership vision and operational authority leaves many organizations vulnerable. Cybersecurity, while recognized as essential, often falls by the wayside amid budget constraints and competing priorities.
The Cost of Underinvestment
The consequences of deprioritizing cybersecurity are severe. On average, healthcare organizations take nearly nine months to identify and contain a cyber incident, a timeframe well above industry norms. During this period, attackers can exploit vulnerabilities, causing cascading effects such as:
- Disruption to patient care delivery.
- Extended downtimes and operational inefficiencies.
- Loss of trust among patients, staff, and stakeholders.
Ensuring consistent leadership engagement and shared accountability at all levels can help organizations bridge this resilience gap.
Key Areas of Focus for Cybersecurity Transformation
1. Identity and Access Management (IAM): Defining the New Perimeter
The survey highlights a growing consensus: identity is the new frontier in cybersecurity. With 68% of respondents prioritizing investment in IAM, healthcare leaders recognize the need to manage both human and machine identities effectively.
Key identity challenges in healthcare include:
- Machine Identities: Most healthcare systems now manage 10-50x more machine identities than human users. Many of these identities have excessive privileges and lack adequate monitoring or credential rotation.
- Help Desk Vulnerabilities: Attackers increasingly exploit help desk processes, impersonating physicians to reset passwords and gain unauthorized access.
- Agentic AI and Bots: The rise of generative AI and automated bots introduces new identities to safeguard, with individual leaders often responsible for overseeing their governance.
To address these challenges, organizations are adopting innovations such as:
- Behavioral analytics to detect unusual activity.
- Conditional and just-in-time access to minimize overprivileged accounts.
- Comprehensive governance frameworks that encompass vendors and third-party stakeholders.
2. Cybersecurity as an Enabler of Innovation
The traditional view of cybersecurity as a cost center or compliance checkbox is no longer sufficient. The research reveals a shift toward framing cybersecurity as a value creator that enables safe innovation and transformation.
For example:
- Generative AI Integration: Many healthcare systems are piloting AI solutions despite the systemic risks posed by such technologies. Embedding cybersecurity into these initiatives from the start ensures they scale safely without introducing vulnerabilities.
- Operational Efficiency: By incorporating cybersecurity early in the development lifecycle of new technologies, organizations can reduce remediation costs, improve user experience, and streamline operations.
Nana Hoy aptly compared adopting innovative technologies without considering cybersecurity to "buying a car without seat belts." Forward-thinking HDOs are embracing cybersecurity as a catalyst for transformation rather than a barrier to progress.
3. Building Shared Accountability
The survey underscores the importance of shared accountability in driving cybersecurity outcomes. Cybersecurity cannot remain the sole responsibility of the Chief Information Security Officer (CISO); it must be a team sport involving diverse stakeholders, including CFOs, COOs, and boards of directors.
To achieve this, organizations should:
- Establish shared metrics, such as KPIs and scorecards, to align stakeholders around cybersecurity goals.
- Tie cybersecurity efforts to tangible business outcomes, such as reducing downtime or enhancing patient safety.
- Foster a culture where cybersecurity teams are seen as problem-solvers and enablers, not blockers.
The Path Forward: Cybersecurity as a Strategic Imperative
Healthcare organizations must adopt a more integrated and proactive approach to cybersecurity. The survey findings reveal several actionable steps leaders can take:
- Elevate cybersecurity to a board-level priority with non-negotiable expectations for sustained investment.
- Align cybersecurity funding with clinical, operational, and financial outcomes to demonstrate value.
- Embed cybersecurity into every initiative, from technology rollouts to geographic expansions.
By shifting the narrative around cybersecurity from a cost to an enabler, healthcare leaders can protect their organizations while driving innovation and resilience.
Key Takeaways
- Cyber Incidents Are Escalating: The healthcare sector leads in both the volume and cost of reported breaches, with direct impacts on patient care and business continuity.
- Leadership Gaps Exist: While cybersecurity is considered a strategic priority, only half of leaders have the authority to make final decisions, creating a resilience gap.
- Identity Management Is Critical: IAM is emerging as a top focus, with a growing need to govern machine identities and secure automation tools like generative AI bots.
- Cybersecurity Enables Innovation: When integrated early, cybersecurity accelerates time to market, reduces remediation costs, and enhances user experiences.
- Shared Accountability Drives Success: Effective cybersecurity requires collaboration across leadership roles and alignment with business outcomes.
- Focus on Metrics: Establishing clear KPIs tied to cybersecurity outcomes helps solidify its role as a business enabler.
Actionable Steps for Healthcare Leaders
- Prioritize cybersecurity funding even in times of financial constraint.
- Develop governance frameworks for both human and machine identities.
- Embed cybersecurity into AI and technology initiatives from the start.
- Create shared scorecards to align leadership teams around cybersecurity goals.
- Shift organizational culture to view cybersecurity as a driver of innovation.
Conclusion
The stakes for cybersecurity in healthcare have never been higher. As threats continue to evolve, healthcare leaders must embrace a transformative approach that views cybersecurity as integral to their organization’s mission. By doing so, they can reduce risks, enhance patient safety, and unlock new opportunities for innovation and growth. The time to act is now.
Source: "KLAS and EY US Healthcare Cyber Resilience Survey 2025 Webinar" - KLAS Research, YouTube, Dec 16, 2025 - https://www.youtube.com/watch?v=4bAIKfGy9Uo
