Cybersecurity: Board Members Hold the Keys
By Bill Ahrens and David Parry
Healthcare Board Members and Corporate Officers have a fiduciary responsibility to ensure that their organization is properly managed, financially sound, committed to achieving the corporate mission, and is in compliance with laws and regulations. Among their many requisites is a thorough understanding of the organization’s environment and risks.
One of these risks – data breaches – is a significant threat that cannot be ignored. If cybersecurity is not a current corporate priority, Board and Executive Team Members must work together to establish the appropriate Board oversight and Management operational systems for an effective cybersecurity program.
According to the Ponemon Institute, the average cost of a data breach for healthcare organizations now exceeds $2.2 million. In 2016, the healthcare sector experienced 377 data breaches – its highest number ever.[1]
Elevated levels of healthcare cyberattacks are expected to continue as an increasing number of diverse systems (including biomedical devices) become connected to the main corporate network, and intrusion methods become more sophisticated.
Laws and regulations require healthcare organizations to implement appropriate security measures, and substantiate them through documentation and audits. In 2016, the HHS Office for Civil Rights (OCR) issued an updated audit protocol with expanded administrative, physical and technical safeguard requirements, and launched its Phase 2 HIPAA Audit Program (Audit Program).
While the primary purpose of these audits is to learn what tools, technical assistance and guidance are needed by organizations, the OCR also acknowledges that they may take further actions if significant deficiencies are revealed – which could subject an organization to major fines and potential reputational risk.
Organizations should act now to use these updated audit rules as an opportunity to understand and remediate their security shortcomings, even if they are not among the more than 200 healthcare entities being audited under the Audit Program.
We do not yet know HHS/OCR’s plans under the new administration, but persistently high levels of cyberattacks coupled with the need for HIPAA compliance point to an increasing number of OCR breach investigations and compliance audits in 2017 and beyond.
The need for cybersecurity to be a corporate priority continues to increase; Board Members and Corporate Officers who do not provide reasonable fiduciary oversight for cybersecurity are exposing the organization – and perhaps even themselves – to significant risks and potential liabilities.
Management must apply the same level of direction, expertise, and structure regarding cybersecurity as they have historically given to other critical areas such as the corporate mission and finances. A cybersecurity update should be a standing Board agenda item.
In addition, Board Members should assess their knowledge and expertise on cybersecurity; if appropriate, Boards should obtain additional education or supplemental consulting, or add a Member with security expertise.
Management’s ownership and ability to administer the cybersecurity program along with the required tools, processes and policies should be both enabled and confirmed by the Board. Does Management have the knowledge and resources to run an effective cybersecurity program? Is cybersecurity perceived and run as a corporate-wide and multi-disciplinary risk management program?
Cybersecurity is not just a technology issue: it must involve leadership from all corporate disciplines (e.g., finance, legal, clinical, human resources, information technology) and encompass activities throughout the organization.
Cybersecurity requires considerable ongoing work, and there is no simple, one-time solution. While technology solutions play an important role, the biggest impact will come from educating employees to always practice good security hygiene. The following ten relatively straightforward security steps can provide significant protection:
- Maintain security policies and procedures, with mandatory ongoing user education and awareness training.
- Apply secure, baseline builds using only approved devices and software, and stay current on patches/releases.
- Use a multi-layered network with firewalls and segments/subnets to limit unauthorized or malicious content.
- Perform frequent system back-ups that are stored offline and offsite, and test system restorations and recovery plans.
- Regularly conduct risk assessments to validate that security and regulatory goals are being met.
- Monitor network and system logs, perform penetration tests, and address unusual or unauthorized activities.
- Restrict user access to what each person's work requires, and keep privileged accounts few in number, separate from everyday accounts, and limited in scope.
- Use two-factor authentication and encrypted, secure connections for remote and mobile devices.
- Develop and communicate a removable media policy (e.g., flash drives) that requires encryption and scans before uploads.
- Create an Incident Response Plan, do mock tests, and encourage employees to report both minor and major incidents.
A Board-driven and Management-led cybersecurity program will enable your organization to take the right steps to protect itself from data breaches or harmful events. Cybersecurity is about identifying, understanding and effectively managing risks, but even the best cybersecurity programs cannot eliminate all risks.
Board and Management discussions should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as legal implications and specific plans associated with each approach.