Across U.S. healthcare, breaches and business disruption are now routine headlines—but the most stubborn risks aren’t purely technical. They stem from how organizations feel and function under relentless pressure: fatigue among leaders and staff, governance gaps that linger, and compliance mindsets that prioritize checklists over risk. This Executive Brief distills how those human and organizational factors are shaping cybersecurity outcomes—and what boards and executive teams can do next.
Why fatigue has become a strategic risk
Cyber operations in hospitals and health systems run at a sprint. Security teams face expanding attack surfaces (EHRs, imaging archives, payer connections, third-party apps), nonstop phishing, and complex vendor ecosystems—often with fewer people than they need. Meanwhile, breaches keep escalating in scale and cost. IBM’s industry analysis again finds healthcare with the highest average breach cost among all sectors, intensifying burnout and driving reactive decision-making.
Fatigue invites shortcuts—delayed patching, deferred network segmentation, and “temporary” exceptions that persist for months. It also drives turnover, which in turn weakens institutional memory (“Why was this firewall rule here?”) and widens exposure windows.
What insiders are saying
Recent coverage has captured blunt assessments from practitioners and leaders. In a widely discussed Wall Street Journal roundup, readers with sector experience pointed to persistent technical debt, minimal auditing, and operational realities that favor attackers. Representative remarks included: “Hospitals can’t afford downtime,” and “technical debt… applications years past due for upgrades.” (WSJ) These reflections mirror what many CISOs report privately: even well-intentioned programs struggle when legacy systems, staffing, and budget cycles collide.
Compliance isn’t the same as readiness
Compliance pressure is real and rising. But an overemphasis on documentation can eclipse operational resilience. A program may pass an audit yet remain vulnerable to the very threats driving today’s losses—credential compromise, lateral movement, and supply-chain exposure. The data bears this out: monthly breach tallies remain elevated, with June 2025 alone exposing PHI for more than 7.6 million individuals. Put plainly, paperwork does not stop ransomware.
Breaches at unprecedented scale magnify the stakes
The Change Healthcare incident underscored how interdependent—and brittle—healthcare operations can be. HHS notes approximately 192.7 million individuals affected, with wide-ranging operational and financial fallout documented across 2024–2025 reporting. For boards, the lesson is clear: cyber risk has migrated from IT to enterprise risk, with direct implications for care continuity, revenue cycle, and reputation.
Five fatigue drivers executives should address
- Technical debt and legacy systems. Unsupported OS versions, unpatchable medical devices, and “temporary” network workarounds create permanent risk. Fatigue grows as teams babysit brittle systems.
- Vendor and data sprawl. Hundreds of integrations and third parties expand the attack surface beyond direct control. Contracts often lack enforceable security obligations and response SLAs.
- Resource and talent constraints. Security headcount lags behind operational demand. Hiring and retaining cloud, identity, and incident response talent remains challenging.
- Compliance-first culture. Passing audits can mask substantive gaps in segmentation, identity controls, and detection/response maturity.
- Frontline burnout. Clinicians and back-office teams overwhelmed by change fatigue are more likely to click, reuse passwords, or bypass controls to keep work moving.
Signals that fatigue is eroding security
- Repeated emergency changes (after-hours firewall rules, ad-hoc exceptions) with no follow-up removal.
- Extended patch windows for mission-critical systems and vendor-managed devices.
- Stagnant segmentation projects stuck in assessment, never reaching enforcement.
- Rising third-party incidents with limited contractual leverage or visibility.
- Audit pass, breach fail: clean checklists but recurring credential-theft and lateral-movement findings.
Leadership actions to break the cycle
Fatigue is solvable when leaders reframe the work and focus on a few levers with outsized impact:
- Re-center on operational outcomes. Set board-level objectives tied to business resilience (e.g., “isolate and contain ransomware in under 60 minutes”) rather than purely policy completion.
- Fund the identity and segmentation core. Prioritize privileged access management, strong MFA everywhere feasible, and enforceable network segmentation to constrain blast radius. CISA’s ransomware guide and healthcare-specific advisories provide concrete controls and response checklists.
- Right-size third-party risk. Require security addenda with measurable controls (MFA, encryption, logging), evidence of testing, and clear incident reporting timelines. Use termination-for-cause language when controls lapse.
- Close the loop on exceptions. Mandate expiry dates, executive sponsors, and monthly reviews for all security exceptions to prevent “forever exemptions.”
- Make fatigue visible. Track leading indicators (patch age, exception count, phishing click rates, MTTD/MTTR) and tie resourcing to risk reductions, not to ticket volume.
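The "signals" list above and the leadership actions (exception expiry, leading indicators such as patch age and MTTD/MTTR, a board-level containment target) can be turned into a small scorecard that runs over exported records. The following is an added example, not code from the brief or from any named organization; the records, thresholds (30-day review cadence, 30-day patch age for tier-1 systems, 60-minute containment target) and field names are constructed assumptions that a real program would replace with exports from its GRC tool, change system, patch scanner and incident tracker.

```python
from datetime import date, datetime
from statistics import mean

# Constructed reporting date so the scorecard is deterministic (assumption).
AS_OF = date(2025, 7, 1)

# Constructed sample records; field names are assumptions, not a real tool's schema.
EXCEPTIONS = [
    {"id": "EXC-001", "control": "MFA on remote access", "sponsor": "CFO",
     "expires": date(2025, 6, 1), "last_review": date(2025, 3, 1)},
    {"id": "EXC-002", "control": "Segmentation of imaging VLAN", "sponsor": None,
     "expires": date(2025, 12, 31), "last_review": date(2025, 6, 20)},
    {"id": "EXC-003", "control": "EDR on lab PCs", "sponsor": "CMIO",
     "expires": date(2025, 9, 30), "last_review": date(2025, 6, 25)},
]
CHANGES = [
    {"ticket": "CHG-100", "emergency": True, "removal_ticket": None},
    {"ticket": "CHG-101", "emergency": True, "removal_ticket": "CHG-105"},
    {"ticket": "CHG-102", "emergency": False, "removal_ticket": None},
]
PATCHES = [
    {"system": "ehr-app-01", "tier": 1, "last_patched": date(2025, 6, 15)},
    {"system": "pacs-archive", "tier": 1, "last_patched": date(2025, 2, 1)},
    {"system": "hr-portal", "tier": 3, "last_patched": date(2025, 1, 10)},
]
INCIDENTS = [
    {"id": "INC-1", "started": datetime(2025, 6, 3, 2, 0),
     "detected": datetime(2025, 6, 3, 2, 45), "contained": datetime(2025, 6, 3, 4, 15)},
    {"id": "INC-2", "started": datetime(2025, 6, 20, 14, 0),
     "detected": datetime(2025, 6, 20, 14, 15), "contained": datetime(2025, 6, 20, 14, 50)},
]


def stale_exceptions(exceptions, as_of=AS_OF, review_days=30):
    """Flag 'forever exemptions': expired, unsponsored, or not reviewed recently."""
    flagged = {}
    for e in exceptions:
        reasons = []
        if e["expires"] < as_of:
            reasons.append("expired")
        if not e["sponsor"]:
            reasons.append("no sponsor")
        if (as_of - e["last_review"]).days > review_days:
            reasons.append("review overdue")
        if reasons:
            flagged[e["id"]] = reasons
    return flagged


def unreverted_emergency_changes(changes):
    """Emergency changes (after-hours rules, ad-hoc bypasses) with no follow-up removal."""
    return [c["ticket"] for c in changes if c["emergency"] and not c["removal_ticket"]]


def overdue_patches(patches, as_of=AS_OF, max_age_days=30, tier=1):
    """Patch age in days for systems at or above the given tier that exceed the limit."""
    ages = {p["system"]: (as_of - p["last_patched"]).days for p in patches if p["tier"] <= tier}
    return {name: age for name, age in ages.items() if age > max_age_days}


def mttd_mttr_minutes(incidents):
    """Mean time to detect (start->detected) and to contain (detected->contained), in minutes."""
    detect = [(i["detected"] - i["started"]).total_seconds() / 60 for i in incidents]
    contain = [(i["contained"] - i["detected"]).total_seconds() / 60 for i in incidents]
    return mean(detect), mean(contain)


def board_scorecard(as_of=AS_OF, contain_target_min=60):
    """Assemble the leading indicators a board can review in one view."""
    mttd, mttr = mttd_mttr_minutes(INCIDENTS)
    return {
        "stale_exceptions": stale_exceptions(EXCEPTIONS, as_of),
        "unreverted_emergency_changes": unreverted_emergency_changes(CHANGES),
        "overdue_tier1_patches": overdue_patches(PATCHES, as_of),
        "mttd_min": mttd,
        "mttr_min": mttr,
        "containment_target_met": mttr <= contain_target_min,
    }


if __name__ == "__main__":
    for key, value in board_scorecard().items():
        print(f"{key}: {value}")
```

On the constructed data the scorecard flags one expired and unreviewed exception, one exception with no executive sponsor, one emergency change never reverted, a tier-1 archive 150 days behind on patching, and a mean containment time of 62.5 minutes that misses the 60-minute target. The point is that each line item maps to a decision the executive team can fund or enforce, which is what separates a resilience metric from an audit artifact.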
Measure what matters at the board level
Boards should demand concise metrics that show whether controls are working under stress: time to isolate infected endpoints, percentage of high-value systems behind enforced segmentation, privil