On the matter of an organization’s cybersecurity responsibilities, Kurt Knutsson opened with this in a Fox News article:

When a hospital or nonprofit falls victim to a cyberattack, it’s hard to place blame. Cybersecurity isn’t their strength, and many lack the budget for a dedicated security team, let alone a chief technology officer.

It’s completely straightforward to fix blame in such a case, as in all other cases. Knutsson identified the culprits even while denying the difficulty of identifying them. The lack of sufficient budget and (not or) the lack of security-capable IT personnel is directly the fault of the hospital or nonprofit’s management team, who refused to provide the budget necessary to have proper security against cyberattacks.

Especially for hospitals, which maintain so much personal and personally identifying medical data, such conscious decisions to not perform are inexcusable. Cybersecurity needn’t be an organization’s strength, but cybersecurity—and the personnel and resources needed to achieve and maintain it—most assuredly need to be a serious undertaking.