Optimise cyber spend to elevate hospital security

The NHS spent approximately £1.7 billion on cybersecurity and cloud-related IT projects in 2019-2024.1 This blog post, originally published as a Health Forward blog, details the cyber security risks faced by the US healthcare system and how US healthcare organisations can optimise their cybersecurity spending. It identifies the need to focus strategically on labour sourcing, technology rationalisation, vendor consolidation, and automation to mitigate cyber risks and enhance operational efficiency. In the ever-evolving landscape of cybersecurity, the UK healthcare sector faces similar challenges. The strategies outlined in this blog offer practical steps that UK healthcare leaders should consider in order to enhance their cyber resilience and protect patient data while navigating NHS budgetary constraints and the ongoing shortage of skilled cybersecurity professionals.

As we move past the midpoint of 2025, cyber threats remain a growing concern for hospitals, health systems, and health plans. A recent report estimates that 80% of health care organizations have experienced a cyberattack in the past 12 months.2 These data breaches are not only becoming more frequent, but also increasingly sophisticated, according to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).3,4 At the same time, many health care organizations are facing constrained budgets and tight competition for skilled cybersecurity professionals.5

About 60% of surveyed health system executives, and 50% of health plan executives, said their organizations intended to prioritize cybersecurity enhancements in 2025, according to Deloitte’s 2025 US health care outlook. Many of the chief information security officers (CISOs) I’ve talked with recently say they have encountered little pushback from their organization’s leaders or board members when it comes to cybersecurity investments. While those leaders and board members might understand the potential impact a cyber incident could have on their organizations and patients, they still want their CISOs to explain how investments will help to mitigate or minimize the threat.

Cost optimization aligns cyber investments with value, risk reduction

Health care organizations handle highly sensitive protected health information (PHI), which is vital for patient safety. It is also a valuable target for cybercriminals. Cyberattacks can disrupt patient care, cause significant financial damage, and jeopardize data security. The cost of a cybersecurity incident in the health care sector averages $9.8 million—more than double the average cost across other industries.6 Beyond the financial impact, such incidents can risk patient safety, harm the organization’s reputation, and erode the trust of patients and the broader community.

Many health care organizations have finite budgets and limited resources to address their cyber risks. Cost optimization in cybersecurity is a strategic approach that can extend beyond just reducing threats. This strategy focuses on using employees and technology resources wisely and managing risk effectively without overspending. My colleagues Russell Jones, partner, and Sunny Aziz, principal, at Deloitte & Touche LLP, recently hosted a webinar that outlined steps life sciences and health care organizations can take to manage their cybersecurity investments more strategically (a replay of the June 13 Dbrief is available).

Russell and Sunny—both leaders in Deloitte’s Cyber practice—explained that a cost-optimization approach can help health care organizations understand how money spent on cybersecurity directly supports an organization’s operational goals (e.g., complying with regulations, keeping patients safe, securing PHI, and safeguarding critical systems and operations). They emphasized that cost optimization is an ongoing journey rather than a one-time project. Organizations should regularly assess their threat landscape, business needs, and technology evolution. Money saved through cybersecurity enhancements could be reinvested to further strengthen an organization’s cyber program. This could include simplifying the organization’s tech stack to remove redundancies, negotiating better deals with vendors, or employing advanced tools such as artificial intelligence (AI).

Cost optimization: Four levers to consider

Health care organizations tend to operate in complex environments that rely on interconnected systems. Implementing cybersecurity measures that are compatible with existing systems and processes can help organizations maintain operational efficiency while enhancing security. Deloitte has identified four key levers health care CISOs should consider when implementing a cost optimization cybersecurity strategy:

Lever 1: Labor sourcing and workforce optimization: The cost of cyber talent can have a significant impact on budgets. There is a global shortage of more than 4 million cybersecurity professionals, according to the World Economic Forum.7 Public and private employers across the US posted more than 514,000 cybersecurity jobs over the past 12 months—up 12% from the prior year.8 This means highly skilled cybersecurity professionals can often command significant compensation. In addition, staffing shortages can increase the burden on IT staff, which can lead to burnout and turnover (see Finding, cultivating cyber talent in health care and life sciences).

Consider these strategies when seeking to optimize labor costs:

  • Consolidate: Consolidating regional security teams into a single function can help reduce management overhead and improve knowledge sharing.
  • Tap in-house talent: Consider using a mix of in-house staff for strategic roles and managed service providers for operational tasks (e.g., 24/7 monitoring).
  • Expand the search pool: Search for talent from lower-cost regions.
  • Automate processes: Automating repetitive tasks (e.g., alert triage or compliance reporting) could help free up skilled staff for higher-value work.

Lever 2: Technology rationalization: Tool sprawl has become a common issue in health care. The average organization has 43 tools in its cybersecurity arsenal, and 5% of organizations have more than 100 tools.9 This proliferation often results in overlapping capabilities and underutilized features, which can increase operational costs and add new layers of complexity. Redundant and underused tools can drive up licensing, support, and integration costs, while increasing operational complexity and alert fatigue. Russell and Sunny noted that “a lot of shiny new toys” are being touted by some cybersecurity vendors. They warned that hype-driven purchases can inflate the cybersecurity budget while adding to inefficiencies.

Consider these strategies to improve technology rationalization:

  • Inventory and catalogue all of the organization’s security tools: Identifying tools that are used for the same tasks (e.g., two e-signature solutions) can help reduce technology overlap.
  • Consolidate vendors: Look for opportunities to group expiring contracts by vendor, introduce competitive pressure before contract renewals, and negotiate multi-year terms for lower rates.

Lever 3: Vendor and third-party consolidation: Beyond technology, health care organizations often work with a wide array of vendors, contractors, and managed service providers. Managing too many external relationships can increase costs, complexity, and risk. As I noted in a blog last fall, hospitals and health systems could be at risk if third-party vendors fail to prioritize cybersecurity (see A cyber TPRM program could help make hospitals more resilient). Russell and Sunny noted that some health care organizations have achieved 10–15% reductions in vendor-related costs through consolidation.

Consider these strategies to consolidate vendors and third parties:

  • Bundle and renegotiate upcoming renewals: This could result in better contract terms and pricing. Look for ways to consolidate staff-augmentation and niche service vendors.
  • Reduce management overhead: Consider adding exit clauses and data-export rights in all renegotiated contracts.

Lever 4: Automation and operational efficiency: Integrating AI and automation into security operations can significantly lower costs associated with data breaches. One recent analysis estimates that organizations lacking these technologies face an average breach cost of $5.72 million. By contrast, those that have adopted AI and automation could face an average of $3.84 million per breach—a reduction of $1.88 million.10

Consider these strategies to help improve automation and operational efficiency:

  • Implement security orchestration, automation, and response (SOAR) tools: Identity and access management (IAM) and threat detection and response often account for a significant percentage of an organization’s cybersecurity budget. Automating or outsourcing these areas can help organizations streamline incident response.11
  • Use AI and machine learning for better anomaly detection and threat hunting: Many cybercriminals have begun to leverage the latest technologies to craft more convincing phishing emails and automate reconnaissance and exploitation. About 40% of phishing attacks now use generative AI.12

Conclusion

Cost optimization is not the same as cost reduction. Rather, it is about aligning an organization’s cybersecurity investments with business value and risk reduction. Health care organizations should ensure that every dollar invested in cybersecurity directly supports the organization's strategic objectives. This can help enable digital transformation, protect the organization’s brand and reputation, and help it maintain regulatory compliance.

__________________________________________________________________________

Get in touch

Jimmy Joseph
Principal | Deloitte & Touche LLP
jijoseph@deloitte.com