Healthcare Boards Lag in Cyberattack Preparedness

November 17, 2023

Healthcare boards lag behind other industries in cyberattack preparedness. This post looks at the challenges involved and at strategies for strengthening cybersecurity in the healthcare sector. Healthcare CISOs and CIOs must communicate effectively with board members so that they understand cybersecurity threats and how those threats affect the organization’s goals. Here are some reasons why healthcare boards lag other industries in preparing for cyberattacks.

The war against hackers is a long one. But with patient lives at stake, hospitals cannot afford to lose any time implementing improvements in their security practices.

1. Lack of Experience

Health systems rely on a range of connected technologies that are accessible over the internet, from radiology equipment to hospital elevators. That’s good for patient care because it allows data integration and support, but it can make hospitals vulnerable to cyberattacks. If hackers exploit these connections to siphon patient data, hijack drug infusion devices to mine cryptocurrency or shut down a hospital’s entire network until a ransom is paid, the impact on patients can be severe.

In 2017, the WannaCry cyberattack threw the United Kingdom’s National Health Service into disarray by hijacking thousands of computers and encrypting files. While no patients died, the attack snarled the country’s emergency rooms and forced doctors to ferry lab results between hospitals manually, cancelling around 20,000 appointments. The threat of ransomware is real, and while experts say that healthcare organizations can mitigate the damage by focusing on prevention, there’s no guarantee that they won’t be hit again.

As healthcare becomes more digital, cybersecurity has become a top priority for most organizations. Yet a recent study found that while 77% of board members surveyed indicated that cybersecurity is one of their top priorities, only 59% of healthcare directors felt the same. It’s clear that boards need to take up the challenge and make cybersecurity a top issue.

Board members who lack relevant experience are at a disadvantage when it comes to cybersecurity. That’s why the best approach to the issue is for health systems to build a diverse board that represents the demographics of their communities. Having representation from women, minorities and people with varying backgrounds will ensure that everyone’s perspective is taken into account when deliberating strategic issues such as cybersecurity.

However, finding qualified healthcare board members can be challenging. Board service demands a lot of time, personal commitment and risk, so it can be difficult to attract highly-qualified outsiders with the right mix of skills and experiences. That’s why some health systems have begun compensating their directors to help draw candidates who are willing and able to commit the necessary time and energy.

2. Lack of Accountability

Many hospitals rely on third-party service providers for cybersecurity and other services. This practice is often less expensive than hiring a full-time chief information officer and provides an opportunity to refocus IT staff on other projects and initiatives. However, it also increases the risk of cyberattacks. Board members need to ensure that these third-party contracts include measurable performance metrics, and that the board is aware of the risks associated with this arrangement.

The WannaCry ransomware attack of 2017 and the discovery of a new computer virus that could add tumors to CT scans are just the latest reminders of how vulnerable healthcare is to cyberattacks. The value of the medical and billing data stored in hospital systems makes it a prime target for hackers. Yet, despite the need for increased security, most hospitals have not invested in this area.

One reason for this is that the responsibilities of the board and management are often too siloed. The board is responsible for governance and oversight, while the CEO and management team are focused on operational efficiency, patient outcomes, and business performance. The lack of clear communication can result in a misunderstanding of the needs of the organization, particularly during an emergency or crisis.

While boards are increasingly being held accountable for their performance, the demands on them have never been greater. From CMS quality data initiatives and disclosure mandates to spillover from the public company arena, it is challenging for healthcare organizations to keep up with these demands. Additionally, they face increased scrutiny from debt rating agencies and more knowledgeable and assertive consumers.

In addition to their traditional role of overseeing the financial health of their organization, healthcare boards are increasingly involved in addressing workforce challenges. They are charged with identifying and supporting the growth of talent within the system, and they will be asked to reevaluate business practices in order to attract and retain the best employees.

This additional work has pushed some boards to compensate their directors. Although this is still rare, it is likely to become more common as the need for a skilled and dedicated board grows even further.

3. Complexity

Like all data-driven organizations, healthcare companies have a wealth of sensitive information to protect. This information is vital for patient care, and it also can be valuable to cybercriminals.

In addition to a wealth of information, the medical industry heavily relies on technology that’s connected to the internet. From diagnostic devices to MRI equipment to hospital elevators, these technologies provide access to a network and can be exploited for malicious purposes. Cybercriminals are increasingly targeting the medical industry because of this connectivity, which can be used to extort ransom or to gain access to private patient data for profit.

Moreover, the impact of a cyberattack on healthcare can be catastrophic. A single attack on a large healthcare company can shut down the organization, halt the delivery of essential services, and cause reputational damage. A successful attack can also expose the personal information of millions of patients to criminals, leading to identity theft and financial fraud.

The consequences of a cyberattack on a healthcare company can even lead to the death of patients. Whether by diversion of ambulances, delayed cancer treatment, or the loss of electronic health records, a cyberattack on a healthcare company will cost lives.

Healthcare boards need to focus on the risks associated with a cybersecurity attack before they become value killers. However, many board members are not well-equipped to understand the full scope of the risk. This lack of understanding can leave a board susceptible to mismanagement and even failure. A scandal resulting from poor risk management can ruin the reputation of a healthcare board member and expose him or her to lawsuits.

The best way to prevent a cyberattack on a healthcare company is by taking proactive measures to reduce vulnerabilities, increase defenses, and develop robust contingency plans. One way to do this is to collect dark web intelligence, which can identify suspicious activity and help stop attacks before they occur. Another way to prevent cyberattacks is by educating healthcare board members on the importance of protecting their own digital assets. This includes using strong passwords, keeping software up to date, and refraining from downloading files or attachments from unknown sources.

4. Lack of Collaboration

Healthcare systems are increasingly becoming targets of cyberattacks. Using tools like ransomware, attackers can infiltrate healthcare networks and exfiltrate patient data, disrupt medical systems and potentially endanger patients. With the confidentiality, integrity and availability of patient data, medical devices and entire healthcare systems at risk, it’s time for a change. Healthcare organizations must undergo a paradigm shift and place greater value on cybersecurity and proactively invest in security protections.

Healthcare boards need to engage in strategic discussions about cybersecurity threats and take action based on those conversations. But new research suggests that’s not happening. A global survey from Proofpoint and MIT Sloan found that when it comes to prioritizing and understanding cybersecurity risks, healthcare boards are far behind other industries.

Board members need to make it clear that they are responsible for pushing the organization’s cybersecurity agenda. But they must also have the right culture to allow for healthy discussions and debates that enable true collaboration. This is particularly important for large healthcare boards that have a tendency to suffer from “social loafing.” With larger board sizes, individual directors feel less accountable and engaged in the work. They may even come to meetings without spending the time needed to understand the issues or proposals on the table.

A healthcare board must also ensure that it has the resources to monitor and respond quickly to cybersecurity threats. That includes ensuring that it has the proper IT infrastructure in place to support its operations, including data backups and disaster recovery processes. The board should also set a clear policy on what is expected from executive management when it comes to monitoring and responding to cyberattacks.

Another critical piece of the puzzle is finding ways to limit the amount of time the CEO spends on board-related activities during a crisis. This means limiting calls from directors, creating protocols to screen them through the chairman of the board and ensuring that all board members are available for emergency calls.

When a board is able to engage in strategic discussions about the threats to its mission and vision, and when it can engage in true collaboration, the organization will be better prepared for the next wave of cyberattacks. That starts with laying the groundwork during that first meeting where goals are outlined and parameters set for true collaboration.

Ammar Fakhruddin

ABOUT AUTHOR

Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.
