All too often, we read headlines like these: “Large National Health System Takes a $150M Hit Following Ransomware Attack” or “Cyber Attack Considered 'Credit Negative' for Florida Hospital.” Such attacks underscore the importance of strong cybersecurity as cyberattacks can have an adverse financial effect on healthcare organizations. While the increased number of cybersecurity incidents and data breaches have resulted in an increased awareness and concern from healthcare senior executives and boards—which is good news—IT security leaders and Chief Information Security Officers (CISOs) still feel like “lone rangers” when tackling the cyber risks of the organization. Healthcare executives have a bigger role to play in leading the organization to ensure the cybersecurity maturity of their organization.
CISOs continue to do their best to protect their organizations based on their knowledge and resources, but ultimate accountability of an organization’s cybersecurity resides with its most senior executives.
In business law, directors and officers have a “duty of care” or “fiduciary duty” and are expected to apply this to cybersecurity by taking reasonable steps to protect their organization’s reputational, financial, and legal best interests. It is critical that healthcare executives understand what they should be asking their CISOs or security leaders to support their organization’s cybersecurity maturity and resiliency—ultimately reducing the overall risk to their organization.
There are 3 core areas that set the foundation for practicing duty of care and driving the organization toward a mature cybersecurity program:
- Identify what’s at risk
- Secure a continuous risk management program
- Ensure your organization’s resiliency
This article covers these areas and key questions healthcare executives should ask their CISOs. Doing so will either provide confidence in their organization’s cybersecurity maturity or a clearer understanding of areas that may require additional attention.
Identify What’s at Risk
The first and most foundational element of a cybersecurity program is being able to identify what may be at risk. The answers to the following 3 key questions will help provide an understanding of areas of strength and continued opportunity for executives to support their security team in reducing risk.
1. Is there a complete inventory of assets (hardware and software)? Do we know which assets are not up to a secured standard, and where we are most vulnerable?
The most important part of this first set of questions is understanding where your organization is most vulnerable and then working with the security leader to determine the level of risk based on likelihood and impact. Doing so will help your organization determine whether it can accept the risk, mitigate the risk, or transfer the risk through cybersecurity insurance.
2. Do we know where all our sensitive data is? Are we documenting with whom we are sharing it?
Almost daily, executives across the country learn of significant healthcare data breaches (those affecting more than 500 patient records). These breaches require public disclosure, which can have a severe reputational impact for the organization. Understanding where the sensitive data is stored and who it is being shared with will help organizations prioritize their efforts in securing the systems that could cause the biggest impact.
3. How integrated is Information Security with other departments, such as Supply Chain, Legal, Human Resources, and Compliance?
If any one of these departments do not meet regularly with each other and understand the inter-dependencies and collaboration needs, additional risk is likely being introduced. For example, the supply chain department should meet with the cybersecurity team to gain pre-established cybersecurity and regulatory requirements, ensure these requirements are embedded into every purchasing request, and are following a process for the cybersecurity team to verify that prospective vendors meet all the necessary security requirements prior to the purchase. Establishing these protocols will allow the organization to eliminate vendors from consideration due to the additional risk they may bring to the organization or provide the security team time to plan for risk mitigation efforts ahead of implementation.
Secure a Continuous Risk Management Program
Day-to-day management of risks is the second foundational element of a mature cybersecurity program. It is important to have an ongoing process for identifying, analyzing, evaluating, and addressing your organization’s cybersecurity threats. Ask the following 3 questions of your CISO to ensure your organization is addressing risk in a comprehensive and consistent manner.
1. How well do we implement periodic software updates and patches? Do we have standards in place for patching and vulnerability management?
Consistently prioritizing vulnerabilities is a critical component to reducing risk. It is unrealistic to think your organization can fix every vulnerability as soon as it appears, especially in healthcare, given the number of systems utilized across the enterprise. However, if you have addressed the questions in the section above, inventorying all your assets and understanding where your most sensitive data resides, you can more effectively allocate resources to remediate the most impactful vulnerabilities. Ensuring your organization has a well-established and measurable vulnerability management program will serve as a strong baseline toward risk management.
