Wednesday, November 12, 2025

How to Get Better Leadership Buy-In to Support Security and Privacy Efforts

It is well understood that cybersecurity needs to be a leading consideration in all of our decisions. I'm sure many of you even have an itemized list of the exact security measures and tools you'd want to implement, ready to go. However, the only way to turn those plans into reality is with the financial support of your leadership, and that support is not always easy to get.

For that reason, we reached out to our talented Healthcare IT Today Community to ask — what can you do to get better buy-in from your leadership to support security and privacy efforts? Below is what they had to share.

Peyman Zand, Chief Strategy Officer, CFCHE at CereCore
Health IT leaders should stop presenting security as an operational cost and instead frame it as a strategic enabler of innovation and growth. Leadership buy-in follows when security is understood not as a roadblock, but as the foundation for progress.

A robust governance framework, for instance, doesn’t just say ‘no’ to a new telehealth platform. It creates a secure pathway for its adoption, enabling the organization to expand patient access and create new revenue streams safely. It transforms the security discussion from ‘if’ to ‘how.’

This value becomes undeniable through strategic investments with concrete outcomes. Here are some examples to consider: AI-powered tools actively analyze network traffic to neutralize a ransomware attack before it cripples the system. A virtual CISO democratizes expertise, giving a regional hospital the same level of strategic guidance as a major health system to ensure compliance and resilience. At the endpoint level, comprehensive device management prevents a single compromised IV pump from becoming the entry point for a network-wide breach.

When leadership sees security actively defeating threats and paving the way for innovation, it ceases to be a line item and becomes a competitive advantage.

Paul Baratta, Manager, Healthcare Industry Segment Development Americas at Axis Communications
Security and safety within hospitals and healthcare organizations are just as important on the physical front as they are on the digital front. Multiple studies show healthcare workers experience higher rates of workplace violence and injuries than those in other professions; they're up to five times more likely to be victims of workplace violence, accounting for a large percentage of non-fatal workplace injuries. In fact, a survey conducted this year found 72% of healthcare security professionals cited violence to staff as the leading security challenge.

Due to these long-standing physical security issues, healthcare workers are not feeling safe at work and are leaving the industry, contributing to ongoing labor shortages in the space. However, advanced surveillance solutions can be implemented to enhance proactive safety measures and reduce workplace violence in healthcare environments.

AI is quickly becoming a vital component of surveillance technology, powering modern video, audio, and access control systems that are now able to understand scenes and behaviors like never before. AI is able to provide actionable data, alerts, and recommendations for faster incident response for both workplace violence incidents and patient emergencies. From body-worn cameras for enhanced staff protection and accountability to intelligent surveillance systems with embedded AI for real-time detection and response, hospitals and health systems have a variety of advanced technological solutions at their disposal to address today’s pressing security issues.

And in terms of privacy, experienced technology partners should tailor and design these solutions to reach the highest standards in quality care, safe and secure facilities, and efficient services, without compromising critical health information and data. Healthcare organizations that decide to leverage AI must also ensure that the use of AI aligns with relevant laws, governance frameworks, ethical standards, and data protection policies.

Abhinav Mishra, VP & Head of Engineering at Doceree
To ensure leadership buy-in, frame security and privacy initiatives as both risk mitigation and business enablers. The right investment, such as AI-driven threat detection, secure cloud backups, and modernized infrastructure, can prevent significant financial losses from fines, lawsuits, downtime, and the long-term erosion of patient trust. Human error remains a major vulnerability, so scenario-based employee training is essential for teaching staff to recognize phishing attempts, adopt stronger password practices, and respond effectively to suspicious activity.

Security also extends to connected medical devices and clinicians’ mobile tools. Isolating IoT devices on dedicated networks and enabling remote wipe capabilities on lost or stolen devices adds an additional safety net. Finally, emphasize that third-party vendor vetting, including certification for security compliance, ensures that every link in the chain meets the same high standards. This approach not only protects sensitive data but also strengthens the organization’s overall resilience.

Scott Lundstrom, Sr. Industry Strategist – Health, Life Sciences at OpenText
The biggest hurdle in healthcare cybersecurity isn’t technical; it’s getting buy-in from executives and administrators to invest in security.

Success starts with speaking their language. That means framing cybersecurity in business terms, not technical specs. Quantify the cost of a breach, including fines, legal fees, downtime, and reputational damage, and show how those risks far outweigh the cost of prevention.

Tying security directly to operations and patient safety also resonates. Cyberattacks can halt patient care, delay critical procedures, and disrupt billing systems that keep the organization financially stable. Instead of overwhelming leadership with jargon, focus on metrics that matter to them: incident detection and response time, system uptime, and cost savings from prevented breaches.

Beyond making the business case, meaningful partnerships across the organization are also essential. Security leaders should get involved early in strategic planning, not just during security reviews. By offering solutions that support broader departmental goals, cybersecurity teams can build trust and position themselves as collaborators, not roadblocks.

Dave Bailey, Vice President of Consulting Services at Clearwater
Security leaders often secure executive support by reframing cybersecurity as a business and patient safety issue. Risk analyses that map exposures directly to operational and financial impact resonate far more than technical metrics. When leaders see that a breach can mean not only regulatory fines but also delayed care or reputational harm, investment in security becomes a strategic imperative.

Ty Greenhalgh, Industry Principal of Healthcare at Claroty
Securing leadership buy-in starts with framing cybersecurity as patient safety, business continuity, and a driver of operational excellence and patient trust. When security is seen as essential to the organization’s mission, and not just a technical requirement, leadership engagement grows. Waiting for a real-world breach or regulatory penalty is a costly lesson. The most resilient organizations invest in security before it becomes a crisis, protecting patients, reputation, and operations.

Ken Armstrong, Information Security Manager at Tendo
It’s important to understand the business and your leadership to effectively build a security and privacy program. Fortunately, in healthcare, there are well-known and integrated authoritative standards that companies are held to. Aligning with leadership on risk threshold and tolerance is key to balancing security and privacy with other business decisions. Traditional tools such as risk assessments, risk registers, key risk indicators, and formal risk treatment processes can help communicate the why, while a detailed control matrix and strategy documentation can detail the what. Ultimately, it comes down to ROI and risk appetite.

Candice Moschell, Cybersecurity Leader at Crowe
To gain meaningful buy-in, cybersecurity and privacy need to be translated into language that resonates with the business, and that often means dollars and cents. While qualitative heat maps are helpful, shifting to quantitative risk assessments allows security and privacy teams to express their risk as financial risk, making it clear how vulnerabilities could impact revenue, operations, or regulatory exposure. When leaders see the potential cost of inaction, they’re more likely to prioritize investment.

Coupling that data with relatable storytelling, like real-world breach examples or tabletop exercises, further personalizes the risk. Communicating progress through dashboards that frame metrics in operational and strategic terms, not just technical KPIs, also reinforces relevance. Finally, aligning security and privacy metrics to business goals (uptime, patient care, reputation, revenue loss) frames cybersecurity and privacy as a strategic enabler, not just a cost center.
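Two of the contributors above point at the same mechanics: Ken Armstrong's risk registers, key risk indicators and "ROI and risk appetite", and Candice Moschell's move from qualitative heat maps to quantitative risk expressed in dollars. The following Python script is an added example written for this page; it is not code from any of the contributors or their companies. It turns one risk-register entry into calibrated estimates (a triangular range for how often a loss event happens per year, a 10th/90th percentile range for how much each event costs), runs a Monte Carlo simulation of annual loss, and reports the figures a board can act on: expected annual loss, a 90th-percentile year, the probability of exceeding a stated risk tolerance, and the net benefit of a proposed control against its annual cost. The scenario name, the numbers and the "after controls" estimates are constructed for illustration and are not measured data; the FAIR-style decomposition into frequency and magnitude is a standard quantitative-risk technique, not something the article prescribes.

```python
"""Monte Carlo loss simulation for a cyber risk scenario (FAIR-style).

Added example, not from the article. All scenario inputs below are
constructed, illustrative numbers, not measured data.
"""
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass
class Scenario:
    """One risk-register entry with calibrated estimates instead of a heat-map color."""
    name: str
    freq_min: float   # loss events per year, lowest plausible
    freq_mode: float  # loss events per year, most likely
    freq_max: float   # loss events per year, highest plausible
    loss_p10: float   # dollars per event, 10th percentile estimate
    loss_p90: float   # dollars per event, 90th percentile estimate


Z90 = 1.2815515655446004  # standard-normal z-score of the 90th percentile


def lognormal_params(p10: float, p90: float) -> tuple[float, float]:
    """Convert a 10th/90th percentile estimate into lognormal mu and sigma."""
    if not (0 < p10 < p90):
        raise ValueError("need 0 < p10 < p90")
    mu = (math.log(p10) + math.log(p90)) / 2  # natural log of the median loss
    sigma = (math.log(p90) - math.log(p10)) / (2 * Z90)
    return mu, sigma


def sample_poisson(rng: random.Random, rate: float) -> int:
    """Knuth's algorithm; adequate for the small per-year rates used here."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenario: Scenario, trials: int = 20_000, seed: int = 7) -> list[float]:
    """Return one simulated total loss for each of `trials` years (seeded, so reproducible)."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(scenario.loss_p10, scenario.loss_p90)
    years = []
    for _ in range(trials):
        # draw this year's event rate, then how many events occurred, then each event's cost
        rate = rng.triangular(scenario.freq_min, scenario.freq_max, scenario.freq_mode)
        events = sample_poisson(rng, rate)
        years.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return years


def percentile(values: list[float], pct: float) -> float:
    """Linearly interpolated percentile (pct in 0..100) of a list of values."""
    ordered = sorted(values)
    k = (len(ordered) - 1) * pct / 100
    lo, hi = math.floor(k), math.ceil(k)
    return ordered[lo] + (ordered[hi] - ordered[lo]) * (k - lo)


def summarize(years: list[float], tolerance: float) -> dict:
    """Expected loss, a bad year, and the chance of breaching the agreed risk tolerance."""
    return {
        "ale": mean(years),                      # annualized loss expectancy
        "p50": percentile(years, 50),
        "p90": percentile(years, 90),
        "p_exceed": sum(1 for y in years if y > tolerance) / len(years),
    }


def control_value(baseline: list[float], mitigated: list[float], annual_control_cost: float) -> dict:
    """Net annual benefit of a control: ALE reduction minus what the control costs each year."""
    reduction = mean(baseline) - mean(mitigated)
    return {"ale_reduction": reduction, "net_benefit": reduction - annual_control_cost}


if __name__ == "__main__":
    # hypothetical register entry and a hypothetical control (segmentation plus tested backups)
    ransomware = Scenario("ransomware on clinical systems", 0.1, 0.25, 0.5, 100_000, 2_000_000)
    with_controls = Scenario(ransomware.name + " (after controls)", 0.05, 0.12, 0.25, 50_000, 800_000)
    base = simulate_annual_loss(ransomware)
    mit = simulate_annual_loss(with_controls)
    for label, years in (("before", base), ("after", mit)):
        s = summarize(years, tolerance=1_000_000)
        print(f"{label}: ALE ${s['ale']:,.0f}  p90 ${s['p90']:,.0f}  P(loss > $1M) {s['p_exceed']:.1%}")
    print(control_value(base, mit, annual_control_cost=150_000))
```

The output is what replaces a "high/red" cell on a heat map: an expected annual loss in dollars, a tail-year figure, and a probability of exceeding the tolerance leadership signed off on. Rerunning `summarize` each quarter with updated estimates gives the key risk indicator trend for a dashboard, and `control_value` is the ROI line for a specific budget request. The estimates are the weak point, so they should come from calibrated subject-matter experts and be recorded in the risk register alongside the result.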

Joe Fichera, Group Lead, Cyber Security at TruBridge
Awareness and education create mutual understanding and shared language between IT leaders and professionals across other departments. IT teams must research and communicate the costs of a security breach to build buy-in and emphasize the importance of continuous monitoring and prevention efforts. With the right systems in place, costs, response, remediation, and recovery times will be significantly reduced.

So many great ideas here! Huge thank you to everyone who took the time out of their day to submit a quote to us! And thank you to all of you for taking the time out of your day to read this article! We could not do this without all of your support.

What do you think you can do to get better buy-in from your leadership to support security and privacy efforts? Let us know over on social media, we’d love to hear from all of you!
