Cyber Vitals: Keeping Cybersecurity on the Board Agenda

Contributor: Vidya Murthy, WEMBA’42 


You are likely well aware that cyber risk grows directly with an organization's digital footprint. Even setting aside the rapid digitalization that healthcare has undergone during the pandemic, cyber risk must be sufficiently understood and discussed as you kick off board meetings in 2021.

With every other day bringing news of a new breach, and the U.S. Department of Health and Human Services (HHS) Office for Civil Rights “Wall of Shame” tallying more than 46 million records, quantifying cyber risk can be daunting.

Time to identify and contain a breach averaged 329 days in healthcare, 49 days longer than the cross-industry average, per IBM’s annual data breach report for 2020. The report further outlines that the average cost of responding to a breach is $3.86 million, while healthcare, for the tenth year in a row, was the industry with the highest average cost, at $7.13 million. This is a 10.5% increase over the year prior, while 13 of the 17 industries assessed saw their average total cost decline.

With statistics like these, it’s hard to imagine a board meeting discussing anything BUT cybersecurity-related risk. But we all know that’s not the case.

To help achieve continuous board oversight, here are a few ideas for keeping cybersecurity on the agenda regularly:

  1. Avoid the weeds.
    The messaging from the technology team should discuss trends, how these impact business units/efforts, what can be done to mitigate these challenges, and how that translates into resource requirements.
    For example, macro-trends from the Internet of Things (IoT) have revolutionized the connectivity of medical devices, from RFID-connected instruments to software as a medical device.
    This means connected devices (whether as a manufacturer or healthcare delivery organization) now pose a landscape of potential vulnerabilities. How is the organization maturing in managing the related cyber risks?
  2. Know the universe of risks.
    Cyber risks span a multitude of functions and operations. Most often, however, we hear that “the people” are the weakest link. Perhaps this is because people introduce the most variability. The reality is that all three facets (people, process, and technology) must be sufficiently assessed to know where potential weaknesses lie, how they can be mitigated, and what the business impact of a potential exploit would be.
    When thinking through enterprise risk management, are cyber risks sufficiently addressed? Third-party vendors, geographic restrictions, contractors, product development practices: the list keeps going. In today’s connected environment, it would almost be the exception for a facet of operations to have no cyber risk associated with it.
  3. Security never stops.
    The last 9 months have reinforced that fatigue is a real thing, so it’s understandable why cybersecurity may be infrequently discussed by the board. However, risk is constantly changing, and therefore the intake process to define, identify, and remediate risk must be robust enough to capture and account for the evolving landscape.  
  4. Cybersecurity is patient safety.
    Healthcare cybersecurity has evolved from a privacy concern into a patient safety concern. September 2020 saw the first death attributed to a cybersecurity incident.

While we’ve all known that the risks in healthcare are different from those in the broader IoT, the loss of life is not a milestone anyone wanted to see. The threat to patient safety is no longer theoretical, and it highlights the importance of addressing fundamental problems.

An assessment of the list of known vulnerabilities in medical devices found that 73.5% were driven by user authentication issues and code defects. While historically it may have been sufficient to say that a vulnerability hasn’t been exploited, that is no longer acceptable. We cannot be complacent when there are lives at stake.

Healthcare is a complicated technology landscape, and the need to keep devices operating for patients never diminishes. There are no ‘off’ days in care, let alone in the middle of a pandemic. But the status quo for addressing vulnerabilities demonstrates the need to fundamentally re-imagine what managed cyber risk looks like.

Moving up the supply chain and beginning with devices that have been secured from the point of development is a great first step. Hospitals that weigh cybersecurity risk equally with clinical care needs in their procurement decisions understand both the power of designing security into a device and the risk that connectivity introduces to a healthcare organization.

The conversations with boards will likely be hard and uncomfortable. But if 2020 has taught us anything, it’s that we need to normalize changing our opinions and reprioritizing the complicated matter of managing cyber risk.


Contact Vidya at: vidya@medcrypt.com