Leadership Health Care (LHC), a Nashville Health Care Council program for emerging leaders, Cohorts provide the participants an opportunity to engage in a peer mentoring program facilitated by an experienced healthcare executive. Throughout six cohort sessions, participants discuss substantive topics around a common focus area to enhance their knowledge and leadership skills.
Why IT and Cybersecurity Should Be Separate Functions in Large Healthcare Organizations: Insights from Paul Connelly
In today’s healthcare landscape, cybersecurity has become a critical priority as threats to patient data and organizational operations continue to escalate. Paul Connelly, Former CISO, Technical Advisor, Educator, & Board Member advocates for separating cybersecurity from IT in large healthcare organizations. In this LHC Cohort, Connelly shares why this separation is essential, explaining how it fosters better decision-making, reduces risks, and strengthens vendor management.
Conflicting Priorities: IT vs. Cybersecurity
One key reason for separating IT and cybersecurity is the difference in their objectives. IT teams prioritize system uptime, rapid technology deployment, and customer satisfaction, while cybersecurity teams focus on data protection, compliance, and risk mitigation. As Connelly puts it, “There are times where cybersecurity and IT are at odds. The head of IT prioritizes uptime and speed, while cybersecurity focuses on protecting the system—those objectives don’t always align.”
“There are times where cybersecurity and IT are at odds. The head of IT prioritizes uptime and speed, while cybersecurity focuses on protecting the system—those objectives don’t always align.” – Paul Connelly, Former CISO, Technical Advisor, Educator, & Board Member.
By creating separate departments, organizations allow cybersecurity to operate independently of IT’s operational demands. This structure empowers cybersecurity teams to flag risks without being overshadowed by IT’s goals, resulting in more balanced decision-making.
Constructive Conflict and Accountability
Another advantage of separating the two functions is that it promotes more open, constructive discussions. When IT and cybersecurity teams are equal partners, risk-related conversations become more transparent and actionable. Connelly explains, “If the CIO is your boss, it’s challenging to tell the CEO, ‘We have a big risk that’s not being addressed.’ But when cybersecurity is a peer to IT, those conversations can happen more freely.”
Separation also improves budgeting accountability. Tying cybersecurity’s budget to IT can lead to cuts that jeopardize security. For instance, if a company misses its financial targets for two consecutive quarters, the IT budget is often one of the first to be reduced. This is because IT typically represents a large portion of the overall budget and can absorb a cut. However, cybersecurity, which usually accounts for only 4-8% of the IT budget, feels the impact of these reductions more significantly.
Cybersecurity’s Expanding Scope
In large healthcare organizations, cybersecurity often extends beyond the traditional scope of IT. Responsibilities such as securing medical devices, which are managed by clinical departments, fall under the domain of cybersecurity. This broader responsibility highlights the need for cybersecurity to have its own mandate and authority, separate from IT, to effectively manage these critical areas.
This division becomes even more crucial during incident responses. When IT and cybersecurity work as separate entities, they bring unique perspectives to investigations, ensuring a fuller understanding of security breaches and more effective responses.
Shared Responsibility: Elevating Standards Across the Ecosystem
As healthcare organizations increasingly rely on third-party vendors, cybersecurity has become a shared responsibility across the entire ecosystem. Hospitals, health plans, and vendors all play critical roles in safeguarding patient data and systems. This increased focus on accountability is transforming vendor interactions with healthcare systems, requiring all vendor contracts to pass through risk management to ensure they meet stringent security standards. This shift helps elevate security practices across the board, making it more challenging for vendors but ultimately strengthening the overall system.
Connelly highlighted that this shared responsibility goes beyond the organization itself—larger healthcare providers must help their smaller partners and vendors improve their security practices. If smaller organizations experience a breach, the effects can ripple through the entire system. He emphasizes, that there’s a shared responsibility in healthcare. Larger organizations need to help their smaller partners improve their security practices. Hospitals and health plans are now requiring vendors to meet security standards before doing business – raising the bar for everyone.
By encouraging smaller providers to adopt industry-standard frameworks like the 405D, which outlines foundational security controls for organizations of all sizes, healthcare can collectively raise its cybersecurity standards. This collaborative approach strengthens the entire ecosystem, creating a safer, more resilient system for all.
Cybersecurity’s Role in Acquisitions
Connelly also discussed the growing importance of cybersecurity in healthcare acquisitions. In the past, security was often an afterthought, only addressed once a deal had closed, which led to last-minute efforts to resolve security concerns. Today, leadership teams recognize the need to integrate cybersecurity early in the acquisition process, ensuring that security costs and requirements are accounted for within the acquisition budget. This proactive approach helps mitigate risks and ensures that cybersecurity is fully embedded in all operational aspects from the beginning.
What The Future Holds for IT and Cybersecurity
The separation of IT and cybersecurity in large healthcare organizations is essential for better decision-making, stronger risk management, and improved vendor accountability. As cybersecurity becomes a shared responsibility across hospitals, health plans, and vendors, the healthcare industry will be better equipped to manage growing security threats. By integrating cybersecurity into acquisitions and standardizing practices through frameworks like 405D, healthcare organizations can build a more secure, resilient ecosystem that protects both patient data and operational integrity.
The Next Generation of Healthcare Leaders
Leadership Health Care’s mission is to cultivate talented healthcare professionals into the industry leaders of tomorrow. LHC aims to provide young professionals with ongoing opportunities to develop their knowledge of the healthcare industry through educational events and networking opportunities. Fill out this form to learn more about LHC.