
How healthcare CISO responsibilities are evolving

The healthcare CISO role involves more fiduciary responsibility and cybersecurity accountability than in years past.

The role of healthcare CISOs, or chief information security officers, has continuously evolved to match the volatile cyberthreat landscape and growing pressure to reduce cyber-risk in healthcare.

CISOs are often tasked with overseeing security operations, preventing and responding to cyberattacks, and translating cyber-risk for the C-suite and board. While the responsibilities of healthcare CISOs vary by organization, research shows that the scope of the CISO role across all industries is expanding.

With that expanded scope comes additional responsibility and accountability when security incidents inevitably occur. From regulatory scrutiny to enhanced board expectations, the role of the healthcare CISO is undoubtedly evolving.

Healthcare CISOs take on more fiduciary responsibility

According to a 2025 report from IANS and Artico Search, approximately 39% of surveyed CISOs across all industries are at the vice-president level or higher, compared to 35% two years ago. What's more, half of surveyed CISOs reported quarterly or monthly engagement with the board.

CISOs' proximity to the C-suite and board varies by organization, but they are increasingly getting a seat at the table when it comes to making business decisions.

"The chief information security officer function has been elevated -- it used to be the department of 'no,'" said Michael Hamilton, field CISO at Lumifi. "Then it was, do your job, don't hit the radar. Now, there's finally an invitation to talk at a business level."

CISOs having more board and C-suite visibility shows that security is becoming a bigger priority for business leaders, who are turning to their security teams for guidance on how to prevent cyberattacks and ultimately save money.

"Now, in my conversations with healthcare professionals, they know that what they're trying to avoid are business outcomes, unauthorized disclosure of protected records, theft, extortion and disruption," Hamilton stated.

"Every one of those has a price tag associated with it. And so now it's become more of a fiduciary responsibility than the cyber people just trying to plug the holes. That's been a good evolution."

While some CISOs are embracing this expanded scope, others are navigating misalignment with the C-suite. A 2024 Trellix report, which consisted of survey responses by CISOs across several industries, including healthcare, revealed that 59% of surveyed CISOs feel their views are misaligned with those of their chief information officer and CEO.

Nearly 85% of the surveyed CISOs reported believing that the role needs to be split into two functions -- one to tackle technical challenges, and the other to take on business-focused tasks.

As CISOs increasingly take on more responsibility for business outcomes, they are also facing increased attention from regulators, who want answers from them when large data breaches and cyberattacks occur.

Regulatory proposals put spotlight on cybersecurity accountability

In September 2024, lawmakers introduced the Health Infrastructure Security and Accountability Act (HISA), with the goal of establishing minimum and enhanced security requirements for healthcare entities.

The passage of HISA is uncertain under the new administration. Additionally, new HIPAA Security Rule updates have since been proposed.

However, certain provisions of HISA suggest that increased corporate accountability is top-of-mind for lawmakers, and CISOs are no exception.

For example, HISA states that an individual who submits or causes to be submitted any of the required documentation under HISA knowing that the documentation contains false information, or willfully fails to submit that documentation in a timely manner, faces felony charges. Upon conviction, this individual could be fined up to $1 million as well as imprisoned for up to 10 years.

The required documentation within HISA includes an annual documented security risk analysis and independent security compliance audits. Essentially, healthcare cybersecurity leaders who knowingly submit false documentation of their security practices, or who willfully fail to submit it, are subject to charges and jail time.

With healthcare CISOs often playing a pivotal role in establishing and documenting security controls, thorough documentation of those controls is crucial to protecting both the business and the CISO personally, even if HISA does not move forward.

What healthcare CISOs can do now to mitigate risk

The potential passage of legislation that could enhance executive accountability, as well as the growing focus on cyber resilience in healthcare, has pushed healthcare cybersecurity leaders to focus more on locking down documentation processes, Hamilton suggested.

"Because if they're going to audit you to find out whether you're doing the right things, you have to produce artifacts that prove that this control is in place and it's effective. There's a whole lot of work going on to be able to establish that these controls are in place," Hamilton said.

"Part of that is the acknowledgment that this legislation might pass, but part of it is just because in today's world, everybody has to show everybody else your security papers, and having a good set of documented controls provides in some states a little bit of a safe harbor so that you don't end up with that class action suit."

As the role of the CISO expands and healthcare data breaches continue to reach record numbers, healthcare organizations must make sure that they can survive scrutiny.

"That's what CISOs are doing right now. They're making sure that they can defend their programs," Hamilton noted.

Healthcare organizations can look to the National Institute of Standards and Technology Cybersecurity Framework and HIPAA for guidance on how to implement and document security practices.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