2. How are staff made aware of cybersecurity-related topics? Evolving threats? Ransomware? Phishing?
Most healthcare organizations now require cybersecurity and privacy training upon hire, and some require annual training for employees. However, as “people” continue to serve as the biggest cybersecurity risk through their intentional or unintentional actions, continuous training, reminders, and testing are critical to ensure your teams are retaining and abiding by good cybersecurity practices. A very impactful part of your risk management strategy is ensuring you have an effective cybersecurity training program in place. Such a program should include a regular cadence for training, continuously updated materials that reflect the constantly changing threat landscape, and ongoing measurement through testing (such as phishing and social engineering exercises).
3. Do we attend to security 24/7? Do we have the right in-house skills or the right partner to support daily operations?
Continuous cybersecurity monitoring is a cornerstone to risk management. With the influx of international cybersecurity criminals, after-hours intrusions are common. This makes 24/7 threat monitoring necessary. But monitoring alone is not enough without staff to respond to these threats in real time. Coupling effective tools with the right balance of experienced resources (whether in house or through a managed services arrangement) to perform timely remediation is imperative for successful risk management.
Ensure your Organization’s Resiliency
Because ransomware groups continue to aggressively target healthcare as a critical infrastructure, healthcare organizations must prepare for when the day comes. Half of ransomware attacks on healthcare organizations disrupted delivery.1 It is therefore extremely important to be able to anticipate, withstand, and recover from an attack or compromise in a timely manner.
The following 3 questions can help you better understand your organization’s ability to respond and recover when an incident occurs.
1. Do we have a multi-layered defense-in-depth security strategy? Does it consider today’s threats and our current business needs (e.g., cloud solutions, interoperability, and API use)?
While technology solutions continue to advance, they are still not enough to effectively manage risk and ensure resiliency when a cybersecurity incident does occur. Therefore, the most successful approach is to deploy a multi-layered defense-in-depth strategy with a security architecture to protect administrative, technical, and physical controls. Continuously monitoring and addressing gaps in these 3 areas will not only reduce your risk but also ensure your ability to prevent, withstand, and recover from a cybersecurity incident.
2. How up-to-date is our cyber incident response plan? When was it last tested?
One of the most critical avenues toward cyber resiliency is the development and continuous updating and testing of a cybersecurity incident plan. Testing the plan within IT, security, and key business users and leaders is what sets organizations apart in their ability to reduce overall risk. Best practice is to perform testing multiple times per year to ensure readiness across the organization to respond and recover more quickly, reducing the overall short-term and long-term impact.
3. How confident are we that we can successfully restore our critical systems in response to a disaster or major disruption? Has this been tested?
Healthcare relies on its data to make critical, sometimes life-sustaining decisions. Therefore, a major element of successfully managing an incident depends on the confidence that any potential impacted systems have been backed up. To achieve HIPAA compliance, healthcare organizations must back up electronic health record (EHR) data daily. However, many organizations have implemented more frequent back-up processes to operate more effectively if an incident were to occur. It is crucial to frequently test these backups and your ability to obtain the data quickly. All the details and testing procedures should be described in your organization’s disaster recovery plan and revisited as part of your annual security assessment process.
Cybersecurity Starts at the Top
Corporate board directors are struggling to oversee the rapidly evolving threat of cyberattacks, and many consider cyber and data security as their most challenging issue.2 Boards are asking a lot more questions as they hold healthcare executives accountable for reducing risk and making impactful investments toward cybersecurity maturity and resiliency. Senior healthcare executives need to establish collaborative and continuous communication with their cybersecurity and IT teams, so they can help prioritize and support efforts that will lay the foundation for successful security and resiliency.
Key Questions to Ask Your CISO
 Fox, Andrea, “Half of Ransomware Attacks Have Disrupted Healthcare Delivery, JAMA Report Finds,” Healthcare IT News, Jan. 10, 2023, https://www.healthcareitnews.com/news/half-ransomware-attacks-have-disr…
 Jones, David, “Corporate Boards Struggle to Understand Cybersecurity and Digital Transformation,” Cybersecurity Dive, Feb. 6, 2023, https://www.cybersecuritydive.com/news/corporate-boards-cybersecurity-d…