As healthcare cybersecurity continues to evolve and become more intricate, hospital boards should ensure that they have a comprehensive understanding of the necessary data breach prevention measures.
One of the important things that hospital boards need to understand is what exactly their role is when it comes to cybersecurity, according to Kurt Salmon Director of Technology Services Gerard Nussbaum.
“Each of the members of the board of directors has a fiduciary duty to work in the best interests of the organization,” Nussbaum explained. “Board members are there to assure that there is an appropriate system of controls with respect to cybersecurity and that system of controls is working appropriately.”
These duties derive, in part, from the Caremark Doctrine, he added, which stems from a case that clarified the role of a board of directors. For example, the board needs to obtain assurance that the systems of controls are in place and that they are functioning properly.
In order to do that, boards need to make sure they’re educated broadly on the needs of cybersecurity.
“They need to make sure that they are given appropriate information to keep current on the new types of threat,” Nussbaum maintained. “That they have a regular and consistent update on the organization's cybersecurity infrastructure, and that they understand and can integrate cybersecurity risks, as well as the appropriate mitigating actions, in with the broader organization's enterprise risk management structure.”
Nussbaum added that it is not the board of directors’ role to run cybersecurity. There are several schools of thought about whether a board should have members who are cybersecurity experts or if they just need “an appropriate understanding” of what is going on.
“Cybersecurity, in this respect, even though it seems to be a new topic, is not that different from the board's need to assure that there are appropriate fiscal controls,” he said. “For example, a board has an audit committee. It works with the auditors, both the internal auditors and the external auditors, to ensure that there are control systems that assist in assuring that nobody is stealing money, committing fraud, etc.”
Whether a computer or cyber committee is needed will also depend on the individual board.
“Some boards are fortunate to have people who actually have a greater understanding of this; however, even if a board doesn't have people who are experts in the computer field or in the security field, it still should be able to discharge its duties.”
Finding the right balance between data security, efficiency
Another key thing for hospital boards is that they understand that it is not their job to balance the risks, Nussbaum cautioned. Instead, they need to ensure that management is appropriately documenting the risks and documenting the probability of those risks and presenting the board with management’s recommendations on how to balance risks with costs and operational efficiencies.
Moreover, a board must then identify if management has put in place the appropriate mitigating controls for those risks that cannot be avoided.
“It's a fine line between the board ensuring that management is doing its job and seeking to directly manage the issues,” he explained.
In healthcare specifically, Nussbaum admitted that recent surveys have shown that the industry is not moving quickly enough to involve its boards.
Healthcare is also not sufficiently educating the appropriate board committees to ensure they understand the cybersecurity risks and the necessary mitigating actions: the required security risk assessment, and how management is balancing the risks, and their likelihood or probability of occurrence, against the mitigation, he stated.
“Mitigation has costs, both in terms of investments you have to make and whether that money goes towards products or people.”
Having regular briefings with management is also essential, so the directors can be sufficiently educated on the key risks and mitigation actions being taken.
One area that healthcare boards may want to ask management about is the encryption of PHI, according to Nussbaum.
“The HIPAA Security Rule marks [data encryption] down as addressable versus required, but the real answer is, unless you can come up with a good reason why you're not encrypting that data, you should be encrypting it.”
It’s not about second-guessing management, but rather that board members can combine the knowledge they’re given in briefings to ask sufficient questions about the adequacy of the systems in place and the organization’s response to any deficiencies.
Understanding healthcare cyber liability insurance
By default, if an organization does not have cyber liability insurance, then it is deciding to self-insure, according to Nussbaum.
“Most healthcare organizations are not in a position to self-insure their key risks, and therefore, they should be seeking out cyber liability insurance coverage,” he said. “One that offers not only the fiscal shield, but also the services that many insurance companies in this business provide to help assess risks and provide support in the event of a breach or incident. Those services vary among insurance companies.”
Many hospitals are also not investing sufficient money into cybersecurity as a whole, he added.
Citing data from a recent HIMSS survey, Nussbaum explained that most healthcare organizations are spending less than 3 percent of their IT budget on cybersecurity, while financial services is spending over 16 percent.
“Clearly, healthcare has a lot of very valuable data,” he said. “A healthcare record usually contains name, address, Social Security number, and health plan I.D.s, enabling a criminal to run up fraudulent bills. Thus, you have a very valuable record; by the time an insurance company determines that a lot of these claims are fraudulent, these people have disappeared.”
What 2016 holds for healthcare cybersecurity
Healthcare data security issues will likely continue to encompass numerous areas, such as ransomware and third-party cybersecurity attacks, according to Nussbaum.
“If you look at the number of incidents and the causes of those incidents, I think that focusing on just the new hot things, sort of elides the fact that we got a lot of issues,” he explained.
For example, unencrypted devices are still being lost and stolen. However, ransomware will continue to be a top issue of concern.
“Healthcare is a soft target because of the underinvestment in cybersecurity. Additionally, healthcare must grapple with the challenges that many people in the organization have access to information,” Nussbaum stated. “Furthermore, connectedness introduces a lot more attack surfaces: places where someone can get in.”
Continuing on the issue of interoperability and connected devices, Nussbaum said that connectedness is a very important tool to help improve care. However, organizations need to be aware of the number of potential attack surfaces.
“If more people have access to the data, if the data is made accessible in more ways, that adds attack surfaces,” he maintained. “We have to balance those issues.”
Connected medical devices and the increased use of connected biomedical equipment are another important area that needs a strong healthcare data security focus.
“We're in the business of caring for people, so we need to make sure that the tools we use to enable us to care for people don't become something that [cyber attackers] can use against us,” he said. “We have to secure them.”
Healthcare boards will often think first about information technology assets, he added, and will ask CIOs about EHR and lab systems, for example.
“Part of what the board needs to be saying to the organization is, ‘Does our cybersecurity assessment include all devices within our organization? Do we understand who is in charge of ensuring their cybersecurity?’”