Why Healthcare Boards Lag Other Industries in Preparing for Cyberattacks

Only by working collaboratively can boards and security leaders make progress and agree about cybersecurity threats and priorities.

Ryan Witt, Healthcare Cybersecurity Leader, Proofpoint

March 14, 2023

A healthcare professional "holding" an abstract visual of a digital lock.
Source: Andrew Angelov via Alamy Stock Photo

As leaders responsible for prioritizing their organizations' goals, board members must push the cybersecurity agenda forward. Yet new research shows healthcare boards are far behind their peers in making cybersecurity a priority and understanding cyber-risks, despite the potentially severe consequences to patient safety and care.

"Cybersecurity: The 2022 Board Perspective," a new global report from Proofpoint and Cybersecurity at MIT Sloan, found that cybersecurity is much lower on healthcare boards' agendas compared with other sectors. Although 77% of the 600 board members surveyed suggested cybersecurity is a top priority for their organizations, only 59% of healthcare directors concurred.

The report also found that only 61% of healthcare boardrooms discuss the topic at least monthly (versus 75% across all sectors), and only 64% believe they have invested adequately in cybersecurity (versus 76% for all sectors).

The future appears just as bleak. While 87% of participants expected to see their cybersecurity budgets increase in the next 12 months, only 77% of healthcare board members share this belief.

Healthcare Boards Need Better Focus on Cyber-Risks

What makes these findings more alarming is the contrast between healthcare boards' opinions about their cyber preparedness and the sentiments of other boards. Despite their lower cyber priorities, healthcare boards are much more optimistic. Only 50% believe their organization is at risk of a material cyberattack in the next 12 months (compared to 65% across sectors), and just 43% think their organizations are unprepared to cope with a targeted cyberattack (compared with 47% for all cohorts).

One reason behind the healthcare directors' misplaced confidence is their lack of cybersecurity understanding and expertise — another area where they fall behind their peers. Across all industries, 85% of survey participants believe their boards understand systemic risk, but only 61% of healthcare directors feel the same. Furthermore, fewer healthcare organizations have experts on their boards (68% versus 73%) and adequate training to respond to a cyber incident (59% versus 74%).

Given the gap in the directors' understanding of cyber-risks, one would expect them to look to their chief information security officers (CISOs) for guidance. However, the report findings show that this is often not the case. Only 57% of healthcare boardrooms have regular presentations from CISOs or other cybersecurity experts, compared to 73% across all sectors. Twenty-three percent of healthcare board members only see their CISOs when they appear before the board to make a cybersecurity report.

Board-CISO Rift a Barrier to Progress

Our industry is well aware of the communications gap between boards and CISOs. For years, boards showed little interest in cybersecurity, viewing it as an IT problem rather than a business one. Today, thanks to growing publicity about escalating threats such as ransomware, we finally see cybersecurity elevated to the board level.

But this increased awareness has not yet resulted in thawed tensions between boards and their security leaders. The survey found that 31% of directors globally still do not see eye to eye with their CISOs — and even more healthcare directors (41%) fall into this camp. If the two sides don't know, like, or even see each other very much, how can they agree on priorities and improve their organizations' security posture?

This chasm is especially alarming given the magnitude of cyber threats and patient risk in healthcare. A Ponemon Institute report on healthcare threats earlier this year found that 89% of surveyed organizations experienced an average of 43 attacks in the past 12 months. Among those that experienced attacks such as ransomware and cloud compromise, 20% saw an increased patient mortality rate, while 57% saw poor patient outcomes because of delays in tests or procedures. There is a clear connection between cybersecurity and patient wellbeing — yet the healthcare sector often fails to take that seriously.

About the Author

Ryan Witt

Healthcare Cybersecurity Leader, Proofpoint

Ryan Witt is the Senior Director, Industry Solution Group at Proofpoint and is responsible for the solutions and strategy for the company's focused industries. He is also one of Proofpoint's Resident CISOs and chairs the company's Healthcare Customer Advisory Board. Ryan is a recognized healthcare cybersecurity executive and a frequent speaker at HIMSS, CHIME, H-ISAC, and similar events. Previously, Ryan was the healthcare leader for Fortinet and Juniper Networks, where he also chaired their respective Healthcare Customer Advisory Boards. Ryan is a graduate of San Jose State University and lives in Silicon Valley.
