
Building a strong cyber security culture in the healthcare sector

  • Writer: Christiane Wuillamie
  • Feb 11, 2025


Cyber attacks on healthcare institutions are rising fast, with high costs and serious consequences.

This case study explains how hospitals can strengthen cyber resilience by focusing on culture — not just technology — and by making cyber security an enterprise-wide responsibility, from trustees and senior leadership to every staff member.

The scale of the challenge

Healthcare is a prime target for cybercrime.

Ransomware, data theft and operational disruption are increasing in the healthcare sector. Successful attacks have stolen patient records, triggered multimillion-dollar recovery costs and exposed organisations to regulatory and legal action. Legacy systems, stressed and overworked staff, and often limited cyber investment contribute to the sector’s exposure.

Why technology alone is not enough

Cyber security is still treated as a technical issue.

Hospitals often view cyber security through a narrow lens of firewalls, patching, and perimeter defence, without addressing the organisational conditions that shape risk behaviours and response. As the case study highlights, this leaves critical gaps — especially when staff are fatigued, reporting is low, and Boards lack deep cyber understanding.

Defining core hospital cyber risks

Multiple factors combine to create vulnerability.

The PDF identifies common risks in healthcare settings:

  • Cyber security seen as a technology issue

  • Weak board understanding of cyber risk

  • Unsafe IoT medical devices

  • Legacy IT systems

  • Non-mandatory cyber training

  • Fatigue and stress among clinical staff

  • Special access demands from doctors

  • Weak data backup and recovery plans

These systemic drivers mirror the real work context and create pressures that technology alone cannot mitigate.

Culture is the best firewall

A statement of organisational accountability.

A quote from the case study makes the shift in perspective clear:

“Cyber threats are a mirror of the entire organisation, not just the cyber security function.” Christiane Wuillamie OBE 

This reframing helps leaders see cyber security not as an IT problem, but as an enterprise risk requiring shared accountability.

Building a cyber security culture in healthcare

Strategic actions that matter.

The case study sets out a series of practical elements that strong healthcare organisations adopt:

  • Identify systemic cyber risk using data and culture mapping to reveal hidden drivers

  • Board commitment to cyber governance, including cyber training for trustees

  • Engaging business leaders and clinicians in risk discussions, not just IT staff

  • Risk management design for security embedded in core processes

  • Internal communications to improve cross-function coordination

  • Securing the supply chain through oversight of partners and vendors

  • Employee care and training, including home/work environment security

  • Linking cyber security to business priorities so risk is visible and managed alongside clinical and operational goals

These practices move cyber security from a checklist to a governed organisational system.

Leadership and accountability

Everyone must be responsible.

Another expert quote reinforces this enterprise view:

“Every function must become cyber-responsible. To blunt cybercrime, we must adopt a culture of rigorous cyber hygiene.” Rick McElroy, Cyber Security Strategist, VMware 

In healthcare, that means trustees, administrators, clinicians and support staff all play a role in reducing exposure and improving rapid response.

What leaders should take from this

A culture focus strengthens outcomes.

Boards and executives in healthcare should:

  • Treat cyber security as core to organisational strategy

  • Commit to cultural practices that shape secure behaviours

  • Use analytics and mapping to uncover causal risks

  • Engage leaders across functions to reduce silos

  • Make cyber performance visible through leading indicators

This approach aligns with broader healthcare goals — protecting patients, data, trust and operational continuity.

Key topics covered in this article

  • Rising cybercrime in the healthcare sector

  • Core systemic risks in hospital environments

  • Why technology alone does not suffice

  • Reframing cyber security as enterprise accountability

  • Practical elements of a strong cyber security culture

  • Leadership roles in shaping secure practice

  • Cultural drivers that enable or hinder resilience

About PYXIS Culture Technologies

PYXIS Culture Technologies helps organisations understand and improve the cultural drivers of performance, safety, and cyber resilience.

By combining deep research, operational experience, and advanced culture analytics, we help organisations close the gap between strategy and everyday behaviour.

Our approach is effective:

  • We treat culture as a systemic business issue, not an HR initiative.

  • We identify key internal business practices that create cyber security risks and provide effective solutions you can immediately implement.

  • We link your cyber security culture to business financial metrics, showing a clear ROI for strengthening your cyber security culture.


Connecting the dots

For more information or to request a demo on how mapping culture drivers can improve business results, contact us here.


