Recent high-profile data breaches represent a horror story for health care organizations. Here are some steps your board can take to stay one step ahead of the cyber criminals.
Just like rain showering the earth’s surface, many health care organizations cope with a constant barrage of cyberattacks. As technology advances to thwart such attacks, so do cyber criminals’ savvy in working around it.
For health care boards, perhaps more than any other industry to due to the sensitive nature of patient data and HIPAA laws, these cyber intrusions loom large. A data breach involving any sort of confidential information — patient-related or not — can devastate an organization’s reputation and cost, on average, $9 million per incident.
Earlier this year, UC Health announced it was victimized by a security incident that compromised some of its files. The FBI’s 2022 Internet Crime Report said that over 800,000 reports were filed that year, with losses exceeding $10 billion — a cost 49% higher than the previous year despite 5% fewer incidents being reported.
What can health care boards do to protect themselves? Let’s examine the steps.
How Important is Cybersecurity to Your Board?
The first step, obviously, is to prioritize cybersecurity. Most boards across all industries seem to be taking cyber threats seriously. OnBoard’s latest survey found that 89% of board directors, administrators, and staff members view cybersecurity as a vital issue.
More than three-fourths (76%) of CIOs expect to have increased involvement with cybersecurity in the next year, and it’s estimated that 40% of boards will have a dedicated cybersecurity committee by 2025.
So, if your board has identified cybersecurity as a top priority, you’re on the right track. You’re also far from alone. What can your health care board do to avoid becoming a statistic?
Best Practices for Preventing Cyberattacks
Executives, management teams, and other organizational leaders should invest in education, preparation, and defense related to ransomware, data leaks, and all other types of cyber incidents.
Appointing a board member with cybersecurity expertise is a good start, but don’t lean too much on one in-house expert.
Here are 6 steps every health care board should take to ensure sound cybersecurity practices:
- Invest in a solid cybersecurity infrastructure. The National Association of Corporate Directors (NACD) recommends that boards include cybersecurity as part of an organizations’ full risk management framework to defend against attacks, and secure operations now and in the future. Support and empower IT teams with resources and budgets to meet cybersecurity needs.
- Securely manage all board materials digitally. The days of paper copies should be over. Printed materials can fall into the wrong hands much easier than those that are stored on a secure digital portal. No solution is perfect, but digital portals that include encryption, two-factor authentication, and biometric scanning devices (such as facial or fingerprint recognition) are preferable.
- Set appropriate permissions. Board members who have a conflict of interest in a specific area of the operation shouldn’t have unfettered access to that department’s sensitive information. Assign appropriate permissions to board members that give them access to perform their roles, but no more.
- Protect meeting minutes. Don’t distribute these vital records via insecure channels like email, Google Drive, or Dropbox. Ensure the method you’re using to compile, distribute, and store meeting minutes is safe and secure, and make minutes available to board members in a read-only format.
- Require directors to communicate via a secure portal. Personal email accounts aren’t secure, and even company email accounts have vulnerabilities. Aim to conduct all board communications through a secure board platform that includes automated notification systems without transmitting sensitive information.
- Wipe vulnerable apps. Board members often access information from several devices, including laptops and mobile phones. While it’s important to be able to conduct business anytime, from anywhere, organizations should insist that board members only conduct business on trusted devices. You should be able to remotely wipe sensitive data from devices when they’re stolen, lost, or replaced, or go a predetermined time (90 days, perhaps?) without use.
The Bottom Line on Cybersecurity
In OnBoard’s 2023 Board Effectiveness Survey, 56% of respondents say they lack confidence in their organization’s digital security. So, while boards and their organizations have clearly prioritized cybersecurity in recent years, it’s just as clear — from survey respondents and actual ongoing cybercrime — that they have a long way to go before actually operating securely.
Directors should seek to build their knowledge about cybersecurity issues and be forthright and willing to ask probing questions. Utilize these best practices and others, so when a cyber attacker targets your organization, you’re prepared and able to respond.