The threat of confidential information being stolen and used for criminal purposes is an issue that’s hit boards of directors faster and harder than other issues in the past. Cybersecurity is also an area that tends to be largely foreign to board directors, where the focus has long been on financial and business expertise. As cybersecurity threats invade corporations, trustees in the health care industry need to cover the vast scope of security issues that they know little about.
A 2016 data breach survey conducted by IBM showed that about 80% of organizations reported being victims of cybersecurity threats. Another 50% of organizations fell victim to ransomware attacks. Cyber breaches are a costly venture with the potential to bankrupt organizations financially or reputationally. In the health care sector, the effects of breaches extend to the private sector. Most patients don’t even know that their information was stolen during a breach.
Board trustees in the health care industry need to stay on top of the latest information in cybersecurity. The American Hospital Association is working diligently to develop high-level resources to help hospital trustees work on cybersecurity issues that affect their hospitals.
Just as importantly, trustees need to develop solid plans to respond responsibly to a cybersecurity breach.
The Health Care Industry Faces a Broad Scope of Vulnerabilities
Hospital trustees need to take a multifaceted approach to cybersecurity. They need to know the reasons that criminals try to hack into their systems and what types of information they’re looking for. They also need to have a strong understanding of how their systems and information connect with other systems that compromise security. Hospital trustees also need to be aware of how mergers and acquisitions create potential new risks and vulnerabilities.
BDO, a consultancy firm, suggests that hospital trustees need to address many more areas of risk than they’ve been trained to look for. BDO identifies the following areas for board trustees to focus on:
- Awareness & Training
- Spam Filters
- E-mail Detection
- Anti-virus & Malware
- Access Controls
- Macro Scripts Software
- Restriction Policies
- App Whitelisting
- Categorize Data
- Policies & Procedures
- Security Operations Center
- Incident Response
- Application/System Inventory
- Cyber Insurance
- Business Continuity Planning
Obviously, it will take continual training to address all of these areas.
Basic Cybersecurity Systems Need Development
Just as hackers are increasing the breadth of their knowledge on how to invade electronic networks layer by layer, so cybersecurity experts are working just as hard to figure out how to counter their attacks.
Hospitals largely have basic cybersecurity systems in place. Simultaneously, IT teams are working hard to build even stronger capacity for security. Board trustees are aware that hospitals are already using passcodes and encryption for the most obvious processes. However, they may not be aware of additional measures their IT teams could be taking, such as automatic removal of information and increasing mobile encryption.
Digital health care is evolving in ways that create interconnectivity between patients, primary care doctors, specialists and other care providers. Are hospital trustees aware of the many places that their patients’ information is being sent and the new vulnerabilities the connections create? In most cases, the answer is “no.”
Hospital Trustees Need to Be Aware of Who Is Attacking and Why
Many hospital trustees are surprised to learn that hackers don’t always come from outside the organization. In fact, with the thousands of people their organizations employ, about 68% of hackers are working internally to steal information, according to the 2017 Data Breach Investigations Report by Verizon.
Hospital trustees need to be aware of the motives behind cybercriminal activity. Some of them are politically motivated, where criminals are looking for sensitive state secrets with the goal of crippling our nation’s infrastructure and weakening our military security. Others are individuals, partners and small groups looking to extort companies for financial gain. Hospital trustees need to be especially aware of insiders with their eyes on stealing information just to prove that they can.
Areas of Fraud Where Hospital Trustees Need Awareness and Training
Hospitals provide many good reasons for hackers to target their systems. It’s a place where they can get credit card information, confidential health information, personal information, business information and intellectual property all under one roof. All of this information could be combined and sold to be used by other criminals.
Hospital trustees need training in several areas of fraud, including:
- Medical device fraud
- Prescription fraud
- Identity theft
- Tax fraud
In addition to potential areas for fraud that are known, hospital trustees need to predict new areas of fraud that could open up.
Hospital Trustees Will Face Many Challenges in Cybersecurity
Technology has brought great improvements in healthcare. Unfortunately, as a society, we’ve largely overlooked the risks that come with it. Hospital trustees have many challenges ahead of them as they work to understand medical equipment interconnectivity, electronic data storage and vulnerabilities. Trustees will also need training on evolving medical practices like the growing field of telemedicine.
Training on understanding network systems is vital for hospital trustees. They need to better understand how open networks and multiple wireless networks work and interconnect. They also need to be able to address issues like independent contractors who bring their own medical equipment into hospitals and how that exposes risks to hospital-owned equipment and other networks that connect to these devices.
Additionally, training for hospital trustees needs to extend to the repair technicians who often need access to networks to repair owned and non-owned equipment and how that may increase cyber risk.
Training on Impact of Costs for Defense and Response
The main fiduciary duties of hospital trustees are financial planning, strategic planning and oversight. Hospital trustees need continual training to understand the financial risks that breaches can cause. Cybersecurity breaches can cost hospitals and health care providers millions, or even billions, of dollars.
The criminals are not the only ones profiting from issues related to cybersecurity. The hottest markets today are the cyber-defense, cyber-forensics and cyber-insurance industries. eWeek suggests that these industries will top $100 billion in revenues by the year 2020.
Hospital trustees will need to make innovative changes to be effective. Enhancing cybersecurity will mean that some hospitals will need to increase their budgets to upgrade computer systems and invest more money in security measures. An innovative approach that has many hospital trustees wondering about it is the possibility of aligning all providers in an integrated network. That would be a huge undertaking, but it would increase the likelihood that systems across the board would be safer.