
It’s well reported how hospital boards struggle to oversee cybersecurity and confidently prepare their organizations for a potential cyber attack. A recent report from Diligent Institute revealed how boards feel challenged by the rapidly evolving cyber threat landscape.

Many hospital boards place cybersecurity at the top of their priority lists. In fact, recent research from Allianz Group found that business interruption and cybersecurity are now considered top corporate risks. Investing in IoT security solutions is crucial for healthcare delivery organizations (HDOs) to address these risks and protect their networks from evolving threats. The question, then, is why it is so difficult for senior leaders within HDOs to get their arms around cybersecurity.

The Board's Role in Managing Cybersecurity Risks

When thinking about why HDO boards have trouble understanding how to protect their organization against cyber threats, I immediately recall a board meeting I attended earlier in my career. The purpose was to present the recommendations of a Strategic Security Roadmap (SSR) exercise conducted for the healthcare organization.

Like many healthcare boards, the members were a mix of active physicians, the CEO, and the Executive team. During the meeting, we were given 10 minutes at the end to share our report and proposed structure for a revised Cybersecurity Management Program (CMP). After eight minutes of walking the board through recommendations of the SSR report, there were two minutes of questions. Unfortunately, the language the Director of Security used to answer was highly technical, and the board members were lost. At this point, it was clear to all involved how important it is for the Security team and the board to speak the same language.

As seen in this example, the board failed to give information security the serious attention it needed.

In addition, for this HDO, despite evolving over the years from anti-virus, patching, and firewall management into other domains such as the ISO 27002 framework, the organization’s CMP was never complete or taken very seriously by those at the top. The Security team constantly faced funding restrictions and a lack of staff resources. Directors of Security came and went with little change.

Reporting Cybersecurity to the Board

Far too often, cybersecurity is presented to HDO boards as a shopping list of shiny objects. Proposed solutions only loosely tie back to healthcare delivery objectives. There is little strategy for how to integrate cyber programs and tools, and there is a lack of understanding of the costs and resources required to ensure safe, reliable care delivery in a time of escalating cyber threats. Strengthening Healthcare IoT security is essential to addressing these gaps and protecting both patient data and medical devices.

To get buy-in and investment from the board, a formal CMP must be written in language that both sides can understand. A plan that addresses underlying healthcare delivery objectives, rather than focusing on the shiniest and newest security products and services, is critical to ensure progress in the crucial area of healthcare cyber defense.

Unfortunately, communication issues between security professionals and hospital boards are commonplace, hampering the improvement of cyber defense strategies to meet constantly changing healthcare cyber threats. The result is that a growing number of HDOs remain vulnerable to attack.

In fact, Diligent Institute’s report also found that half of the organizations they interviewed have no technical expertise on the board at all. This clearly demonstrates how important it is for security professionals to steer clear of jargon and to translate and communicate cybersecurity threats in terms of healthcare delivery risks and potential impacts.

Avoid using fear, uncertainty, and doubt (also known as "FUD") in board conversations, as this can quickly lead to a breakdown in trust. Instead, define the probable costs of inaction compared to the costs and benefits of action. Include objective conversations about regulatory compliance and protecting brand image, as well as the potential penalties and costs that accompany breaches.

Another challenge is the little time that is actually spent together by the board and cybersecurity teams. For example, a report by Harvard Business Review found that few directors and security leaders have any meaningful dialogue about cybersecurity priorities and strategies, with less than half of board members regularly interacting with their CISOs. Almost a third only see their CISOs at board presentations. To minimize risk and reinforce the online security of our healthcare settings and other critical national infrastructure, there must be a regular, direct line of communication between the board and the cybersecurity leadership team – and all must speak the same language.
