
Healthcare cybersecurity has a burnout problem, and it’s affecting risk

Healthcare cybersecurity burnout isn't just an HR issue, it's a patient safety risk. Here's what leaders need to measure and why it matters.
By admin
Apr 6, 2026, 10:23 AM

Healthcare cybersecurity leaders are under increasing pressure to defend complex systems while operating inside already strained clinical environments. The result is a growing mismatch between expectations and human capacity — one that is beginning to affect how cyber risk is managed.

The industry often describes people as the weakest link in cybersecurity. In healthcare, that framing may be incomplete. Security teams are operating in environments defined by staffing shortages, high alert volumes, and continuous operational pressure. Under those conditions, performance degradation is not an exception. It is predictable.

The Change Healthcare cyberattack disrupted operations nationwide and forced hospitals into manual processes. An American Hospital Association survey found that nearly three-quarters of hospitals reported patient care disruption. The response required sustained effort from IT, cybersecurity, and clinical operations teams, many of whom were already operating at capacity.

A 2025 survey from The Physicians Foundation found continued high levels of physician burnout. A study in JMIR Medical Informatics linked EHR-related workload to significantly higher burnout rates. These findings highlight how technology design and workload distribution shape performance.

Cybersecurity teams face similar pressures but are often excluded from that conversation. Digital Health Insights has reported that 73% of CISOs experienced burnout in the past year, based on data from ISC2 and Proofpoint. These roles carry increasing accountability for outcomes that extend beyond IT into clinical continuity and enterprise risk.

Cybersecurity burnout is better understood as an operational design issue rather than an individual performance failure. In high-pressure environments, fatigue rarely shows up as an obvious breakdown. Instead, it appears in more subtle ways: delayed escalation, reduced signal detection, and slower decision-making. That makes it easy to miss until the consequences are already unfolding.

At the same time, a measurement gap sits at the center of the problem. Organizations apply rigorous discipline to monitoring their technical systems, but rarely extend that same rigor to the human conditions under which those systems are defended.

Several emerging metrics could help close that gap:

  • Frequency of after-hours escalations
  • Volume of nonactionable alerts
  • Duration of incident-related overtime
  • Number of handoffs during high-severity events
  • Time to recovery following major incidents

The Agency for Healthcare Research and Quality identifies fatigue as a contributor to reduced cognitive performance, including slower response times and impaired decision-making — effects that are particularly consequential in roles requiring sustained attention and rapid triage.

Healthcare cybersecurity also operates within a high-cost risk environment. IBM has consistently ranked healthcare as the most expensive sector for data breaches, and prolonged detection and containment timelines increase both financial and operational impact.

In this context, some leaders are beginning to focus on cyber wellness – an operational approach to maintaining performance under sustained demand. The concept emphasizes workload design, alert reduction, staffing flexibility, and structured recovery following major incidents.

For healthcare executives, this approach shifts attention toward measurable indicators of strain: after-hours workload patterns, escalation frequency, alert-to-action ratios, and reliance on manual processes during incidents.
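Several of the indicators named above can be computed from alert and incident records a security operations team already exports. The script below is an added example, not part of the original article; the record fields, the 08:00-18:00 weekday definition of business hours, and all sample values are assumptions constructed for illustration.

```python
from datetime import datetime

# Constructed sample data; field names and values are assumptions for illustration.
ALERTS = [
    {"ts": "2026-03-02T09:15", "actionable": True,  "escalated": True},
    {"ts": "2026-03-02T23:40", "actionable": False, "escalated": True},
    {"ts": "2026-03-03T02:05", "actionable": True,  "escalated": True},
    {"ts": "2026-03-03T14:30", "actionable": False, "escalated": False},
    {"ts": "2026-03-04T10:00", "actionable": False, "escalated": False},
    {"ts": "2026-03-07T11:00", "actionable": False, "escalated": True},
]
INCIDENTS = [
    {"id": "INC-A", "severity": "high", "owners": ["ana", "raj", "raj", "lee"], "overtime_h": 14.5},
    {"id": "INC-B", "severity": "low",  "owners": ["lee", "ana"], "overtime_h": 2.0},
    {"id": "INC-C", "severity": "high", "owners": ["raj"], "overtime_h": 6.0},
]

def is_after_hours(ts, start_hour=8, end_hour=18):
    """Assumed definition: weekends, or outside 08:00-18:00 local time."""
    t = datetime.fromisoformat(ts)
    return t.weekday() >= 5 or not (start_hour <= t.hour < end_hour)

def handoffs(owners):
    """Count ownership changes in the ordered list of incident owners."""
    return sum(1 for a, b in zip(owners, owners[1:]) if a != b)

def strain_metrics(alerts, incidents):
    actionable = sum(1 for a in alerts if a["actionable"])
    return {
        "after_hours_escalations": sum(
            1 for a in alerts if a["escalated"] and is_after_hours(a["ts"])),
        "nonactionable_alerts": len(alerts) - actionable,
        # None when nothing was actionable: the ratio is undefined, not zero.
        "alerts_per_action": len(alerts) / actionable if actionable else None,
        "high_sev_handoffs": sum(
            handoffs(i["owners"]) for i in incidents if i["severity"] == "high"),
        "overtime_hours": sum(i["overtime_h"] for i in incidents),
    }

if __name__ == "__main__":
    for name, value in strain_metrics(ALERTS, INCIDENTS).items():
        print(f"{name}: {value}")
```

Tracking these values per week or per on-call rotation, rather than as a single total, is what makes a rising trend visible.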

If cybersecurity performance is influenced by workload and fatigue, managing those variables becomes part of managing risk. That doesn’t replace technical controls — but it does expand how resilience is defined. In healthcare environments where cyber incidents can disrupt care delivery, workforce conditions are not separate from security outcomes. They are increasingly part of them.

The path forward is concrete. Healthcare organizations already have the data, operational visibility, and leadership frameworks to act. The question is whether they will expand their definition of cybersecurity risk to include the conditions under which their teams operate. Addressing burnout is not a cultural initiative. It is a strategic imperative tied directly to resilience, response capability, and patient safety. Leaders who integrate human performance into their risk models will be better positioned to sustain operations under pressure. Those who do not may find that the gap between capability and capacity becomes their most significant vulnerability.

