April 27, 2017

Carter Groome • Chief Executive Officer
First Healthcare Advisory Solutions

In 2017, Healthcare Boards Still Detached When It Comes to Cyber Awareness

8 approaches to building a more cyber savvy healthcare board

The 2017 KLAS-CHIME Healthcare Provider Security Assessment notes that only 16% of healthcare organizations feel they have a fully functional security program and more than half of the organizations that are still developing their security program are spending less than 3% of their total IT budget on security.

The year of healthcare ransom attacks, 2016, was sure to awaken healthcare board’s to the possibilities, risks and organizational impact of being another victim of ever present malicious acts carried out on our industry. Information Risk Management funding is increasing at a sluggish clip, as evidenced by the recent KLAS-CHIME survey. To expedite an understanding of where additional budget allocations will have measurable impact, boards must first take the mantle of leadership by engaging both personally and strategically in cyber security.

Clearly more organizations are looking to hire security officers, and conducting risk assessments are becoming common, yet there is still a cultural blind side to cyber security awareness in our industry that starts at the top. Additional funding is helping to an extent but boards must take the mantle of leadership by engaging both personally and strategically. Understanding how a cyber threat can impact the safety of your patients, your reputation, your revenue and competitive position is just the beginning of how boards must get involved.

Changes Needed at the Board Level – 8 Approaches

Devoting more attention to cyber threats at the board level is an essential step in setting organizational wide goals and precedents for education and awareness that goes beyond simple HIPAA and PCI compliance.

Here are a couple preparedness approaches a Board of Directors can take to influence how all of the employees and business associates of your health entity view their role in cyber security and privacy.

  1. Become informed/stay informed
  2. Assign a board member to liaison with cybersecurity initiatives
  3. Ensure adequate resources are provided to cybersecurity efforts
  4. Establish metrics to regularly report on threat versus mitigation efforts
  5. Empower continuous monitoring efforts
  6. Authorize internal and external evidence-based audits
  7. Conduct table top exercises to test process, procedure and personnel incident response
  8. Establish relationships with experts to respond to cyber crime incidents

Dividends of Proactive Healthcare Boards

Historically, executives have calculated that it cost no more to clean up after a cyber attack than to prevent one in the first place – and the preventative measures might not work anyway.  In 2017, this is a perilous position and the stakes in healthcare continue to rise. Organizations that are more proactive in understanding cyber threat risk at the highest levels will be better prepared at all levels of the workforce. Conveying examples of how board members are protecting the patients and assets of the organization while sharing how thoughtful cyber hygiene can reduce risk in the workplace, and at home, is a powerful way to get everyone involved and make your organization more resilient.

As healthcare providers from large networks to private physician practices remain highly vulnerable to email or social engineering exploits, increased awareness and behavioral improvements that start at the board level will have measurable impact across an organization, an office or on an individual.

Tune In to Our Upcoming Educational Webinar – May 17th at 12 noon EST

Learn more about First Health Advisory’s executive briefings, coaching and workforce resilience programs at our AEHIS webinar, Implementing a Robust Workforce Education Strategy to Reduce Risk and Improve Cybersecurity Posture, May 17th at 12 noon EST. The Association for Executives in Health Information Security (AEHIS) fosters information risk management and program maturity collaboration of 600+ health security leaders from a strategic, architectural and business oriented approach.