With hospital data breaches and ransomware attacks happening with alarming regularity, cybersecurity is a big area of concern for health systems. But it's not always the most straightforward topic to understand.
Becker's asked health system chief information security officers how they convince their boards and other leaders about the need for cybersecurity funding, even though it is such a complicated — and ever-changing — issue. Here are 10 executives who shared insights.
Note: Their responses have been lightly edited for clarity.
Amar Yousif. Vice President and CIO of UTHealth Houston: Hospital boards have evolved to include more sophisticated technology expertise in the last decade. Consequently, one should not focus myopically on "simple" but also on "relevant" when communicating complex cyber topics. They'll get it. Consider ransomware control, which the cybersecurity industry usually attempts to communicate in military terms: demilitarized zones, disrupting the kill chain, intrusion detection, and weaponized malware.
When presenting to a hospital board, I propose shifting from military terminology to a public health framework. Malware spreads and infects user populations in ways similar to how infectious diseases attack communities. Therefore, concepts and terms that describe a community's public health status — such as infection vector management, intervention, risky behavior, incidence, prevalence, etc. — should be used to allow for more relevant mental models to describe the problem and possible solutions.
Michael Kearns. CISO and Director of Infrastructure of Nebraska Methodist Health System (Omaha): I try to illustrate how the threat landscape has grown exponentially. More and more of our vendors are getting hacked, which in turn puts our protected health information at risk. I like to use the analogy that the hackers are not only banging on the front door to get in but are coming in via the loading dock door. When you go to the grocery store, imagine buying cereal that has roaches in it. The roaches didn't come in via the front door; they came in from something we purchased. Crude, but it gets my point across.
Robert Perry. CISO of Carilion Clinic (Roanoke, Va.): I believe CISOs should resist the temptation to use "FUD" — fear, uncertainty and doubt — to scare the board into cybersecurity funding. My approach is to describe the current cyber landscape in layperson's terms and assign risk ratings to key areas — risk in this case being the chance of a cyber incident occurring and the severity of the incident should it happen. I then describe current and proposed projects in terms of reducing those risks. I jokingly say my alternate title could be "chief risk officer." This approach allows the board to see how proposed funding will reduce cyber-risk to the organization.
I also find it useful to use a benchmark like a simplified version of the National Institute of Standards and Technology's Cybersecurity Framework to show our progress over the last year and goals for the following year. This way, leadership can see the progress being made in cybersecurity and see how investments are positively impacting our cyber posture. The cybersecurity landscape is constantly changing, but investing in cyber with a guiding principle of risk reduction avoids cybersecurity "whack-a-mole" where money is spent addressing transient threats that make headlines one week but go away a few weeks later.
Erik Decker. Assistant Vice President and CISO of Intermountain Healthcare (Salt Lake City):
- By keeping patients front of mind, CISOs can reiterate that cyber-safety is patient safety.
- Healthcare leadership knows that cyberattacks are paramount. CISOs are the experts and have an opportunity to raise this with their board in business terms.
- Frequent, regular communication about cybersecurity precautions and potential threats helps CISOs build relationships, trust and understanding of cybersecurity challenges with the board.
- CISOs can't promise an attack will never be successful, but if they can reference the amount of investment needed to achieve a reasonable level of safety and security, that is the best way to go about having the conversation.
Todd Bell. Executive Director of IT Security and CISO of Valleywise Health (Tempe, Ariz.): At Valleywise Health, we have a good understanding of the current cyber-risk impact for our healthcare operations. Having our CEO, Steve Purves, on the American Hospital Association board provides a front-row seat of how numerous healthcare organizations are being victimized by ransomware events. As CISO for Valleywise Health, I appreciate that our CIO, Kelly Summers, is a strong sponsor to educate and inform our C-suite and our elected board of directors. In my prior job roles, not every CIO was a strong advocate for cybersecurity, but having this partnership with my CIO helps broaden our cybersecurity program to be effective.
Being mission-critical to support our valuable patients is our top priority since a ransomware event is a very disruptive event that wreaks havoc for patient care. We do our best to keep our executive leadership informed about cyber events and how our cybersecurity program needs to evolve at the speed of the internet. The threat landscape changes every week, and being the CISO at Valleywise Health is forcing innovation and technology transformation to adapt to new adversary tactics and techniques. Operating a cybersecurity program is exhausting work, as we are always on high alert and are constantly adapting how we must protect the continuity of our hospital operations.
Patrick Voon. Executive Director of Information Systems Security and CISO of Loma Linda (Calif.) University Health:
- Remind them that we manage cyber-risks according to business impact, and we maintain a posture of defensibility when a breach occurs.
- Threats are real and we are a prime target — describe the current cyberthreat landscape in the healthcare industry by showing (graphically/visually) salient points from trusted independent sources. And show actual threats we see and block every day.
- How well or poorly are we doing? Risk management: Show the effectiveness of our current capabilities in combating the cyberthreats, or highlight our gaps that require additional investments in cybersecurity capabilities (people, process and technology) to reduce our cyber-risks to an acceptable level based on business impact. Defensibility: Show how we compare with like organizations in terms of our cybersecurity capability maturity, and seek support for improving areas where our maturity levels are behind others.
- Report on the progress and performance of our cybersecurity investments to show value while effectively mitigating cyber risks. Recommend investment adjustments (increase, decrease or redistribute) to the cybersecurity roadmap.
Jeffrey Vinson. Senior Vice President and Chief Cyber Officer of Harris Health System (Bellaire, Texas): You have to speak to the board in terms of how this cybersecurity initiative will help with patient safety and better patient outcomes. Once you do that, the support for cybersecurity funding can go much easier.
Jack Kufahl. CISO of Michigan Medicine (Ann Arbor): The language of information security is largely a specialized maze of jargon and idioms, which is a prohibitive barrier to those outside the domain to understand. If you are in the position of conveying a cyber-risk to a board or executive, it is critical to naturalize the language you use into a context they may better understand and provide real-life examples of the situations you are trying to prevent or behaviors you need to reinforce, so they have a better context for what may otherwise come across as noise to their ears. Being explicit about what the before-and-after expectations are also helps executives, so they can understand what dollars or decisions are required to effect that change.
Vikrant Arora. Vice President and CISO of Hospital for Special Surgery (New York City): We accomplish this through communication and alignment. We communicate aggregate cyber-risk to all leaders and the board in an easy-to-understand, consistent and periodic manner. Additionally, cyber investments are aligned with all dimensions of digital business enablement including care delivery, operational support and consumer engagement.
Anahi Santiago. CISO of ChristianaCare (Newark, Del.): As cybersecurity executives, CISOs are tasked with communicating highly technical and complex concepts in a way that can be understood by the business and clinicians. This same approach is taken with leaders and the board. Ultimately, it comes down to our ability to distill the conversation to organizational risk and effective risk-management practices that are aligned with organizational culture and risk appetite.