Ed Gaudet is the CEO and Founder of Censinet, a healthcare risk management platform, and member of the Health Sector Coordinating Council.
Healthcare delivery organizations (HDOs) are facing a cybersecurity pandemic. Every year, the number of attacks and incidents continues to grow exponentially and causes significant financial impact on an already stressed industry. Reported breaches in the first four months of this year are already up 40% over the same period last year. That’s the good news.
Ransomware is rendering electronic medical records and other critical data and systems useless, which significantly impacts the ability of HDOs to deliver timely care or, in some cases, continue to operate. The University of Vermont Medical Center reported losing over $60 million in revenue due to a ransomware attack in October 2020. Less than a year later, Scripps, a $3.1 billion not-for-profit healthcare organization based in San Diego, reported over $100 million in lost revenue due to ransomware.
Two independent studies last year linked hospital cyberattacks to reduced care capacity and worsened health outcomes, including delays in procedures and tests, longer hospital stays, diversion of patients to other facilities and increased mortality. Given these trends, HDOs must assign accountability for cybersecurity to their boards of directors.
Life in an earthquake zone depends upon proper foundations. Cybersecurity is no different. HDOs must have a solid foundation built on three organizational pillars: accountable board and executive leadership, an integrated cyber and enterprise risk program, and a proactive board governance and oversight process.
Here are three steps to building this foundation:
1. Formalize Cybersecurity Governance And Oversight Under A Standing Committee
Most HDOs have their boards review cybersecurity. However, due to the complexity and technical nature of cybersecurity, accountability is often left to the CIO or CISO. The stakes are too high for complexity to stand in the way of proper oversight. Not all board members know how to perform an esophagectomy or a detailed financial audit, but they still hold fiduciary responsibility for the financial stability of the health system.
The recent frequency and impact of cyber incidents have driven boards to formalize the governance and oversight of cybersecurity under their own standing, or operating, committee. A standing committee for cybersecurity enables its members to facilitate deeper discussions and develop a level of understanding and expertise of a complex topic, which enables the full board to leverage the committee’s recommendations and decisions. It also prioritizes hiring board members with cybersecurity expertise.
While this does not relieve the full board of its core oversight responsibilities, it helps facilitate focus to understand and address issues. A cybersecurity standing committee can prioritize cybersecurity appropriately, giving it the time needed on board agendas to ensure the right people, policies, procedures and controls are in place and appropriately funded.
2. Establish An Integrated Cyber And Enterprise Risk Program
Cyber threats and attacks put all electronic healthcare data and electronic systems at risk. HDO boards and leaders must understand the dependencies and risks across these digital clinical and business processes when making decisions. However, legacy organizational structures and operating models make this difficult because cyber, operational and enterprise risk sit in separate silos.
An integrated approach to risk management will enable the board to more effectively and efficiently measure the progress of the HDO’s cybersecurity program and govern its effectiveness across the HDO’s enterprise. Cybersecurity risks should be managed across these HDO processes and systems:
• Daily Operations: email, patient scheduling and administration, accounting and financials.
• Clinical Operations: EMR, labs, radiology and discharge.
• Third Parties: critical vendors and products.
• Supply Chain: medical supplies, pharmacy, PPE, laundry services and HVAC.
• Innovation/Research: drug discovery, wearables, telehealth and the institutional review board.
• Joint Venture/M&A: acquisitions, affiliated practices and sites and special projects.
Using an integrated approach, boards can verify that the management team is effectively addressing cybersecurity risks across the HDO’s enterprise. Broad discussions about cybersecurity programs and gaps help the board consider appropriate trade-offs between business objectives and risks, ensuring that sufficient staffing resources, training, tools and investments are committed to reducing risks across the enterprise.
3. Measure Progress And Govern Effectiveness Of Cybersecurity Program
Given the inevitability of a cyber incident, HDOs must consider cybersecurity risk a top-three critical business issue facing their board today. Boards can help mitigate cyber risks and damages by actively measuring progress and governing the effectiveness of the overall cybersecurity program. The leadership team must frame cybersecurity risks and controls in a language that the board understands and can use to challenge assumptions, provide guidance and oversight, and help make meaningful risk decisions. The board needs answers to the following 10 questions:
1. What do we need to protect to achieve our goals and objectives?
2. What are our policies, procedures, processes and controls to meet our governance objectives?
3. Where are the gaps in coverage, people, skills and education?
4. Where do we need to invest in cybersecurity and why? What’s the risk of doing nothing?
5. Do we have enough insurance (e.g., cyber, directors, etc.)?
6. Do we have an inventory and know the location of all digital and physical assets?
7. How quickly can we detect, respond and recover from an incident today? Do we test these times?
8. How does management stay current with changing technologies, threats, regulations, reporting obligations and disclosure requirements?
9. How do we measure progress?
10. How do we compare with HDO peers? The overall industry?
The leadership adage “a fish rots from the head down” is axiomatic to the issue of cybersecurity accountability in healthcare. It must start and end at the top. Cybersecurity needs to be part of a board’s fiduciary responsibility. HDO boards must be accountable for governance and oversight to ensure that their organization is adequately managing cybersecurity risk.
However, HDOs have a way to go before basic cyber hygiene such as two-factor authentication and network segmentation is lingua franca among their board members. When healthcare boards naturally refer to their cybersecurity committee with the same level of priority, import and frequency as their audit and compensation committees, cybersecurity will be represented under the full fiduciary power and authority of the organization.