Board Governance | Healthcare Cybersecurity | CIO Advisory
Healthcare boards carry fiduciary and ethical responsibility for patient safety. In today’s threat landscape, that responsibility now extends directly into the digital realm.
Patty Lavely | Founder, CIO Consulting LLC | Boardroom Qualified Technology Expert (QTE) | CHCIO
When I sit in a boardroom, whether advising a hospital system or serving in an executive capacity, I hear this particular question over and over: Are we doing enough to protect our patients and our organization from a cyberattack?
In my 25+ years serving as both a CIO and CISO, I’ve watched how the digital age has rapidly transformed healthcare, for better and worse. I’ve seen what happens when boards don’t ask the right questions, and what’s possible when they do. Cybersecurity used to be an IT issue, but now it’s become a patient safety issue, a financial stewardship issue, and increasingly, a board governance issue.
Healthcare organizations face a relentless and growing threat landscape. In 2024, healthcare had the highest combined total of ransomware and data theft attacks of any U.S. critical infrastructure sector[1], and for the 14th consecutive year, healthcare topped the list for the most expensive data breach recoveries, averaging $9.77 million per incident.[3] The consequences — delayed care, compromised patient records, regulatory penalties, reputational damage — are severe. Despite this, I frequently see boards that don’t have the necessary tools and framework to interface with their CIO about cybersecurity in a meaningful way.
Here are the five questions I believe every hospital board member should be asking their CIO, plus examples of strong answers I want to see from the C-Suite when I serve in an advisory role.
QUESTION 1
What is our current cybersecurity risk posture, and how do you measure it?
This is a foundational question, and the answer tells you a great deal about your CIO’s maturity. If you only get one question, ask this one. A strong CIO should be able to articulate your organization’s risk posture in plain language, referencing a recognized framework such as NIST, HITRUST, or the HHS Health Industry Cybersecurity Practices (HICP) guidelines[2]: a voluntary set of federally recognized standards developed collaboratively by HHS and the Health Sector Coordinating Council. They should be tracking metrics that go beyond just “we haven’t been breached,” because in healthcare, it’s often not a matter of if, but when.
Follow-up prompts for the board:
- Have we completed a third-party cybersecurity risk assessment in the past 12 months?
- What frameworks are we measured against, and who validates the results?
- How does our risk posture compare to peers of similar size and complexity?
QUESTION 2
What is our incident response plan, and when was it last tested?
Having a plan on paper is not the same as being ready to execute under pressure. I’ve worked through real incidents, and the organizations that recover fastest are those that have not just documented their response plans, but tested them. Thoroughly. This matters more than ever: in 2024, 37% of healthcare organizations required more than a month to recover from a ransomware attack [5]. Boards should expect their CIO to describe a living, regularly exercised playbook that includes clinical operations, communications, legal, and leadership. Tabletop exercises should be a routine part of your governance calendar, not a once-in-a-decade event.
Follow-up prompts for the board:
- When did we last conduct a tabletop exercise, and how was board leadership involved?
- What is our expected recovery time for critical clinical systems?
- Do we have a downtime procedure that keeps patient care operational during an attack?
QUESTION 3
How are we protecting our third-party and vendor relationships?
Some of the most damaging healthcare breaches in recent years didn’t start inside the hospital; they came through vendors, clearinghouses, and technology partners. Your EHR, your revenue cycle platform, and your connected medical devices are each a potential entry point. Boards should expect robust vendor risk management programs that include cybersecurity requirements in contracts, ongoing monitoring, and clear accountability. This is especially critical as healthcare systems expand their digital ecosystems and vendor connections.
Follow-up prompts for the board:
- Do our vendor contracts include cybersecurity and breach notification requirements?
- How are we monitoring third-party access to our systems in real time?
- What is our exposure risk through connected medical devices and IoT infrastructure, and how is that risk evaluated?
QUESTION 4
What cybersecurity investments are we making, and are they sufficient?
Cybersecurity investment is not just a line item in the IT budget. It is a strategic commitment to patient safety and organizational resilience. Boards have a fiduciary responsibility to ensure resources are appropriately allocated to mitigate risk, yet only 14% of healthcare organizations report that their IT security teams are fully staffed[6], and 41% of healthcare IT professionals believe their organizations allocate insufficient resources to cybersecurity[4]. A well-prepared CIO should be able to present cybersecurity spending in the context of risk reduction, not just as a cost, but as a value proposition. If your organization hasn’t had a formal technology risk discussion at the board level in the past year, that’s a gap to address quickly.
