
Healthcare Security Comp and Budgets Decline: Access Key Report Data and Trends
A little more than a year ago, a ransomware attack on UnitedHealth-owned Change Healthcare affected approximately 190 million individuals, causing widespread disruption in claims processing and potentially exposing millions of personal health records. Hackers gained access and then exfiltrated data due to a failure on the organization’s part to implement multi-factor authentication (MFA) on a critical system. Other factors in the attack included legacy systems and older technologies that needed updates.
Healthcare remains a prime target for hackers due to the high value of sensitive patient data, the complex and interconnected nature of healthcare systems, and the potential for significant gain or disruption through cyberattacks. Despite the growing risk and evolving threat landscape, data from our 2025 Compensation and Budget for CISOs in Healthcare Benchmark Report shows that year-over-year (YOY) growth in security budgets for the healthcare sector remains modest, with a 4% average increase, down two percentage points from 2023 and 14 points below 2022 growth levels.
With ransomware attacks remaining a primary concern, healthcare CISOs and other security leaders must strategically invest in cybersecurity technologies to protect their organizations and customers. With flat budgets and CISO compensation below average compared to other industries, 2025 could prove challenging for security leaders who report less job satisfaction than their peers. This piece breaks down a few key data points relevant to the state of security budgets and compensation in the healthcare industry, as uncovered in our 2025 Compensation and Budget for CISOs in Healthcare Benchmark Report.
Healthcare Cybersecurity Budgets in Decline
The declining rate of annual security budget growth is evident in our study, which shows that security budget growth shrank by two percentage points in 2024, down to 4% compared to 6% in 2023. The healthcare industry's budget decline contrasts with other industries, which saw budget growth increase by at least two points over 2023 figures. (See Figure 1.)
“2024 was another difficult year for companies in the tech sector, and healthtech was no exception. With a multitude of companies in the healthtech segment backed by private equity (PE) or venture capital, many privately held organizations tightened their budgets amidst challenging macroeconomic conditions, which postponed a financial transaction,” says IANS Faculty Steve Martano, also a partner in Artico Search’s cyber practice.
While the healthtech sector showed the highest budget growth (24%) as well as the highest decline (24%), more than 80% of CISOs in healthcare services and health insurance and payments reported flat or moderate budget growth.

Our report data shows that security budget as a percentage of IT spending and of revenue has been volatile for healthcare organizations over the past five years, reflecting the challenges of expanding cybersecurity programs amidst budget constraints and shifting financial priorities. For hospitals and clinics, security budget as a percentage of IT spend and of revenue is well below the average outside of healthcare, at about 8% and less than 1%, respectively. These organizations have higher overall IT costs because hospitals and clinics run large, complex IT infrastructures with significant spending on electronic health records, medical devices, imaging systems, and patient management software. (See Figure 2.)
Separately, at healthtech and healthcare services firms, security spending as a percentage of the IT budget averages around 15%, which can be partly explained by blurred boundaries between IT and infosec in healthtech and healthcare services companies.
Healthcare CISO Compensation is Below Average
Total compensation for healthcare industry CISOs also falls below the average across other industries. According to our research, CISOs earn between 10% and 40% less in cash compensation and total compensation than their peers in other sectors.
Compensation is notably low in the hospitals/clinics and healthcare services subsectors, perhaps due in part to the fact that most hospitals and clinics are nonprofit organizations with smaller budgets and no ability to offer equity grants. (See Figure 3.) The notable exception is the health insurance and payments subsector, which comprises mostly multibillion-dollar firms that have greater access to capital markets and offer larger equity-based compensation.
Despite the relatively lower compensation figures compared to other industries, healthcare CISOs' responsibilities continue to expand. Many healthcare CISOs are expected to cover SecOps, tech risk and compliance, third-party risk management, governance, risk management and compliance (GRC), and architecture and engineering (A&E). Still, CISOs' responsibilities differ widely even among the healthcare subsectors.
For instance, healthtech CISOs are likely to oversee broader security functions including AppSec, IAM, product security, enterprise risk management, privacy, physical security, and fraud. CISOs at hospitals and clinics have a more focused scope of responsibilities that are heavily tied to ensuring uptime for critical systems, which often means less involvement in other areas such as product security and fraud prevention.
Other data collected during our study shows that healthcare CISOs are among the least satisfied in their roles. Healthtech has the lowest satisfaction figures, likely because the subsector also experienced the most budget cuts, the broadest scope of responsibility, and the lowest board engagement figures. Although healthtech CISO compensation is among the highest in the healthcare sector, it still falls short of what CISOs earn in the broader tech industry, according to our research. In fact, some 91% of healthcare services CISOs reported they were considering a job change in the next 12 months, while 86% of healthtech CISOs said the same.
“In general, we see CISO satisfaction dip when the organization adds operational responsibilities to the CISO’s scope, rather than strategically changing their scope. Without commensurate staffing, budgets and/or compensation, CISOs get burnt out and frustrated. In a tight budgetary environment, it’s not surprising that viewing CISOs as ‘problem-solvers-in-chief’ will lead to burnout and dissatisfaction over time,” Martano says.
CISO Compensation & Security Budget Benchmark Reports
Each year, IANS, in partnership with Artico Search, releases a series of benchmark reports on CISO compensation, security organization, security staff compensation, and job satisfaction.
These in-depth reports feature new takeaways, uncover a wealth of insights, and provide valuable leadership guidance to fine-tune your current role, department, and career path.
Download our 2025 Compensation and Budget for CISOs in Healthcare Benchmark Report – and gain access to these and other valuable insights and data sets.