What healthcare CFOs don’t know about cybersecurity — and what they should ask their CISOs
Cybersecurity is a growing concern for all healthcare organizations amid the ongoing rise of ransomware attacks and other threats.
In 2023, the number of reported data breaches in the U.S. rose to an all-time high of 3,205, a 78% increase from 2022, while the average cost of a healthcare data breach hit $10.93 million.
What’s driving these alarming figures isn’t necessarily a lack of technology or talent.
In fact, the bulk of cybersecurity incidents can arguably be attributed to something more rudimentary: the lack of alignment and engagement between business executives (CEOs and CFOs), IT leaders (CIOs) and chief information security officers (CISOs). When these groups are not aligned, it can lead to gaps in security measures, insufficient resource allocation and a lack of comprehensive risk management.
“Understanding the business impact of every decision is vital for the resilience of organizations, particularly in healthcare,” said Joe Oleksak, CISSP, CRISC, partner, Plante Moran. “Often, business decisions are driven by cost efficiencies, customer demand, organizational strategy, industry pressures and profit margins. However, the essential role of IT systems and their interdependencies with business operations are frequently overlooked.”
It doesn’t have to be this way, however.
By rethinking their approach to collaboration and risk management, healthcare CFOs can more effectively align security with both technology and the business to help their organizations become more resilient.
Evolving cybersecurity needs
It’s hard to believe that just a decade ago, cybersecurity was an ancillary concern for health systems. Many fell for the “It won’t happen to me” myth. Today, nearly every healthcare organization has experienced a cybersecurity breach. In fact, healthcare organizations are now one of the most attractive targets for hackers.
“Hackers aren’t necessarily targeting organizations because of who they are,” Oleksak said. “They are finding targets by looking for organizations that are not doing things correctly, and when identified, they quickly look for ways to monetize what they find.”
“That’s why, when hackers get into a health system, they are very excited,” said Oleksak. “They know health systems have cybersecurity insurance, and the black-market value of the healthcare record is rising dramatically. They understand that downtime can literally be the difference between life and death, and more figuratively the financial death of a physician practice, for example. And, as a result, they are much more likely to receive a big payday.”
What hasn’t changed in this rapid-risk environment is the “siloed” mindset that many CEOs and CFOs have around the role of CIOs and CISOs. Cybersecurity and risk management are still seen as the domain of IT and IT alone. At the same time, CISOs don’t necessarily communicate as effectively and frequently as they should with healthcare’s senior business executives.
“In most organizations, the CISO is reporting to the CIO, given a budget, and told what they need to do in terms of security, and it’s usually IT focused,” Oleksak said. “As a result, CISOs typically don’t feel free to talk about what they really need. They don’t feel empowered or motivated to get more involved in compliance and more involved in business process and organizational resilience, as opposed to just IT resilience, which are both very important, but two very different things.”
Aligning and communicating are key
To combat these challenges, health system CFOs should work more closely with CISOs to understand the interdependencies between business performance, technical reliance and security.
“The business impact analysis is, quite frankly, the most important thing leaders should be involved in when it comes to security,” said Oleksak. “CFOs must understand the business processes each business unit relies on, including the supporting systems and infrastructure in place, along with the risks, threats and corresponding compliance regulations.”
As part of this business impact analysis, here are five initial questions CFOs should ask CISOs.
1. How ready is our organization for an attack?
If the organization is hit with a ransomware attack, what are the business processes in place to continue business while IT responds and recovers? The answer to this question can determine how quickly healthcare organizations recover from a devastating security incident. One need only look to the aviation industry as a cautionary tale: After the CrowdStrike security software outage in July 2024, airlines that had backup manual ticketing, manual baggage handling and hand-held radio processes were able to recover faster and resume operations.
2. Are we putting too many eggs in one basket?
Too often, executives fall in love with a single technology system or solution without considering whether the solution has any risk of failure. Consider the recent cyberattack on the software company CDK Systems, which resulted in a shutdown that impacted more than 15,000 U.S. automobile retailers. “Auto dealers couldn’t sell cars for three or four days,” Oleksak said. To avoid similar scenarios, CFOs should work with their CISOs to identify any single points of failure as part of their ongoing business impact analysis and overall risk assessments.
3. Are there any trends we should keep an eye on?
CISOs are typically well-versed in cybersecurity trends, such as spikes in data breaches, as well as new regulations. CFOs should pay attention to and understand how those trends impact decision-making around technology investments, ways to build organizational resilience to security threats and more.
“The CISO should be following what’s happening across all different industries and providing insight to CFOs and CEOs as well as CIOs,” said Oleksak. “They should say, ‘Here’s what’s happening out there, and here’s what’s coming as a result of this.’”
4. Are we doing our due diligence?
CFOs need to be as vigilant about their organization’s cybersecurity defenses as CISOs and CIOs. Their involvement is crucial because financial decisions directly impact the resources available for cybersecurity measures. However, too often, CFOs do not engage in the necessary level of due diligence, leaving this responsibility to their IT counterparts.
Working with a third-party expert can provide assurance to CFOs that the right steps are in place to prevent an attack.
For example, a third party skilled in cybersecurity defense can offer an independent assessment of cybersecurity protocols, review vendor service level agreements and provide ongoing support.
“These partnerships allow you to see further into the future,” Oleksak said. “They enable you to understand your environment at a maturity level much greater than your own. From there, you’ll understand where your organization sits on the risk continuum and what you need to do to reach your desired security maturity.”
5. How can we support you and your team?
When cybersecurity teams feel isolated from the rest of the organization, problems arise. Organizations can avoid this fate when CFOs and technology leaders actively engage with the security team on a regular basis. Leading CFOs listen to their security teams’ concerns around everything from budget to risk management to work-life balance.
“One of the biggest things we find when talking to organizations is that information security officers don’t often feel like they get what they need,” Oleksak said. “Everyone within the organization needs to feel empowered and responsible for executing on what’s needed. Fostering a sense of team unity is what’s going to get you there.”
Looking ahead
By engaging in regular business impact analyses and asking the right questions, CFOs will strengthen their relationships with both cybersecurity and IT leaders. In turn, they’ll strengthen their organizations’ abilities to meet community needs, even in the face of increasing cyberattacks.
As emerging threats become more sophisticated, the need for executive alignment could not be greater. Cybersecurity is no longer the exclusive responsibility of CISOs and other IT leaders. CFOs must also do their part to understand threats and risks — and how to support resilience.
About Plante Moran
Plante Moran is among the nation’s largest accounting, tax, consulting, and wealth management firms and provides full services to organizations. Our healthcare practice is a leading national financial and operational consulting practice, serving over 2,500 clients across the entire healthcare continuum. Our clients are large health systems, community hospitals, skilled nursing facilities, independent and assisted living facilities, home health and hospice agencies, medical groups and physician practices, health plans, community-based service providers, and private equity groups. For more information, visit plantemoran.com/healthcare.
This published piece is provided solely for informational purposes. HFMA does not endorse the published material or warrant or guarantee its accuracy. The statements and opinions by participants are those of the participants and not those of HFMA. References to commercial manufacturers, vendors, products, or services that may appear do not constitute endorsements by HFMA.