Introduction to Cybersecurity Budgeting: Strategies for Healthcare CFOs

If there ever was a time for CFOs to focus on budgeting for healthcare security, that time is now. The healthcare industry saw an alarming 239% increase in large-scale data breaches over the past four years. And while cybersecurity might not be every CFO’s strong suit, CFOs are the best in the world at mitigating financial risk.

Generally, CFOs are putting more and more into their cybersecurity budget. Yet, the growing number of cybersecurity attacks continues to challenge these strategies. 

Related Reading: Looking Ahead at the Cybersecurity Landscape for Healthcare in 2024

CFOs might think cybersecurity should be left to their Chief Information Security Officer (CISO). However, there has never been a more crucial time for CFOs to recognize their part in reducing cybersecurity risk.

Why? The stats above and the threat landscape demand a different perspective from CFOs. This article addresses that perspective and how CFOs should approach cybersecurity.

Simply put, the threat of attacks in healthcare is serious. Breaches can be very costly because they involve highly sensitive patient data. So, it’s important that CFOs realize how much their financial decisions affect their overall security position.



Why Healthcare CFOs Should Be Tuned Into Cybersecurity Beyond The Budget

There is no way to put it lightly - with the average cost of a healthcare data breach at $10.93 million, a cybersecurity attack is a nightmare for CFOs. 


The Implications of Cybersecurity Attacks

Just one attack could severely damage the bottom line and lead to long-lasting issues, including:

  • Cost of breach
  • Cost of brand reputation
  • Loss of customer trust
  • Loss of customers
  • Cost of remediation
  • Legal fees and settlements from lawsuits
  • Compliance penalties
  • Downtime or disrupted operations (revenue loss)
  • Increased insurance premiums
  • Loss of investor confidence
  • Patient identity theft
  • Jailed CISOs

Plus, the healthcare industry is heavily regulated due to sensitive patient data. Most companies are required to comply with several frameworks at once, such as HIPAA, HITRUST, GDPR (for EU), and PCI DSS (for payment card information). 

Compliance violations can lead to huge penalties. Plus, having multiple frameworks means those fines could double or triple, costing thousands or even millions of dollars.


One Example of a Recent Healthcare Cybersecurity Attack

For a real-life example, look at what happened with the recent UnitedHealthcare security breach. This one attack is thought to have affected “maybe a third” of the American population. Hackers apparently obtained over six TB of sensitive patient data, leading to at least six class action lawsuits. To date, this event is costing healthcare providers an estimated $100 million… daily. 

If we look closer at this incident, we see another alarming trend across the industry - consolidation. The cybersecurity attack targeted Change Healthcare, which is a subsidiary of UnitedHealth Group that it acquired in 2022. 

While we are not saying this consolidation is directly to blame, it is worth noting that increased consolidation results in increased information sharing. And, as the number of parties increases, so does the risk of breaches. 

Related Resource: How Ransomware Has Caused Patient Deaths in Healthcare


Businesses Are Not Spending Enough on Cybersecurity (According to Industry Experts)

But before we look at how CFOs can strategize their plan for risk management in healthcare, let us see how the rest of the industry is doing.

The UnitedHealthcare security breach has experts second-guessing how well the healthcare industry is prepared for attacks. According to these experts, cybersecurity spending is simply not on par with the growing scale and threat of these incidents. 

With so many other challenges in the healthcare industry competing for the same budget, CFOs must firmly make the case for cybersecurity spending. That means arguing that investing in cybersecurity is more important than other issues, including more “traditional” investments.

CFOs are also able to influence the board on the importance of cybersecurity spending. While it may prove tricky to convince them, the key is that their status as CFO (financial decision maker and risk mitigator) makes them a pivotal player in advocating for security spending.

Related Resource: Social Engineering Threats in Healthcare



Three Tips on How Healthcare CFOs Can Build a Cybersecurity-Centric Budget

CFOs need to take a proactive approach to prevent attacks and build up their defense, all while still meeting their financial goals. This responsibility falls squarely on the shoulders of CFOs. So, where should they start, given that measuring the returns on security investments is not straightforward?


How CFOs Can Plan Their Healthcare Cybersecurity Budget

CFOs are, understandably, numbers people. However, they cannot put a figure on the growing potential threat of cybersecurity attacks. We only know that attacks appear to be increasing in number and sophistication over time.

This makes it hard to measure the ROI of security investments, and that is not a position CFOs are happy to be in. But there are ways that they can measure cybersecurity success:

  1. Quantifying Their Cybersecurity Risk
  2. Optimizing Their Costs
  3. Benchmarking Their Progress Through Assessments


1. Quantifying Their Cybersecurity Risk

To quantify risk, CFOs must look at two major factors: their internal security position and the external threat landscape.

Internal Security Position

The first question for CFOs to ask themselves is how they measure risk. And what does success look like? 

They can start by defining important benchmarks and assigning key performance indicators (KPIs) across their security platform. For example, they can track the number of security incidents detected and mitigated, or the average time to catch and respond to threats. Or, for the savvy CFO, the percentage by which cybersecurity-related costs fall over time.

With these factors in mind, CFOs can make more informed decisions when it comes to using resources and goal-setting. Plus, tracking KPIs can give them insight into what is worth investing in to get the best ROI.

Once they have established the overarching plan, they can go deeper and start creating KPIs for any part of their strategy that they spend money on. In other words, CFOs have to manage both the strategy and the tactics. This will give them insight into how each area of investment is making an impact.

For one example, they could set KPIs for their Data Loss Prevention (DLP) system, such as:

  • the number of data leak incidents
  • the time to stop and control data leaks
  • how well it complies with data protection rules

As CFOs invest more, they should expect to see reduced data leak incidents, faster data leak control times, and improved compliance rates.
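As an added example (not code from the article or from Avertium), the script below computes the KPIs named above, the number of data leak incidents, the average time to detect and to contain them, and the rate at which the protection rules were actually enforced, from a handful of constructed DLP incident records, and then compares the latest quarter with the previous one so the trend is visible. The record layout, the field names and the incident data are all assumptions made for the example; a real DLP console will export different columns.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass(frozen=True)
class DlpIncident:
    """One hypothetical data-leak alert (constructed layout, not a vendor export)."""
    incident_id: str
    started: datetime        # when the leak began
    detected: datetime       # when the DLP tool raised the alert
    contained: datetime      # when the leak was stopped
    policy_enforced: bool    # True if the protection rule blocked/encrypted the data

    def __post_init__(self):
        # Reject records whose timestamps are out of order; averaging them
        # would silently produce negative detection or containment times.
        if not (self.started <= self.detected <= self.contained):
            raise ValueError(f"{self.incident_id}: timestamps out of order")


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample data: four incidents in Q1 2024, three in Q2 2024.
SAMPLE_INCIDENTS = [
    DlpIncident("I-1", _ts("2024-01-10 09:00"), _ts("2024-01-10 13:00"), _ts("2024-01-10 19:00"), False),
    DlpIncident("I-2", _ts("2024-02-02 08:00"), _ts("2024-02-02 10:00"), _ts("2024-02-02 13:00"), True),
    DlpIncident("I-3", _ts("2024-02-20 14:00"), _ts("2024-02-21 02:00"), _ts("2024-02-21 11:00"), False),
    DlpIncident("I-4", _ts("2024-03-05 10:00"), _ts("2024-03-05 12:00"), _ts("2024-03-05 14:00"), True),
    DlpIncident("I-5", _ts("2024-04-08 09:00"), _ts("2024-04-08 10:00"), _ts("2024-04-08 12:00"), True),
    DlpIncident("I-6", _ts("2024-05-15 16:00"), _ts("2024-05-15 19:00"), _ts("2024-05-15 21:00"), True),
    DlpIncident("I-7", _ts("2024-06-03 11:00"), _ts("2024-06-03 13:00"), _ts("2024-06-03 18:00"), False),
]


def quarter_of(ts: datetime) -> str:
    return f"{ts.year}-Q{(ts.month - 1) // 3 + 1}"


def compute_kpis(incidents) -> dict:
    """Incident count, mean time to detect, mean time to contain (hours), enforcement rate."""
    if not incidents:
        return {"incidents": 0, "mttd_hours": None, "mttc_hours": None, "compliance_rate": None}
    hours = lambda td: td.total_seconds() / 3600
    return {
        "incidents": len(incidents),
        "mttd_hours": mean([hours(i.detected - i.started) for i in incidents]),
        "mttc_hours": mean([hours(i.contained - i.detected) for i in incidents]),
        "compliance_rate": sum(i.policy_enforced for i in incidents) / len(incidents),
    }


def kpis_by_quarter(incidents) -> dict:
    buckets: dict = {}
    for inc in incidents:
        buckets.setdefault(quarter_of(inc.started), []).append(inc)
    return {q: compute_kpis(buckets[q]) for q in sorted(buckets)}


def trend(incidents) -> dict:
    """Compare the latest quarter with the one before it and flag whether each KPI improved."""
    per_quarter = kpis_by_quarter(incidents)
    quarters = sorted(per_quarter)
    if len(quarters) < 2:
        return {}
    prev, last = per_quarter[quarters[-2]], per_quarter[quarters[-1]]
    # Fewer incidents and shorter times are better; a higher enforcement rate is better.
    lower_is_better = {"incidents": True, "mttd_hours": True, "mttc_hours": True, "compliance_rate": False}
    report = {}
    for kpi, lower_better in lower_is_better.items():
        delta = last[kpi] - prev[kpi]
        report[kpi] = {
            "previous": prev[kpi],
            "latest": last[kpi],
            "delta": delta,
            "improved": delta < 0 if lower_better else delta > 0,
        }
    return report


if __name__ == "__main__":
    for quarter, kpis in kpis_by_quarter(SAMPLE_INCIDENTS).items():
        print(quarter, kpis)
    for kpi, row in trend(SAMPLE_INCIDENTS).items():
        print(f"{kpi}: {row['previous']:.2f} -> {row['latest']:.2f} ({'improved' if row['improved'] else 'worse'})")
```

With the constructed data, Q1 shows five hours to detect and five hours to contain with half of the incidents policy-enforced, while Q2 drops to two hours to detect and three to contain with two thirds enforced, which is the direction the article says investment should move these numbers. The point of the `trend` function is that a CFO can read the "improved" flag per KPI without interpreting raw timestamps.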

External Threat Landscape

CFOs may think evaluating the current threat landscape is too foreign. However, it is no different from any other careful business evaluation.

Aspects like sensitive patient information make the healthcare industry unique in its threats and challenges. As CFOs evaluate these threats, they can consider:

  • Healthcare breaches that have already happened (and what CFOs can learn from them)
  • Common external threats or weak spots
  • How other healthcare companies are preparing
  • Consulting with their CISO and other cybersecurity experts (especially in their industry)


2. Optimize Your Healthcare Organization's Costs

Optimizing your organization's costs starts with analyzing your cybersecurity investments. With KPIs in mind, see areas where your organization can enhance efficiency without compromising on your security standards. 

Your approach may vary, but cost-saving ideas include leveraging cloud-based solutions (rather than cumbersome on-prem solutions), outsourcing to Managed Security Service Providers (MSSPs) rather than hiring in-house staff, or consolidating your security stack for streamlined functionality and reduced overhead.


3. Benchmark Your Healthcare Organization's Progress

Of course, keeping track of your progress and adjusting as necessary is just as important as tracking KPIs and optimizing costs. Your organization can do this through a three-step assessment that thoroughly evaluates your cybersecurity tech investments. To break it down simply, your assessment should look like this:

  1. Discover phase: Start by conducting a detailed examination of your current cybersecurity position and maturity to determine where your security posture stands.

  2. Analysis phase: Once your organization's position is thoroughly examined, assess your healthcare business for potential security gaps against multiple frameworks and create a plan to remediate those gaps.

  3. Synthesis phase: Combining all of your information plus feedback from cybersecurity experts and stakeholders, create a clear roadmap of action that addresses every shortcoming, improves your posture, and aligns with future financial goals.

Or run your assessment based on a specific compliance framework. The best compliance assessment approach is to:

  1. Start with a control set that is deemed appropriate for your organization (such as HIPAA, HITRUST, etc.).

  2. Measure how well your organization is performing against one specific framework.

  3. Create a specific plan to adjust your security investments for maximum returns and the best possible bang for your buck. Again, keep in mind that your team will have to be both strategically minded and tactically efficient to succeed as you assess and adjust accordingly.
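The three steps above (pick a control set, measure against it, plan the spend) can be made concrete. The script below is an added example, not the article's or Avertium's assessment method: it scores a constructed control set with weighted implementation status, lists the gaps, and picks the remediations that buy the most weighted coverage per unit of cost within a fixed budget. The control identifiers (`CTRL-01` and so on), weights, statuses and costs are placeholders invented for the example and are not references to HIPAA, HITRUST or any real framework; the greedy selection is a simple heuristic, not an optimal allocation.

```python
from dataclasses import dataclass, replace
from enum import Enum


class Status(Enum):
    """How far a control is implemented; the value is the credit it earns."""
    IMPLEMENTED = 1.0
    PARTIAL = 0.5
    NOT_IMPLEMENTED = 0.0


@dataclass(frozen=True)
class Control:
    control_id: str        # placeholder identifier, not a real framework reference
    description: str
    weight: int            # 1 (low) .. 5 (critical), assigned by the assessor
    status: Status
    remediation_cost: int  # estimated cost to reach IMPLEMENTED, in thousands (constructed)


# Constructed sample assessment results for a hypothetical healthcare organization.
SAMPLE_CONTROLS = [
    Control("CTRL-01", "Encrypt PHI at rest", 5, Status.IMPLEMENTED, 40),
    Control("CTRL-02", "MFA for all remote access", 5, Status.PARTIAL, 20),
    Control("CTRL-03", "Quarterly user access reviews", 3, Status.NOT_IMPLEMENTED, 10),
    Control("CTRL-04", "Offline, regularly tested backups", 5, Status.NOT_IMPLEMENTED, 50),
    Control("CTRL-05", "Security awareness training", 2, Status.IMPLEMENTED, 5),
    Control("CTRL-06", "Centralized log retention (1 year)", 3, Status.PARTIAL, 30),
]


def framework_score(controls) -> float:
    """Weighted coverage of the control set, 0..100."""
    total = sum(c.weight for c in controls)
    achieved = sum(c.weight * c.status.value for c in controls)
    return 100.0 * achieved / total


def gaps(controls):
    """Controls that are not fully implemented, most critical first."""
    return sorted(
        (c for c in controls if c.status is not Status.IMPLEMENTED),
        key=lambda c: c.weight * (1 - c.status.value),
        reverse=True,
    )


def remediation_plan(controls, budget: int):
    """Greedy pick of gaps by weighted-coverage gained per cost unit, within budget."""
    def value_per_cost(c: Control) -> float:
        return c.weight * (1 - c.status.value) / c.remediation_cost

    chosen, spent = [], 0
    for c in sorted(gaps(controls), key=value_per_cost, reverse=True):
        if spent + c.remediation_cost <= budget:
            chosen.append(c)
            spent += c.remediation_cost
    return chosen, spent


def projected_score(controls, chosen) -> float:
    """Score the control set as if every chosen remediation were completed."""
    chosen_ids = {c.control_id for c in chosen}
    upgraded = [
        replace(c, status=Status.IMPLEMENTED) if c.control_id in chosen_ids else c
        for c in controls
    ]
    return framework_score(upgraded)


if __name__ == "__main__":
    print(f"current score: {framework_score(SAMPLE_CONTROLS):.1f}")
    for c in gaps(SAMPLE_CONTROLS):
        print(f"  gap {c.control_id} ({c.status.name}, weight {c.weight}): {c.description}")
    plan, spent = remediation_plan(SAMPLE_CONTROLS, budget=60)
    print(f"plan within budget 60: {[c.control_id for c in plan]} (spend {spent})")
    print(f"projected score: {projected_score(SAMPLE_CONTROLS, plan):.1f}")
```

On the constructed data the organization scores about 47.8 of 100, and a budget of 60 buys the access reviews, the MFA completion and the log retention work, lifting the projected score to about 78.3. Notice that the highest-weight gap (tested backups) is skipped because it does not fit the remaining budget after cheaper, higher-yield items; that is the trade-off the assessor should review by hand rather than accept blindly.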



Tools for Optimizing A Healthcare Organization’s Budget – How Microsoft MXDR Can Help Healthcare CFOs

With all of these considerations in mind, start thinking about specific tools to streamline this process. 


1. Microsoft Purview for Healthcare

We briefly mentioned Data Loss Prevention (DLP) systems earlier. DLP is a set of tools designed to keep sensitive information from leaving the organization through unauthorized channels. One example is Microsoft Purview, which is a worthwhile healthcare investment in protecting confidential patient information. Plus, it is designed to quickly aid in stopping and controlling a data leak incident in the event of a breach.

In fact, there is currently a 90-day Purview trial available for customers with a Microsoft 365 E3 license. Customers with a Microsoft 365 E5 license already have Purview included.


2. Microsoft 365 E5 for Healthcare

More comprehensive than Microsoft 365 E3, the E5 license includes everything E3 does plus advanced security (including Advanced Threat Protection and Azure Active Directory Premium P2), threat intelligence, compliance, and analytics features. While E3 licenses are better suited to keeping only the essentials at a lower cost, E5 licenses add a wealth of features and enhanced security that are ideal for larger organizations with bigger budgets.

However, merely owning E5 neither justifies the investment nor guarantees optimal cybersecurity outcomes. If your organization is concerned about unlocking the full potential of Microsoft E5, then Microsoft MXDR might be worth the security investment.


3. Microsoft MXDR for Healthcare

Microsoft Managed Extended Detection and Response (MXDR) is a service that combines a comprehensive suite of Microsoft tools with support and expert analysis. MXDR can detect, respond to, and mitigate cybersecurity threats, and comes with the support of dedicated security expertise to ensure your organization gets the maximum value out of the platform. In other words, leveraging the full suite is challenging without the help of experienced security experts who enable your organization to make the most of its advanced features (and your investment).

Related Resource: Simplify Data Governance in Healthcare with Microsoft Purview: A Strategic Guide for Security Professionals




Balancing your cybersecurity budget and meeting organizational goals is no small feat. But, as a CFO, you’re uniquely qualified to improve your overall security position with the right healthcare security budget, thereby preventing costly breaches.

If this process still sounds daunting, keep in mind that you can outsource your security solution implementation to an experienced MSSP to help navigate your unique security challenges more effectively.

Reach out to Avertium today to learn how we can make implementation as straightforward as possible for your organization.

