
Strengthening the CFO/CISO partnership for cybersecurity | Viewpoint
When patient safety and solvency are both at stake, chief financial officers and chief information security officers must work together.
A single ransomware event, data breach or bad actor inside your infrastructure can be financially catastrophic to a healthcare organization.
The Ascension Health ransomware incident in 2024 ultimately cost the organization an estimated $1.3 billion. Smaller providers often cannot absorb that type of blow – and some are forced to close permanently after a single devastating attack. Medium-sized providers often have to look at severe cost-cutting measures or longer-term payments to vendors and providers.
Cybersecurity isn’t just a technical conversation anymore; it’s a financial one. In healthcare, the cost of cyber risk is measured not only in terms of breached records or downtime, but also in cancelled procedures, delayed reimbursements, and long-term reputational damage.
When patient safety and solvency are both at stake, chief financial officers and chief information security officers must operate as partners, not peers in separate silos.
Threats continue to escalate
Cybersecurity incidents can quickly become a patient safety, financial and operational crisis. Here’s a stark overview of the threat landscape:
Healthcare remains a prime target – Healthcare breaches are the most expensive across all industries:
Ransomware – Ransom demands across industries averaged $5.2 million in 2024, and healthcare is consistently among the highest-targeted sectors.
Phishing and social engineering – In healthcare, phishing-related incidents average $9.77 million per breach.
Long dwell times – Healthcare breaches take 279 days on average to contain. That’s five weeks longer than other industries, adding to the cost of downtime and remediation.
Regulatory and legal exposure – As of April of this year, the HHS Office for Civil Rights (OCR) was investigating 554 hacking-related breaches, most involving providers. In 2025, we’re seeing steeper penalties from $75,000 to $3 million in single cases.
For CFOs, every decision comes back to dollars: revenue, EBITDA, and cash flow. Translating cyber risk into financial terms reframes the discussion from “IT security” to “enterprise resilience.”
Every CFO needs to understand what 24 hours of system downtime means for billing and claims processing – and how a ransomware event can delay reimbursements and impact liquidity.
CFOs don’t need a crash course in firewalls or zero trust. What they need is confidence that their cybersecurity team can articulate how investments reduce exposure.
When a breach hits, CFOs become first responders too – sourcing liquidity, managing insurer payouts, and coordinating emergency vendor payments. The more CFOs understand what happens in the first 72 hours, the more aligned your organization will be when a crisis strikes.
Protecting margins and protecting patients are inseparable priorities. When security and finance share a common ROI framework, budget conversations become strategic rather than transactional.
Working closely together, CFOs and CISOs can ensure that the cybersecurity strategy aligns with the goals of patient safety, financial health and regulatory compliance. This partnership is critical because auditors and insurers are starting to require quarterly cyber attestations and financial modeling of risk.
Creating a CFO action plan
Here are some steps that healthcare CFOs can take to safeguard their organizations from cybersecurity threats:
Take part in tabletop exercises – In these simulations of actual attacks, CFOs can practice sourcing liquidity, coordinating insurer payouts, and managing emergency vendor payments during a crisis.
Create a financial reserve for cyber incident response – Allocate 1–2% of operating expenses for breach response, OCR penalties, and uninsured costs.
Tighten vendor oversight – This year, there are dozens of vendor-related breaches under OCR investigation. Demand SOC 2/ISO 27001 attestations, breach-notification clauses, and proof of cyber insurance.
Use cyber insurance strategically – Premiums are high, but stabilizing. You can reduce costs by securing business interruption coverage tailored to healthcare billing and claim risks.
Get to know your current providers – If you are not relying entirely on in-house resources, get to know your MSSP or other providers. Use that relationship to identify where spend can be shifted to better mitigate risk, and to understand how your spend compares with what they see across the industry. Let them be as helpful as possible.
Hospital CEOs and board members have a lot on their plates besides cybersecurity. CFOs and CISOs can help reframe cybersecurity as both a financial imperative and patient safety issue.
One devastating cyber incident can sink a healthcare organization that doesn’t have the deep pockets of Ascension Health. And when critical systems are locked up, the result isn’t just downtime. It’s delayed diagnostics, canceled procedures and risks to patient safety.
Strengthening the CFO/CISO alliance is clearly one of the most important initiatives in healthcare today.
Greg Breetz is chief financial officer of Fortified Health Security, headquartered in Brentwood, Tennessee.