Hospitals boost cyber budgets

- Healthcare organizations are raising cybersecurity spending, while hospital executives and industry reports say qualified security workers remain difficult to recruit and retain.
- HIMSS data cited by Chief Healthcare Executive said healthcare organizations spent an average 7% of IT budgets on cybersecurity, up from 6%.
- Clearwater’s healthcare private-equity cyber benchmark and 405(d)-based assessments remain available through the company’s investor and case-study materials.

Healthcare providers are spending more on cybersecurity, but many still do not have enough people to run and defend the systems they buy. Industry coverage from Chief Healthcare Executive and benchmark material from Clearwater Security show hospitals and healthcare investors putting more money into cyber programs while struggling with hiring, retention and governance. The result is a more practical shift in how health systems talk about security: fewer discussions about adding headcount alone, and more focus on standardizing controls, reducing exposure and making vendor oversight easier to manage.

That pattern has been visible across multiple healthcare IT surveys and case studies. Chief Healthcare Executive reported that hospitals are increasing cyber budgets, but many executives still describe the labor market for experienced security staff as tight. Clearwater, which advises healthcare organizations and investors, has published portfolio-level examples showing firms using the federal 405(d) Health Industry Cybersecurity Practices framework to benchmark and standardize cyber risk across multiple companies.

### Why are hospitals spending more if staffing is still short?

Chief Healthcare Executive reported that healthcare organizations are putting a larger share of IT budgets into cybersecurity even as hiring remains difficult. In one HIMSS-based report cited by the publication, healthcare organizations were spending an average of 7% of IT budgets on cybersecurity, up from 6% in prior years. The same coverage said many hospitals were still struggling to recruit and retain qualified cybersecurity workers. (chiefhealthcareexecutive.com)

The publication also quoted industry participants describing the workforce problem as broader than healthcare alone. Cliff Steinhauer of the National Cybersecurity Alliance told Chief Healthcare Executive that cybersecurity hiring is a worldwide issue, and Limor Kessem of IBM Security said healthcare competes with other sectors for the same skilled workers. (chiefhealthcareexecutive.com)

### What does the staffing shortage change inside health systems?

Healthcare executives interviewed by Chief Healthcare Executive said budget growth does not automatically translate into larger internal teams. A March 2025 report from the publication said some hospitals were increasing spending on tools and technology rather than staff, and some organizations were not certain how much they were spending overall on cybersecurity. (chiefhealthcareexecutive.com)

That leaves security leaders looking for ways to simplify operations. Chief Healthcare Executive’s coverage and opinion pieces describe pressure to get more value from existing tools, tighten patching and basic controls, and consider outsourcing or managed services where internal teams are stretched. (chiefhealthcareexecutive.com)

### How does 405(d) show up in portfolio-wide cyber programs?

Clearwater said its healthcare private-equity cyber benchmark report uses actual 405(d) HICP assessments to compare portfolio companies against industry benchmarks. The firm’s March 12, 2025 announcement described the report as a first-of-its-kind look at cybersecurity performance among private-equity-backed healthcare companies. John Santana, a Clearwater principal consultant and lead author of the benchmark report, is identified in Clearwater materials as supporting portfolio-level cyber risk management and governance tied to HIPAA, HITRUST and 405(d). (chiefhealthcareexecutive.com) Those materials frame cyber work at the portfolio level as a repeatable process of assessment, benchmarking and governance rather than a separate project at each company. (clearwatersecurity.com)

### What does that mean for technology architecture?

Healthcare organizations with limited security staff tend to favor architectures that are easier to operate and govern. Chief Healthcare Executive’s reporting on hospital cyber readiness points to recurring weaknesses in patching, basic controls and program maturity, while Clearwater’s portfolio materials emphasize standardization and benchmark-driven remediation. (go.clearwatersecurity.com)

In practice, that pushes attention toward reducing the number of systems that need separate oversight, tightening third-party access, and using common frameworks to compare risk across hospitals, clinics or portfolio companies. Clearwater continues to offer its healthcare private-equity benchmark materials, and Chief Healthcare Executive has continued publishing healthcare cyber coverage, including a May 22, 2026 report that healthcare remains a prime target for attacks. (clearwatersecurity.com) (chiefhealthcareexecutive.com)
