Cybersecurity in Healthcare: Everything Boards Need to Know
It seems that with every day that goes by we’re hearing more and more about issues in the media related to cybersecurity—particularly cybersecurity issues in healthcare. Unfortunately, much of the information is so highly technical that it’s difficult for board members to make reasonable sense of it, let alone make informed decisions about how to apply that information to their organization in a meaningful way.
Addressing cybersecurity in healthcare isn’t an easy task. The average hospital has from 45 to 65 different security vendors in its security toolbox. These systems are often siloed, making it extremely easy for healthcare boards to overlook cybersecurity risks.
Let’s break it all down into layman’s terms so that your board understands what cybersecurity risks are, what systems you need to protect, and how technology can help you get the job done right.
Why Cybersecurity Should Be on Your Healthcare Board’s Agenda
Before we get down to the nitty-gritty of cybersecurity, let’s get into why cybersecurity should be a major topic for board discussions.
According to HIMSS (Healthcare Information Management Systems Society, Inc.), your healthcare organization should be looking at protecting electronic information in the following three areas:
- Confidentiality of information
- Integrity of information
- Availability of information
It’s your board’s responsibility to protect information from unauthorized access, use, and disclosure. These three areas of data protection are known as the CIA triad.
As a healthcare organization, you need to collect lots of sensitive information to address your patients’ needs. Every day, you’re storing and transferring personally identifiable information including your patients’ medical information and employee records. You have to think of it in the same way that you’d protect your own driver’s license number, address, and social security number.
As you aim to better understand cybersecurity, your healthcare board needs to be aware that the right cybersecurity measures protect a variety of people, including:
- C-suite members
- Vendors and market suppliers
Healthcare boards also need to be aware of liabilities for themselves and the full board related to cybersecurity issues. There are some fairly new cybersecurity laws healthcare boards should be aware of, and there’s the potential for new laws to be passed in the relatively near future.
Breaking Down the Definition of Cybersecurity for Healthcare
Cybersecurity is a term that gets tossed around quite a bit but what does it really mean?
Essentially, cybersecurity in healthcare refers to a collection of security measures that your healthcare organization puts in place to protect systems, networks, and other programs that could be subject to digital attacks by nefarious groups or individuals.
Why would someone want to do such a thing? The reality is that cybercriminals have a variety of reasons for breaking into your digital networks.
The main motivations behind cybercrime are:
- Financial gain
- Making a social or political point
Generally, they attempt to access, change, or destroy sensitive information or interrupt normal business processes to get a payoff.
The nuances in the industry make it particularly difficult for healthcare organizations to protect systems and information. Here are three reasons why:
- Healthcare organizations collect enormous amounts of sensitive data.
- There are more devices than people.
- Cybercriminals are becoming more innovative and sophisticated.
With this information in mind, let’s take a deeper dive into the types of threats your healthcare board needs to learn more about.
- Phishing. This is the most common type of cyberattack. Phishing occurs when a cybercriminal sends out fraudulent emails that look like they came from a reputable source. The criminals hope to steal sensitive data like credit card numbers, social security numbers, and login information.
- Ransomware. With this type of security breach, hackers infect your system with malicious software. Their goal is to block access to files or shut down your computer system until you pay a ransom. Sometimes they’ll restore your system once the ransom money has been paid, but ransomware tactics are risky business and there’s no guarantee that you’ll be back up and running even if you pay large amounts of money.
- Malware. This tactic is somewhat similar to ransomware. Malware is a type of software that hackers use to gain unauthorized access to computers or to damage them.
- Social engineering. You could think of social engineering as a way for cybercriminals to trick users into revealing sensitive information. With a social engineering tactic, a criminal usually either requests money or access to confidential data. It’s not uncommon for criminals to combine social engineering tactics with the three other threats listed here to entice users to click on links, download malware, or trust sources that are malicious.
Overseeing Healthcare Cybersecurity Measures
With so much involved in cybersecurity, where does your board even begin to protect your healthcare systems and information? The simple answer may be for your healthcare board to hire a CISO (Chief Information Security Officer) to keep your board informed about cybersecurity risks and protections.
Your CISO should focus on protecting the following three entities:
- Endpoint devices like computers, smart devices, and routers
- Your computer networks
- The cloud
HIMSS recommends taking an inventory of all the systems within your organization that need protection starting with the following:
- EHR systems
- E-prescribing systems
- Practice management support systems
- Clinical decision support systems
- Radiology information systems
- Computerized physician order entry systems
Your healthcare board should also be concerned with anything that falls under the auspices of the Internet of Things (IoT). Think about things like the following:
- Smart elevators
- Smart heating
- HVAC systems
- Infusion pumps
- Remote patient monitoring devices
A highly qualified CISO will also know the rules for HIPAA, GDPR (in the European Union), Section 5 of the Federal Trade Commission Act, and any other laws your board should be familiar with.
We’ve covered quite a bit here, and we’d be remiss if we didn’t talk about cybersecurity measures that protect your board’s work. A BoardEffect board management system is an all-in-one platform that contains all the tools your healthcare board needs to conduct board meetings and share files and messages at any time. BoardEffect’s portal offers built-in state-of-the-art security so there’s no concern over cybercriminals hacking into your board business. It’s a highly effective tool for managing all your board activities and processes, and it’s an easy thing to take off your plate so you can focus on the overall security of your healthcare organization.