Why Healthcare Boards Lag Other Industries in Preparing for Cyberattacks

As leaders responsible for prioritizing their organizations’ goals, board members must push the cybersecurity agenda forward. Yet new research shows healthcare boards are far behind their peers in making cybersecurity a priority and understanding cyber-risks, despite the potentially severe consequences to patient safety and care.

“Cybersecurity: The 2022 Board Perspective,” a new global report from Proofpoint and Cybersecurity at MIT Sloan, found that cybersecurity is much lower on healthcare boards’ agendas compared with other sectors. Although 77% of the 600 board members surveyed suggested cybersecurity is a top priority for their organizations, only 59% of healthcare directors concurred.

The report also found that only 61% of healthcare boardrooms discuss the topic at least monthly (versus 75% across all sectors), and only 64% believe they have invested adequately in cybersecurity (versus 76% for all sectors).

The future appears just as bleak. While 87% of participants expected to see their cybersecurity budgets increase in the next 12 months, only 77% of healthcare board members share this belief.

Healthcare Boards Need Better Focus on Cyber-Risks

What makes these findings more alarming is the contrast between healthcare boards’ opinions about their cyber preparedness and the sentiments of other boards. Despite their lower cyber priorities, healthcare boards are much more optimistic. Only 50% believe their organization is at risk of a material cyberattack in the next 12 months (compared to 65% across sectors), and just 43% think their organizations are unprepared to cope with a targeted cyberattack (compared with 47% for all cohorts).

One reason behind the healthcare directors’ misplaced confidence is their lack of cybersecurity understanding and expertise — another area where they fall behind their peers. Across all industries, 85% of survey participants believe their boards understand systemic risk, but only 61% of healthcare directors feel the same. Furthermore, fewer healthcare organizations have experts on their boards (68% versus 73%) and adequate training to respond to a cyber incident (59% versus 74%).

Given the gap in the directors’ understanding of cyber-risks, it is understandable that they would look to their chief information security officers (CISOs) for guidance. However, the report findings show that this is not true. Only 57% of healthcare boardrooms have regular presentations from CISOs or other cybersecurity experts, compared to 73% across all sectors. Twenty-three percent of healthcare board members only see their CISOs when they appear before the board to make a cybersecurity report.

Board-CISO Rift a Barrier to Progress

Our industry is well aware of the communications gap between boards and CISOs. For years, boards showed little interest in cybersecurity, viewing it as an IT problem rather than a business one. Today, thanks to growing publicity about escalating threats such as ransomware, we finally see cybersecurity elevated to the board level.

But this increased awareness has not yet resulted in thawed tensions between boards and their security leaders. The survey found that 31% of directors globally still do not see eye to eye with their CISOs — and even more healthcare directors (41%) fall into this camp. If the two sides don’t know, like, or even see each other very much, how can they agree on priorities and improve their organizations’ security posture?

This chasm is especially alarming given the magnitude of cyber threats and patient risk in healthcare. A Ponemon Institute report on healthcare threats earlier this year found that 89% of surveyed organizations experienced an average of 43 attacks in the past 12 months. Among those that experienced attacks such as ransomware and cloud compromise, 20% saw an increased patient mortality, rate while 57% saw poor patient outcomes because of delays in tests or procedures. There is a clear connection between cybersecurity and patient wellbeing — yet the healthcare sector often fails to take that seriously.