HHS: How hospital leadership can get past 'technobabble' to improve cybersecurity

Hospital and health system boards and executive steering committees are often briefed with  "technobabble," leaving cybersecurity in the hands of IT security teams, HHS said in a March 8 report.

The agency's cybersecurity framework outlines how leaders can get more involved in preventing ransomware and other cyberattacks.

The monetary hit is indisputable: Healthcare has the highest breach cost of any industry, at an estimated $408 per record, the report found, with records containing medical, insurance, personal and financial information being sold on the dark web for up to $1,000 each.

Here are some tips from the HHS report:

Healthcare organizations must ask themselves these five questions:

  • What assets need protection?
  • What safeguards are available?
  • What techniques can identify incidents?
  • What techniques can contain the impact?
  • What techniques can restore capabilities?

The top business reasons for implementing the framework are:

  • Breach risk reduction.
  • Improving patient safety.
  • Increased compliance.
  • Civil litigation penalties.
  • Decreasing medical liability rates.
  • Protecting customer base.
  • Avoiding fines and penalties.
  • Mergers-and-acquisitions considerations.
  • Impacting credit ratings.
  • Detailed documentation.
  • Reasonableness standard in court.

Five key issues to take up with boards include:

  • Approach cybersecurity as part of enterprise risk management.
  • Understand the legal implications of cybersecurity regarding unique organizational circumstances, including reporting and disclosure.
  • Engage cybersecurity expertise both internally and externally.
  • Directors need to set expectations that an enterprise cyber-risk management framework should be adopted and adequately staffed and budgeted.
  • Board member discussions should include identification of cyber-risks and which to accept, mitigate, transfer and avoid. 

The report's authors included Claude Council, PhD, senior manager of cybersecurity for Tampa, Fla.-based Shriners Children's; Mitchell Parker, chief information security officer of Indianapolis-based IU Health; Paul Curylo, acting CISO of Falls Church, Va.-based Inova Health System; Phil Meadows, information security officer of Charleston, W.Va.-based Vandalia Health, and Ron Yeager, vice president and CISO of Scottsdale, Ariz.-based HonorHealth.

Copyright © 2024 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.

 

Featured Whitepapers

Featured Webinars