How to Communicate Cybersecurity Needs to a Healthcare Board
In 2015 alone, 112 million healthcare records were compromised. If there is one thing we can count on in the years to come, it is increasingly sophisticated cybersecurity attacks that specifically target healthcare organizations. Why healthcare? Here are a few reasons.
- Most healthcare organizations are spending less than 3 percent of their IT budgets on cybersecurity. That is very low, and underfunded defenses make them an easy target.
- Healthcare records are valuable because they routinely include an individual’s name, address, Social Security number, health plan ID, and other information.
- To adequately care for patients, many people require access to healthcare records, and a high degree of connectedness is necessary to enable that amount of data sharing. Unfortunately, each of those connections is a potential access point through which cybercriminals can enter and steal data.
Hospitals are up against a barrage of attacks with no end in sight. In light of this, the state of their cybersecurity should not be viewed as IT's issue alone. Management and the hospital's board members need at least a base-level understanding of the types of threats that could impact their organization and of what preventive measures are in place to keep those threats at bay. Yet most hospitals are slow to get their board members involved.
Here are some ways to effectively communicate cybersecurity needs to your healthcare board:
1. Help Them Realize Their Part
It is the board's job to ensure reasonable controls are in place and working. However, it is not their responsibility to actually "run" those controls. A common misconception is that a board also needs a cybersecurity expert among its members. That certainly would not hurt, but a board that lacks an in-house cybersecurity guru is still capable of developing the level of understanding it needs to do its part.
2. Cover Risk Management
Once again, it is not the board's job to balance risk and reward, but it is their job to ensure management does. Management should come to the table with documentation outlining potential risks, the likelihood of each occurring, and their recommended resolution based on budget and operational impact. A security risk assessment will help ensure these details are identified and recorded for compliance purposes. The results will also serve as a mechanism for informing the board of where the organization stands in its cybersecurity efforts.
Ultimately, the board should be able to recognize whether the right safeguards are in place and how mitigation funds are allocated. They should be part of a system of checks and balances ensuring that cybersecurity needs are met according to what is best for the overall organization and its patients.
3. Discuss Cyber Liability
Healthcare organizations can either invest in cyber liability insurance or self-insure. Most organizations are not in a position to go the latter route, which means they must select a liability insurance provider that offers financial protection, risk assessment services, and incident support should a data breach occur.
Cybersecurity is no longer a job for IT alone; it has become too intricate and far-reaching. Between a healthcare organization's board, management, and security team, every open door must be identified and protected accordingly. In the years to come, experts expect an increase in ransomware and third-party attacks. They also expect lost or stolen unencrypted devices to continue creating headaches for organizational leaders. But if all levels of a healthcare organization work together to protect data, their odds of warding off such attacks are much greater.
About DOUG KANNEY
Doug Kanney is a Principal at Schellman based in Columbus, Ohio. Doug leads the HITRUST and HIPAA service lines and assists with methodology and service delivery across the SOC, PCI-DSS, and ISO service lines. Doug has more than 17 years of combined audit experience in public accounting. Doug has provided professional services for multiple Global 1000, Fortune 500, and regional companies during the course of his career.