Effective teaching and training begins with setting clear goals. The “SMART” corporate training philosophy has guided many successful training programs. Each training objective should be Specific, Measurable, Achievable, Relevant and Time-oriented. Establishing a clear training plan is as important for hospital board members as it is for employees.
For board members generally, there are a number of core principles that inform a clear understanding of the cybersecurity threat posed to their companies and the best means to address them. In January 2017, the National Association of Corporate Directors (NACD) published its updated edition of the “Director’s Handbook on Cyber-Risk Oversight.” The publication lists five principles to consider in preparing a cybersecurity training program for board members:
- Cybersecurity is an enterprise-wide risk management issue, not just an IT issue – Too often, even bulking up cybersecurity expertise in an IT department can have the unintended consequence of creating a sense of complacency because there is now an expert in place piloting the cyber risk ship.
- Understand the legal implications of cybersecurity risks as they relate to a company’s specific circumstances – As Amy Aixi Zhang notes, “to convince board members and CEOs to act, they must first be convinced of the acute consequences of failing to implement proper cybersecurity measures” in their industry.
- Training should be ongoing, with adequate access to cybersecurity expertise and regular and sufficient time on board meeting agendas – In many cases, placing a cybersecurity expert on the board is the best approach.
- Be clear to your board that members should expect that management will establish an enterprise-wide risk management framework with adequate staffing and budget.
- Focus training on the identification of which risks to avoid, which to accept and which to mitigate or transfer through insurance – This will entail clear understanding of the company’s cyber risk appetite and the process for action during and after an incident.
Training to Meet the Hospital Cybersecurity Risk
It is fair to say that U.S. healthcare has and will continue to face “unprecedented complexity and change.” The BDO Center for Healthcare Excellence & Innovation has developed a presentation that addresses the underlying principles above and specifically focuses on the unique aspects of cybersecurity risk in the healthcare environment. It is informative for anyone engaged in cybersecurity training in this area. The American Hospital Association also prepared a Fact Sheet in July 2017 listing key measures recommended for combating cybersecurity risk in hospitals. These serve as good resources as well.
What then should be included in a training program for hospital board members? Here is an outline of key training components and some resources for further development. This is not a comprehensive list, and each hospital or healthcare provider will want to tailor its training program to address the specific aspects of its operation.
- Understanding the magnitude of the risk
U.S. companies and government agencies suffered a record 1,093 data breaches in 2016. On May 12, 2017, the New York Daily News reported that a ransomware hack had struck up to 100 countries, crippling the British healthcare system, among other damage. A startling 93 major cyber-attacks hit healthcare organizations in 2016, up from 57 in 2015. This was reflected in a 63% increase in attacks on the healthcare industry for the period from January 1, 2016 to December 12, 2016. In addition to ransomware attacks, medical equipment itself provides an increasing opening to a hospital system. From there, hackers move about freely to all areas, including medical records. “Sophisticated attackers are now responsible for 31% of all major HIPAA data breaches reported in 2016, a 300% increase over the past three years,” according to a report by TrapX Security.
- Company practices and processes for addressing cybersecurity risk
The board should be trained on the details of the company’s preventative measures to mitigate cybersecurity risks and its responses to attacks. Such measures include password, logoff and encryption protections and regular audits to assure compliance with the hospital’s own procedures. The Department of Health and Human Services has compiled a useful list of the “Top 10 Tips for Cybersecurity in Health Care.” The board should also fully understand the legal requirements relating to the prevention of cyber-attacks through medical devices and be trained in effective means to oversee the company policy in that regard.
- Board accountability for incident response
Training should provide an understanding of the company’s procedures for a cybersecurity investigation and incident response once a cyber-attack is discovered, so that board members have sufficient knowledge to assess their effectiveness. The board should also understand the National Institute of Standards and Technology’s (NIST) January 2017 draft update to the Framework for Improving Critical Infrastructure Cybersecurity — also known as the Cybersecurity Framework. The draft update provides details on the management of cyber supply chain risks. The training should enhance the board’s ability to test, evaluate and modify, as appropriate, the hospital’s incident response and data breach plans in order to ensure that the plans remain current in the complex and changing healthcare cyber threat environment.
- Engaging regional or national information-sharing organizations
The training should assist board members in developing a plan to continually and regularly learn more about the cybersecurity risks faced by hospitals. While this may involve expanding internal expertise, including potentially adding a cybersecurity expert to the board, it should also focus upon ways the board can identify, build relationships and exchange information with other similarly situated healthcare providers and regional and national clearinghouses.
- Reviewing the hospital’s insurance coverage to determine whether the current coverage is adequate and appropriate given cybersecurity risks
Board members should understand that cybersecurity risk is not a “novel issue.” While the risk of cyber attacks is certainly different from more traditional strategic, financial, operational, hazard and reputational risk, it is important to help inform the board of the need to make cybersecurity risk an integral part of the hospital’s existing governance, risk management and business continuity framework. Hospital board members should be trained to take an active role in the risk management decisions of the company and understand the intricacies of cyber risk insurance, which is also a rapidly evolving and, at times, confusing product.