Healthcare board members must get on board with cybersecurity before it’s too late

An increase in ransomware attacks and recent industry studies keep pointing to how important it is for the healthcare industry to really be on board with cybersecurity.  The need arises from the fact that healthcare providers are one of the biggest targets of cyberattack due to the important data they hold.  A challenge to getting on track with a proactive security approach is the hospital boards’ grasp of the notion that cybersecurity really isn’t only an IT issue.

The lag with understanding that cybersecurity is an overall business issue lies behind numerous factors, starting with the fact that the board speaks a different language than IT.  Hospital board members can only value security if they’re able to relate to it from their perspective.  A breakdown of how to approach this can be helpful for a CIO who wants to try and involve the board or even for a board member who is trying to learn more about cybersecurity in a way they can understand and relate to it from a non-technical angle.

Before even beginning the breakdown though, something has to be said about security professionals within organizations occupying mid-level management positions and not getting a place at the table to inform the board of security risks.  Until this changes, none of what is advised below can help healthcare board members (or board members of any type of organization for that matter) gain a clear understanding and awareness of cybersecurity.

So, if you’re a board member reading this and you’re serious about cybersecurity, the first step you must take is to get your security professional in an upper-level management position with a seat at the boardroom table during meetings.  If you’re a CIO reading this, your job is a bit harder because you have to convince the board to make this change.  Just remember what board members hold valuable: organizational costs, reputation and growth.  Present to them how your position helps with these aspects and how essential it is for you to have access to them during meetings; and hopefully at some point they’ll make the change.

Once the above security obstacle has been resolved, organizations can continue to work on board member cybersecurity awareness in the following ways.

Consistent Reporting

• If you’re a CIO, you should ensure to consistently present security related information to your board.  Consistent updates on the infrastructure’s cybersecurity standing can help board members keep security in mind, but also potentially have questions on the subject matter.  In order to be effective, your reports can’t be too long, that is, if you want them to read them.  They should highlight what’s been done, what’s left to be done, and what’s holding you back from getting it done.

• If you’re a board member, you should ask for consistent updates on your infrastructure’s security measures.  It’s comforting to think that your security executive will keep you informed on potential threats or important cybersecurity updates, the hidden issue with this thought process is that your security executive might not think you want to know everything that is going on or that you may not read the report, or even understand it.

Cybersecurity Value

• When it comes to understanding the value of cybersecurity, the easiest way to put it in a non-IT format for an organization’s board members to understand is to either assign a dollar value to the security risk at hand (how much will it cost your organization to ignore the vulnerability) or to place an example of a company that faced a similar situation, where they were breached due to not taking action.

• Presenting costs or business consequences (with an actual case study, so to speak) should be enough to initiate some form of reaction from the board.  The reaction will lead to the board approaching their lead security officer on the topic with questions on how improvements can be made to repair existing infrastructure vulnerabilities.  CIOs should be prepared to have solutions in mind and to openly discuss concerns with a potential lack in resources or experienced staff (if that is the case).

Security and Business Strategy

• The complex beast that involves running a business: staying ahead of the market, knowing what is trending or not trending, innovative ideas to improve organizational workflow are the same as what is involved in running an effective security program: staying ahead of threats, knowing what attacks are prevalent or passing, continuously monitoring for threats and vulnerabilities in different ways to attempt improving the existing security measures.

The only way healthcare board members can become invested in cybersecurity is if they are able to relate to it in a way that makes sense to them.  If you’re a CIO who is having a hard time doing that, just remember that you need to show them the monetary value or the catastrophic consequences that arise from not doing security right.  If you’re a board member who is finally realizing you need to understand cybersecurity for the benefit of your organization, give us a call or have a chat with your chief security officer and then give us a call.

Cybersecurity is no longer an option for healthcare providers or any business entity.  It’s only a matter of time until you get hit by breach or realize the importance of getting ahead of your risks to avoid disruption that will bring you to action.  As a leader in cybersecurity, we’re hopeful it’s the latter and not the former.

Photo Courtesy of U.S. Department of Agriculture