Cybersecurity belongs in the boardroom

When the notorious criminal Willie Sutton was asked why he robbed banks, he famously replied, "Because that's where the money is." For the first time in history, criminal attacks – motivated by financial gain – are now the leading cause of data breaches in the healthcare industry.

Medical records are worth a great deal of money on the black market. In fact, the FBI Cyber Crimes division has formally notified the healthcare industry that it is the top target for cyber criminals. On the black market, for example, one complete set of medical records can fetch up to $1,000. In comparison, a stolen credit card is worth only a dollar.

Cybersecurity is a mission-critical endeavor, and healthcare organizations can no longer view security as merely an IT issue or even a management issue. It has reached a tipping point where the hospital's board of directors should play a more active role. The financial losses and damage to an organization's reputation are of such magnitude that they are now relevant to the board of directors' fiduciary responsibility to sustain the corporate mission.

Healthcare providers and payers are reporting a 60 percent increase in detected incidents and a 282 percent increase in financial losses since 2013 [i]. A cyber-attack is costly as well, with the average economic impact of a single data breach estimated at $2.1 million for a healthcare organization [ii]. According to federal records, 90 percent of healthcare organizations experienced a data breach in the past two years, and 40 percent had more than five [iii]. Security experts agree that it is no longer a question of whether a healthcare organization will experience a data breach, but simply a matter of when.

Moving cybersecurity to the boardroom

In light of the severity of the problem and the devastating financial consequences, cybersecurity should be a top concern for the board of directors in every hospital and health system. Yet the numbers show otherwise. According to the Global State of Information Security Survey 2016 by management consulting firm PwC, only 40 percent of board members understand their organization's security strategy, 32 percent are aware of their security strategies, and a mere 25 percent have formally considered security and privacy risks [iv].

Boards, however, can and should play a much more active role in protecting the finances and reputation of their organizations. They can start by asking the following questions:
• Does the organization have a security framework?
• What are the organization's top security risks?
• Is the hospital considering internal and external threats when planning cybersecurity activities, such as enterprise-wide audits?
• How does the organization manage security governance?

Leading on cybersecurity

Board members need to educate themselves and understand all of these issues while taking a leadership role and following the guiding principles of cybersecurity. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, supported by an appropriate security framework.

Additionally, board members must understand the legal implications of cyber risk. This includes understanding what constitutes a data breach and all of the notifications required by state and federal laws. Further, the board must be notified of all breaches and security incidents.

Board members should also understand internal and external threats by having access to cybersecurity expertise. By scheduling regular discussions of cyber risk management with security experts – either internal staff or outside consultants – during board meetings, directors can gain insight into and understanding of key issues. According to a study by the Ponemon Institute, hospitals need to step up their security game, and many still have not hired a Chief Information Security Officer (CISO) [v]. Whoever holds that responsibility, it is the CISO or the executive responsible for security who should meet with the board on a regular basis. By placing security on the board meeting agenda, directors can gain an understanding of all the risks they are avoiding or accepting and make sure their cyber insurance coverage is sufficient for their risk profile.

Perhaps one of the most important roles for directors is setting the expectation that management will develop an enterprise risk management framework and governance structure with appropriate budget and staffing. This includes tasking management with developing a risk management organization and governance structure, and with providing the board with staffing and budget details.

Finally, board discussions of cybersecurity should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as the specific plans associated with each approach.

Developing a cybersecurity framework

By elevating security to the highest level of the organization, the board of directors can help ensure their business has a strong security framework in place. In light of the current threat environment, developing and maintaining a comprehensive security framework is essential.

While there is no recognized framework specific to healthcare, boards can look to the National Institute of Standards and Technology (NIST) Cyber Security model for guidance on structuring a framework for their organization. The NIST model is multi-tiered, standards-based and versatile enough that healthcare organizations could leverage many aspects of it to develop a comprehensive security framework.

To cyber-criminals, hospitals are lucrative targets because, as Sutton said, "that's where the money is." It is only with a carefully developed strategy that today's most targeted victims of cybercrime can be prepared. Hospital and health system boards must take the proper leadership role in understanding and communicating the importance of risk management and an enterprise-wide security framework to prevent attacks. They must also have a plan in place to respond as well as possible should a breach occur.

[i] http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html
[ii] ibid
[iii] Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, Ponemon Institute
[iv] http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html
[v] https://www2.idexpertscorp.com/ponemon-report-on-patient-privacy-data-security-incidents/?gclid=CK6irfXmrr0CFUhT4godIVUA-w

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.
