Health systems urged to put cyber resilience on board agenda

BCG says attacks threaten patient care.

Health care providers should treat cyber resilience as a board-level priority as hospitals become more digital and interconnected, with cyber attacks increasingly threatening patient care and business continuity, according to Boston Consulting Group.

The report argued that the risks are relevant across health systems because the sector remains a prime target for attackers, whilst many organisations still lag in cyber maturity.

It said medical records are worth four times as much as social security numbers, and only 13% of health care organisations have reached an advanced cyber maturity level, compared with 29% of technology companies and 22% of banks.

BCG said the operational impact of a major attack can be severe. Citing the 2024 Change Healthcare ransomware incident in the United States, it said 74% of hospitals surveyed reported direct patient impact, including treatment delays, whilst 60% took weeks to months to fully recover, underscoring how quickly disruption can spread through critical health infrastructure.

The consultancy said boards need to move cyber discussions beyond technical updates and focus instead on whether essential services can continue during an incident.

Yet only 27% of boards regularly discuss cybersecurity, it said, even though maintaining patient care, restoring key systems quickly, and managing disruption across clinical and operational teams now require enterprise-wide oversight.

BCG said the most resilient organisations identify mission-critical services in advance, test recovery plans under pressure, and set clear restoration priorities.

It added that stronger preparation can reduce breach costs, citing research from IBM Security and the Ponemon Institute showing that organisations with high levels of incident-response planning and testing saved about $1.5m compared with those with low levels.

Third-party exposure is also a growing risk, the report said, with nearly one in six health care breaches originating outside the organisation.

BCG said providers need tighter oversight of vendors, connected devices and other external partners, arguing that cyber resilience should now be treated as a core patient safety and governance issue rather than a narrow IT function.