By: Frank Auberle, CPA, and Jameson Miller, CPA, CISA, CISSP, CCP, CCA
Healthcare organizations have increasingly become the target of hackers looking for sensitive data and high-dollar ransoms. Attacks on big-name hospitals and healthcare systems regularly make headlines, but smaller organizations are at risk too. Given the severe consequences of a successful attack, board members need to recognize the problem as one that poses more than a theoretical risk.
The danger comes not just from cybercriminals intent on harming the organization, but from systemic issues of culture and governance that can make achieving that goal easier. For example, executives may hesitate to voice concerns about vulnerabilities, potential consequences of inaction, or inadequate technology that makes a particular healthcare organization an appealing target for cyberattack. No one enjoys bringing bad news, but board members can’t address risks and problems they don’t know about.
What is the board’s responsibility when it comes to cyberattacks? It’s easy to dismiss cybercrimes as unfortunate but unavoidable incidents. However, most are preventable. This shifts the conversation from one of “bad luck” to one of governance.
That means your board has a clear responsibility to actively engage in formulating and overseeing strategies that mitigate the risk associated with cyberattacks.
Beyond strategic success, this is a matter of fiduciary and legal obligation. In an era of increasing regulation, improper oversight of digital assets could be viewed as a breach of duty or negligence. Failure to exercise due diligence in cybersecurity governance doesn’t just put the organization at risk, it could result in personal liability for board members.
To fulfill these obligations and protect both the organization and its leadership, here are five ways boards can drive cybersecurity objectives to help protect your healthcare organization.
Recognize the risk of long-term organizational damage.
Remember the widely publicized ransomware attack on Change Healthcare that wreaked havoc on pharmacy functions, billing and other healthcare operations across the country? UnitedHealth Group execs remember it too. Not surprisingly, as the parent company, UHG expects to lose roughly $2.45 billion between downtime, ransom, recovery and other expenses related to the attack.
You know who else remembers? The patients, pharmacists, vendors and countless others whose lives and work it affected. The general public retains at least some memory of the incident as well, which could color their perception of the brand for years to come.
Between financial costs and reputational damage, this was a very expensive event for Change Healthcare and UnitedHealth Group, a blow that could easily kneecap a healthcare organization’s long-term growth prospects or even pose an existential threat. No leader can afford to take a laissez-faire approach to risk at this level.
Prioritize resolving technology gaps.
New buildings and programs are exciting. New technology platforms and systems may seem less appealing, but they’re the foundation that supports your organization’s future. Many hospitals rely on antiquated legacy systems that serve as an open door to hackers.
Whether it’s billing, medical records, or any other information management system, upgrading older technology brings a dramatic increase in security features and options. (And that’s on top of the efficiency gains that can come from adopting modern business technology to support the complex data management demands of a large facility or system.) Boards should clearly communicate their recognition of the central role technology investment plays in maintaining adequate cybersecurity.
Reframe budgetary discussions.
You’re aware of the risk. You’re taking it seriously. But there’s only so much wiggle room in the budget, right? Budget limitations are real, but so are the costs of a cyberattack — and they’re much higher than the costs of prevention.
Technology upgrades, system changes and rigorous organization-wide cybersecurity training are significant expenses. The costs can seem insurmountable for smaller or cash-strapped hospitals and healthcare systems. And yet, bearing those costs may be the best way to prevent vastly more expensive damage that lingers for decades.
This unwelcome truth should shape conversations around budget priorities and the many competing needs that organizations wrestle with in today’s high-pressure healthcare environment. Your investment in modern technology ensures business continuity, not just convenience.
Actively seek vulnerabilities in systems and processes.
Investing in expert penetration testing and consulting to identify chinks in your cyber-armor is a great idea, but there’s more you can do to raise awareness of the organization’s vulnerable points. Boards should clearly communicate to leadership at all levels that information about risks and security missteps is welcome; neither the blame game nor “kill the messenger” energy serves the organization well.
Getting insights from the folks who have an intimate understanding of the organization’s systems, processes and tech tools positions the board to understand where gaps and vulnerabilities exist. And that understanding is critical for remedying them.
Navigate a deepening governance challenge.
Board responsibility is growing more demanding as global standards evolve. For instance, the NIST Cybersecurity Framework (CSF) 2.0 recently introduced the “Govern” function, elevating cybersecurity from a technical task to a core pillar of enterprise risk management on par with finance and reputation. This framework expands the board’s scope significantly, requiring an understanding of fourth-party management—the security of your vendors’ own vendors. Because an organization’s supply chain is only as strong as its weakest link, boards must now oversee the due diligence of an entire ecosystem of digital relationships.
To manage this complexity, many healthcare boards are re-evaluating their composition. Leading organizations are increasingly creating a dedicated seat for a Cyber-Director, a board member with a background as a Chief Information Security Officer (CISO) or similar senior technology experience. Having a technical expert in the boardroom ensures that the board can effectively challenge management’s assumptions, interpret emerging threats, and satisfy the rigorous “duty of care” required in today’s digital environment.
Find support in your stewardship role.
There’s a lot of responsibility that comes with board membership, and no shortage of tough challenges to navigate. Our healthcare and cybersecurity experts can help you discover new ways to steward limited resources for a more resilient, sustainable and cyber-secure organization.