Cybersecurity is an essential, if often costly, aspect of hospital operations.
At Becker's Health IT + Digital Health + Revenue Cycle event, hospital CIOs shared how they tackle cybersecurity on a budget, balancing financial constraints with the pressing need to secure sensitive patient data. Panelists Garrett Olin, CIO of Redding, Calif.-based Shasta Community Health Center, Greg Bryant, director of IT at North Texas Medical Center in Gainesville, and Teresa Andrea, vice president and CIO of Silver Cross Hospital in New Lenox, Ill., spoke to the importance of creative financing, vendor negotiation, and strategic prioritization to keep hospitals safe from cyber threats.
Cybersecurity is a priority that can’t be sacrificed, even with budget limitations.
"We have to be more creative in trying to figure out how we're going to address [cyberthreats] because our budget is not nearly the size of some of the others," said Mr. Orland. "We find a way to do more with less. Part of that is being open to listening. I talk to vendors, the various cold calls and things like that just because I want to learn what's out there, what's available that maybe we hadn't thought of or seen. Then I try to negotiate the best price if it's something we think we need and can provide the security we're looking for."
It's important to find affordable cybersecurity solutions that still offer robust protection. Negotiating with vendors has been one of his strategies to reduce costs while obtaining high-quality security measures.
"There are some things you have in an organization like security that are non-negotiables," said Mr. Bryant. "When budget time comes and we have to spend X amount of dollars on cybersecurity, we're going to spend it or face a worse cyberattack than what we may have before. Being that diplomat is part of the job nowadays, and it has its ups and downs, but it makes you also appreciate the other parts of the organization and how everything can tie together."
North Texas Medical Center recently adopted a cybersecurity solution that offered ransomware prevention. The tool, which generates decryption keys in case of a ransomware attack, not only helps prevent costly downtime but also lowered the hospital's cybersecurity insurance costs.
Implementing cybersecurity on a budget requires clear communication with the hospital’s leadership to ensure buy-in. It's important to educate stakeholders on the significance of cybersecurity investments, particularly those that may not show immediate returns but prevent costly breaches in the long term.
"You have to have good dialogue with your executive team and your board of directors and really understand what is the level of risk they are willing to tolerate," said Ms. Andrea "Because then when it comes down to what your budget is, you put things in the bucket of what's the non-negotiables, what are the things we have to do, what's strategic and what's the nice to haves? At the end of the day, that is where there's more dialogue and where they continuously and increasingly look the CIO as a business partner to help navigate that."
Mr. Bryant frames cybersecurity as essential to patient care and hospital operations, not just a technology expense.
"Our job is to make sure leadership sees security as part of our commitment to patient safety," he said. This mindset helps hospital leadership recognize cybersecurity investments as integral to operational continuity and patient trust, even in smaller budget environments.
Working within budget constraints requires agility and a willingness to adapt. The cybersecurity landscape evolves rapidly, and maintaining an effective defense requires staying up-to-date with threats and technologies, even on a limited budget.
"Every dollar has to go toward something that actively protects us," Mr. Bryant said.