Why cyber security leadership is now a patient safety issue

Odgers’ Chris Hamilton and Mike Drew explain why cyber security leadership is now paramount for most healthcare providers

In hospitals across the world, cyberattacks have moved from disrupting systems to endangering lives.

When an attack locks clinicians out of patient files or disables connected medical devices, care can stall in critical moments.

The line between digital risk and clinical harm has disappeared.

For healthcare organisations, cyber security is no longer just a technical or compliance function; it is a matter of patient safety that demands attention from every board and executive leader.

Why Healthcare Is Uniquely Vulnerable to Cyberattacks

The latest wave of ransomware incidents has exposed just how vulnerable the sector has become.

Legacy infrastructure, outdated systems, and the rise of connected devices have created vast attack surfaces.

Criminal groups target hospitals because they know the stakes are high. Healthcare providers often face a devastating choice: restore services quickly or risk lives.

According to McKinsey’s 2025 analysis, cyberattacks on healthcare provider organisations nearly doubled in 2023 compared with 2022.

The sector now records the highest average cost per data breach of any industry worldwide, at $9.8 million per incident. The financial losses are severe, but the real cost is measured in patient outcomes and trust.

From IT Risk to Clinical Risk: A Paradigm Shift in Leadership Thinking

The connection between cyber risk and patient harm is no longer hypothetical.

A 2023 study by DePaul University found that hospitals hit by ransomware attacks experienced a 0.77 percentage point increase in in-hospital mortality rates, a 20.7 per cent relative rise among patients already admitted. In the most severe cases, mortality rose by up to 1.87 percentage points, a 55 per cent relative increase.

These findings confirm what many clinicians and technology leaders have feared: every minute of downtime matters.

When access to data, diagnostic systems, or communications is compromised, so is patient care.

This changing threat environment demands a new kind of leadership.

Historically, Chief Information Security Officers were recruited for technical expertise in firewalls, compliance, and network defence.

Today, healthcare requires leaders who understand how cyber incidents can ripple through clinical operations, supply chains, and frontline care.

The CISO role has evolved into one that blends operational resilience with patient safety and ethical responsibility.

What Boards Should Look For in Cybersecurity Leaders Today

Forward-thinking organisations are already responding. In leading health systems, cyber security and clinical safety teams are beginning to collaborate more closely, sharing data and designing joint response protocols.

Board-level governance frameworks are being updated to recognise that cyber preparedness is not a back-office issue but a pillar of operational continuity.

The ability to translate technical threats into patient-safety language that resonates with boards, clinicians, and regulators is now a defining skill for modern security leaders.

For executives making these appointments, the qualities to look for have changed.

Cyber security leaders in healthcare must be clinically fluent and able to understand how digital systems underpin every stage of care delivery.

They must lead cross-functionally, working across clinical, operational, and compliance functions to embed a culture of security that supports care continuity.

They also need strong communication and cultural credibility, able to earn the trust of both technologists and medical staff.

Above all, they must possess a resilience mindset that focuses not only on defence but on recovery and adaptation.

The Talent Challenge: Building a New Generation of Cyber-Clinical Leaders

Finding leaders who embody these capabilities is not straightforward.

There is a growing global talent gap between traditional cyber security specialists and leaders who can operate in complex clinical environments.

Many healthcare systems are experimenting with hybrid models, pairing Chief Information Security Officers with Chief Clinical Safety Officers or sharing accountability between technology and operations.

Some are looking beyond the sector, recruiting from industries such as aviation, energy, and defence, where cyber resilience has long been critical to safety.

Yet these leaders must be carefully integrated to align with healthcare’s values and patient-first ethos.

Bridging this divide will also require investment in leadership development.

Future-ready organisations are upskilling both IT and clinical leaders, ensuring each understands the other’s priorities and constraints.

Building this shared understanding across disciplines can reduce friction, improve incident response, and strengthen overall resilience.

The most effective cyber security executives will not emerge from technology or healthcare alone, but from both worlds.

Reframing Cyber Security as Patient Care

Ultimately, cyber security in healthcare must be reframed as an extension of patient care.

Protecting patient data, clinical systems, and operational continuity is as essential as protecting patients themselves.

Every digital system that supports a diagnosis, medication, or life-saving intervention must be treated as part of the care pathway.

Patients trust healthcare providers with their most personal information and their lives.

Safeguarding that trust requires leadership that sees cyber security not as a technical barrier but as a human safeguard.

For boards, the question is no longer whether to invest in cyber security but whether the right leadership is in place to ensure resilience when the next attack comes.

Healthcare organisations that view cyber resilience as a cornerstone of patient safety will be better equipped to protect their people, their reputation, and their mission.

In today’s environment, a secure hospital and a safe hospital are one and the same.
