Tenet's $100M cyber incident raises 10 must-ask questions for boards

Cyberattackers don't need to steal data to cause chaos, they just need to pose enough of a threat that management is forced to halt business.

Dallas-based Tenet Health is one of the largest for-profit health organizations in the U.S., with nearly 600 medical facilities and over 100,000 employees. The organization temporarily halted some of its business due to a cyberattack, and its second-quarter earnings absorbed $100 million in lost business and remediation costs, according to an Aug. 10 report from Forbes. 

On April 26, 2022, Tenet disclosed that in response to a cyberattack, it had "immediately suspended user access to impacted information technology applications, executed extensive cybersecurity protection protocols and quickly took steps to restrict further unauthorized activity."

According to a follow-up press release, "there was temporary disruption to a subset of acute care operations, the Company’s hospitals remained operational and continued to deliver patient care safely and effectively, utilizing well-established back-up processes. At this time, critical applications have largely been restored and the subset of impacted facilities has begun to resume normal operations."

The Tenet Health case reinforces why boards and senior leaders must be increasingly prepared to address rising cyber-related business interruption risk. Here are 10 diagnostic questions that credible response plans, as a minimum, must address:

  1. Under what cyber threat circumstances would leadership halt operations?

  2. What IT system redundancies and controls are employed to avoid shutdowns?

  3. Are senior leaders fully prepared to address a cyber attack requiring business interruption?

  4. Which senior leader(s) has/have final "kill switch" decision authority?

  5. What would be the estimated hourly and daily cash flow effects of closures?

  6. Does the current cyber insurance policy include sufficient business interruption coverage?

  7. What detail is necessary to file a business interruption claim, and does the organization routinely gather such data and prepare similar reports?

  8. How frequently are cyber response procedures reviewed, audited, and tested to ensure clarity, adequacy, effectiveness and efficiency?

  9. Is the board aware of emergency closure plans and periodic review results?

  10. What specific stakeholder disclosures would a shutdown require?

Copyright © 2022 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.

 

Featured Whitepapers

Featured Webinars