Hospital and health system boards and executive steering committees are often briefed with "technobabble," leaving cybersecurity in the hands of IT security teams, HHS said in a March 8 report.
The agency's cybersecurity framework outlines how leaders can get more involved in preventing ransomware and other cyberattacks.
The monetary hit is indisputable: Healthcare has the highest breach cost of any industry, at an estimated $408 per record, the report found, with records containing medical, insurance, personal and financial information being sold on the dark web for up to $1,000 each.
Here are some tips from the HHS report:
Healthcare organizations must ask themselves these five questions:
- What assets need protection?
- What safeguards are available?
- What techniques can identify incidents?
- What techniques can contain the impact?
- What techniques can restore capabilities?
The top business reasons the report gives for implementing the framework are:
- Breach risk reduction.
- Improving patient safety.
- Increased compliance.
- Reducing exposure to civil litigation penalties.
- Decreasing medical liability rates.
- Protecting the customer base.
- Avoiding fines and penalties.
- Mergers-and-acquisitions considerations.
- Protecting credit ratings.
- Providing detailed documentation.
- Meeting the reasonableness standard in court.
Five key issues to take up with boards include:
- Approach cybersecurity as part of enterprise risk management.
- Understand the legal implications of cybersecurity regarding unique organizational circumstances, including reporting and disclosure.
- Engage cybersecurity expertise both internally and externally.
- Set the expectation that an enterprise cyber-risk management framework will be adopted and adequately staffed and budgeted.
- Identify cyber-risks in board discussions and decide which to accept, mitigate, transfer and avoid.
The report's authors included Claude Council, PhD, senior manager of cybersecurity for Tampa, Fla.-based Shriners Children's; Mitchell Parker, chief information security officer of Indianapolis-based IU Health; Paul Curylo, acting CISO of Falls Church, Va.-based Inova Health System; Phil Meadows, information security officer of Charleston, W.Va.-based Vandalia Health; and Ron Yeager, vice president and CISO of Scottsdale, Ariz.-based HonorHealth.