Healthcare and technology have never been more deeply entwined. From AI-driven diagnostics and medical IoT devices to telemedicine and electronic health record (EHR) systems, the industry’s collective push toward digital transformation continues to reshape the nature of patient care. But every tech innovation opens a new door for exploitation—ransomware, software vulnerabilities, and social engineering exploits—risks that jeopardize both healthcare operations and the sensitive patient data they protect.

With over 305 million patient records exposed in 2024 and the average security breach costing $9.77 million, the urgency to shield digital infrastructure from rising cyber threats has elevated the role of the Chief Information Security Officer (CISO). As more healthcare organizations embrace advanced tech infrastructure, both data and infrastructure security have become strategic imperatives. CISOs now shoulder the dual responsibility of ensuring digital systems are not only functional but resilient.

To better understand the impact of cyber threats across healthcare, we spoke with three healthcare CISOs and one founder about the industry’s most pressing threats, how organizations are working to protect themselves, and what’s truly needed to succeed in the role.

Healthcare’s Greatest Cybersecurity Risks

For decades, threat actors have prioritized companies with valuable data that can either be sold or exploited for financial gain, making healthcare organizations prime targets for criminals seeking to profit from stolen data. While IT departments have adapted to thwart traditional forms of attack, new advancements—particularly in AI—outpace many organizations’ ability to defend themselves effectively.

“AI has completely transformed the way criminals conduct attacks, both in terms of velocity and sophistication. The pace at which these attacks are evolving has led to even greater emphasis on protecting data due to its immense value.”—Param Vig, CISO of Solventum

AI’s impact on healthcare’s digital security is often referenced from the attacker’s point of view. However, its use also poses risks from within, as healthcare employees increasingly rely on AI tools to improve patient experience and offer clinical decision support—sometimes putting sensitive patient data at risk.

“Healthcare employees are looking to AI tools to improve care, not harm the healthcare system. However, there’s real potential for leaking information into these models without realizing it. Large language models are trained on whatever you give them. So, when a well-intended healthcare provider inputs a person’s health information, that data could resurface or create unintended references. That’s why almost every conversation about AI in healthcare comes back to safety, security, monitoring, and governance.”—Kedar Mate, Chief Medical Officer & Founder at Qualified Health

Ransomware remains an industry-wide concern. However, smaller healthcare organizations face even greater risk, as they often lack the same financial resources to implement strong security protocols.

“Lots of small to medium healthcare delivery companies do not have the budget to invest and stay on top of these new technologies. For those companies, it is not a matter of if there will be an attack, but a matter of when. Underinvestment creates a fairly large threat landscape.”—Judy (Hatchett) Molenaar, CISO at Surescripts

The healthcare sector has also seen a sharp uptick in remote work and virtual care in the post-pandemic era. Yet the rush to enable remote work and telemedicine platforms has led many organizations to overlook critical security considerations, increasing vulnerability across the industry.

“When COVID hit and everyone went remote, companies had to move fast to adapt to a large remote workforce—often without fully thinking through access and permissions. Since then, companies have had to go back and reassess everything, or they should be, especially in healthcare and life sciences spaces. Too many shortcuts were taken during COVID that have not been shored up from a security and risk standpoint.”—Shannon Shirk, Former CIO/CISO at Health Connect America

What It Takes to Build Resilience

Even with cyberattacks growing increasingly sophisticated, human error remains one of the industry’s biggest vulnerabilities. Whether it’s falling for social engineering exploits, using unsecured networks, or mishandling sensitive data, employee behavior continues to create opportunities for attackers. With that in mind, CISOs are putting greater emphasis on employee awareness to reduce risk.

“Education is a big part of resilience and prevention, but the truth is, even with extensive training, employees are human and don’t perfectly follow security protocols 100% of the time when it comes to handling sensitive patient data. So, you have to build and plan around that risk with technology, process, continuous education, and people.”—Shannon Shirk, Former CIO/CISO at Health Connect America

“Having visibility across the digital ecosystem is an absolute necessity. That means having a full inventory of assets, understanding who’s using those assets, and having awareness of the specific privileges they have. If you don’t have a handle on all three of these factors, there are going to be blind spots that elevate risk.”—Judy (Hatchett) Molenaar, CISO at Surescripts

The Present and Future CISO Leadership

The role of the CISO will only become more critical as the healthcare sector continues to digitize. But many CISOs note that healthcare working environments operate very differently from other sectors—especially in terms of compliance, data management, and system complexity—making direct industry experience a valuable credential for those being considered for new roles.

“Direct industry experience is incredibly important for any CISO working in healthcare. This isn’t just about general cybersecurity—it’s about understanding healthcare and life science frameworks and how data flows across a highly interconnected and regulated ecosystem. The Change Healthcare breach in 2024 is a perfect example: poor contractor access controls and no multifactor authentication contributed to a ~$3 billion breach that’s still unfolding. If you don’t know who owns the data, who is authorized to access that data, and where vulnerabilities lie, you can’t build true resilience.”—Shannon Shirk, Former CIO/CISO at Health Connect America

“There’s no question that the CISO role will change significantly over the next five to seven years. I expect we’ll see a lot of tech CISOs enter healthcare, which could lead to a more cyber-intrinsic mentality across the industry.”—Param Vig, CISO of Solventum

The increasingly technical nature of healthcare will undoubtedly bring many positives to the industry, especially in terms of care quality and accessibility for patients. Yet many CISOs shared anxiety about the availability of cybersecurity talent to meet expectations.

“Talent is a constant struggle—I believe there are roughly 300,000 unfilled healthcare cybersecurity roles in the U.S. alone. To address this, healthcare companies will need to adopt a multipronged approach between internal teams and external vendors.”—Param Vig, CISO of Solventum

“There’s definitely a talent shortage, and the barrier to entry is still high. The upside is AI may help with this, as companies can take someone with limited experience and use AI to teach them how to monitor, do investigations, etc.”—Judy (Hatchett) Molenaar, CISO at Surescripts

As the healthcare sector continues its digital evolution, the weight of the CISO role is growing just as quickly. No longer just managers of IT infrastructure, these leaders are central to protecting sensitive information and critical systems from an ever-changing threat landscape. The future of healthcare will demand CISO leadership that balances technological innovation with an unwavering commitment to patient care.

Stay up to date on the latest trends and insights shaping the executive search landscape from JM Search’s Blog.