In today’s fast-evolving digital landscape, establishing a cybersecurity strategy that can withstand constant threats, personnel turnover, cyber intrusions, and regulatory demands is paramount for health care organizations. This comprehensive guide will delve deeper into the key challenges and strategic solutions to create a defensible cybersecurity program.

Key Challenges for Health Care Organizations

Fragility of Our Systems

Growing up on a farm and ranch on the high plains of Texas, my father regularly shared with me the phrase, “Anything man can create, man can break.” In cybersecurity, this is evident as our technological creations remain vulnerable to attack and failure. For instance, a case study from 1985 showed that malicious code could be inserted into software without detection.1 With millions of lines of code in modern operating systems, vulnerabilities are persistent.

Millions Invested Are Not Enough

Even organizations that invest heavily in cybersecurity may still suffer incidents. Take the Equifax breach of 2017, which cost the company billions despite extensive cybersecurity investments.

Programs Often Are Tech-Focused

Many cybersecurity programs revolve around purchasing and managing technical tools. However, security encompasses administrative and physical safeguards, not just technology.

Lack of Strategic Direction

Reactive measures dominate many cybersecurity programs, lacking a long-term strategic road map and leaving organizations ill-prepared for evolving threats. A proactive program will have a long-term or multiyear strategic road map that includes space for responsive actions and establishes long-term strategic goals.

Increased Demands from Regulators, Insurers, Investors, and Customers

Health care organizations must meet various compliance standards, control frameworks, and regulatory expectations, adding complexity to their cybersecurity responsibilities. In addition to increased oversight from regulatory bodies, they also must meet expectations from cybersecurity insurers, investors, and customers.

Cybersecurity Leadership and Personnel Turnover

High turnover in the cybersecurity workforce and leadership positions creates challenges in maintaining a consistent and effective cybersecurity strategy. Additionally, it often takes several months for new cybersecurity leadership to learn the business and up to a year or more to develop relationships and start deploying the plan. After two to three years, cybersecurity leadership often receives an opportunity at another organization, and then the entire process starts again.

Strategic Solutions

Establish a Multiyear Strategic Road Map

A long-term cybersecurity road map aligned with organizational priorities is crucial. It should include a Cybersecurity Program Charter, a Cybersecurity Oversight Committee, and adherence to compliance program elements, such as leadership support, risk assessment, policies, controls, training, enforcement, investigations, auditing, and third-party management.

Regularly review and update your strategic road map to adapt to emerging threats and changing organizational needs. Engage all stakeholders in the process to ensure alignment with the organization’s goals.

Align with and Adopt Designated Cybersecurity Frameworks

Considering the high turnover rates of cybersecurity leaders, it is common for an organization's cybersecurity strategy to stall rather than progress. One solution is for the organization to align itself with an industry-accepted framework, such as the National Institute of Standards and Technology Cybersecurity Framework, the International Standards Organization 27000 series, or the Center for Internet Security controls.

Implement a framework that aligns with your organization’s specific needs and regulatory requirements. Regularly assess your adherence to the framework to identify gaps and areas for improvement.

Create Annual Tactical Work Plans

Develop annual tactical work plans to prioritize controls, allocate budgets, and align with stakeholder expectations. These plans should encompass improvements, risk remediation, and specific control requirements. Ensure that your tactical work plans are dynamic and responsive to emerging threats. Conduct regular reviews to track progress and adjust priorities as needed.

Invest Logically into Controls: Avoid Focusing on the Latest Market Acronym

Cybersecurity investments should prioritize fundamentals. Follow a logical hierarchy, just like building a strong foundation before constructing a building. Implement controls that match organizational needs and capabilities.

Continuously assess your cybersecurity controls to ensure they are effective. Prioritize investments based on risk assessments and threat intelligence, not just on the latest trends.

Establish an Oversight Committee and Regularly Report Program Status

Form a cybersecurity oversight committee with diverse organizational leaders to guide the program. A successful cybersecurity oversight committee often consists of the CEO or designee, chief information officer, legal officer, human resources, operational leadership, risk management, compliance officer, and audit representation. This committee should meet regularly and receive status reports on program measurements, strategic road map progress, assessment results, compliance status, annual work plans, and control improvements.

Empower your oversight committee with the authority to make decisions and allocate resources. Ensure that they have a clear understanding of the cybersecurity program’s goals and objectives.

How to Get Started

By aligning with recognized cybersecurity frameworks, continually assessing program status, engaging stakeholders, developing annual tactical work plans, and logically implementing controls, health care organizations can meet regulatory, insurer, investor, and customer expectations while reducing cybersecurity risks. This strategic approach provides a defensible cybersecurity strategy for health care organizations in an ever-evolving threat landscape. Remember, cybersecurity is not just a technology issue; it’s a business imperative that requires a proactive and comprehensive approach to protect patient data and hospital operations.

At LBMC, we understand creating a secure environment requires both an understanding of the business’ larger objectives and clear and open communication among security professionals, operational leaders, and the boardroom. For questions or guidance on how your organization can get started, contact me at

1. Perlroth N. This Is How They Tell Me the World Ends. New York: Bloomsbury Publishing; 2021. p. 87.