Follow-up prompts for the board:
- What percentage of the IT budget is allocated to cybersecurity, and how does that benchmark against our peers of similar size and complexity?
- Are we appropriately staffed or relying on one or two individuals for critical security functions?
- Do we have cyber liability insurance, and have we reviewed coverage limits recently?
QUESTION 5
How are we building a culture of cybersecurity awareness across the organization?
Technical controls and systems can only go so far. The majority of successful cyberattacks begin with human error: a clicked phishing link, a weak password, a misconfigured system, etc. Human error contributed to 95% of data breaches in 2024[7], and in healthcare specifically, 88% of employees opened phishing emails in 2024, and over 90% of cyberattacks on healthcare entities involved phishing schemes[5]. Your CIO should be able to speak to the organization’s security culture as clearly as they can speak to your technical controls. This means ongoing training, phishing simulation programs, clear policies, and leadership modeling expected behavior around security. Cybersecurity is everyone’s responsibility, from the C-suite to the clinical staff.
Follow-up prompts for the board:
- What does our security awareness training program look like, and how often do staff go through training? How often is the training updated, and what triggers do we use to identify when to update training?
- What are our click rates on phishing simulations, and how are we improving them?
- Does our leadership team model good cybersecurity hygiene? How are they trained to talk to their teams about security?
The board’s role is to ask and to expect clear answers
Board members don’t need to be technology experts to provide effective cybersecurity oversight. They do need to ask the right questions, understand the answers in the context of patient safety and organizational risk, and hold leadership accountable for meaningful progress.
In my experience advising healthcare organizations and serving in executive roles, the organizations that navigate cyber risk most effectively are those where the board is genuinely engaged, not simply informed after the fact. That requires a CIO who can communicate clearly across the boardroom table, and board members who are equipped to meet them there.
If your organization doesn’t yet have a regular cadence of cybersecurity reporting to the board, or if you’re uncertain whether the right questions are being asked, that’s exactly the kind of gap I help organizations address.
Looking to strengthen your board’s cybersecurity oversight?
Patty Lavely works with healthcare boards and leadership teams on technology risk management, IT governance, and forward-thinking cybersecurity strategy. As a Boardroom Qualified Technology Expert (QTE) and Certified Healthcare CIO, she brings both the board governance perspective and the executive technology experience to help your organization ask — and answer — the right questions.
Ready to get the right advice for your board and your CIO? Let’s chat.
Patty Lavely is the founder and principal consultant of CIO Consulting, LLC. She is a Boardroom Qualified Technology Expert as certified by the Digital Directors Network, a Certified Healthcare Chief Information Officer and Digital Executive of CHIME, and a Fellow of the American College of Healthcare Executives. She holds an MBA from Florida State University.
Sources
[1] American Hospital Association. “Report: Health Care Had Most Reported Cyberthreats in 2024.” AHA News, May 2025. https://www.aha.org/news/headline/2025-05-12-report-health-care-had-most-reported-cyberthreats-2024
[2] U.S. Department of Health & Human Services, 405(d) Program. “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients, 2023 Edition.” HHS 405(d), 2023. https://405d.hhs.gov/cornerstone/hicp
[3] GovInfoSecurity. “How Healthcare Cyberattacks Broke Records in 2024.” GovInfoSecurity, December 2024. https://www.govinfosecurity.com/how-healthcare-cyberattacks-broke-records-in-2024-a-27116
[4] DialogHealth. “120+ Latest Healthcare Cybersecurity Statistics for 2025.” DialogHealth Blog, August 2025. https://www.dialoghealth.com/post/healthcare-cybersecurity-statistics
[5] Varonis. “38 Must-Know Healthcare Cybersecurity Statistics.” Varonis Blog, April 2025. https://www.varonis.com/blog/healthcare-cybersecurity-statistics
[6] IBM Security. “Ransomware on the Rise: Healthcare Industry Attack Trends 2024.” IBM Think, November 2025. https://www.ibm.com/think/insights/healthcare-industry-attack-trends-2024
[7] Mimecast / Infosecurity Magazine. “95% of Data Breaches Tied to Human Error in 2024.” Infosecurity Magazine, March 2025. https://www.infosecurity-magazine.com/news/data-breaches-human-error/