A cybersecurity summer reading list for hospital boards
June 8, 2015 in Medical Technology
Three years ago, most healthcare boards of directors knew more about online video games than online security. Now they’re paying very close attention to cybersecurity, especially the boards of for-profit health systems.
What used to be viewed as an operational issue is now a trustee responsibility because of the likelihood of lawsuits following a data breach. Boards across the U.S. want to avoid the headaches recently experienced by Target and Wyndham in the wake of well-publicized breaches.
There were four shareholder derivative lawsuits filed against 13 of Target’s directors and officers following its big breach in November 2013. They’re being sued for breach of fiduciary duty and waste of corporate assets, among other things. These cases have been consolidated and are still pending.
Wyndham dodged a bullet last year when a similar shareholder derivative suit was dismissed, but that decision has been appealed.
Fortunately, there’s an excellent resource from the Institute of Internal Auditors Research Foundation titled “Cybersecurity: What The Board of Directors Needs To Ask.” There are six questions they feel are particularly important:
- Does our organization use a security framework?
- What are our top 5 risks (ranging from the proliferation of BYOD and smart devices to the outsourcing of critical business processes to third parties)
- How are we educating our employees about their roles related to cybersecurity?
- Are both external and internal threats considered when planning/monitoring our cybersecurity program?
- How is security governance managed within our organization?
- In the event of a serious breach, has management developed a robust response protocol?
While it’s likely that we’ll see more CIOs and CISOs serving on healthcare boards in the future, the IIA report encourages all board members to get actively involved in cybersecurity initiatives. The report’s concluding words are, “Cybersecurity is no longer an agenda item for IT; it is an agenda item for the board as well.”
Another great resource for hospital boards is the American Hospital Association’s “Cybersecurity and Hospitals: What Hospital Trustees Need To Know About Cybersecurity Risk and Response.”
If trustees would simply read and use these two reports, healthcare organizations across America would be on the proactive path to protecting the security and privacy of their information assets. Do you trust your trustees to take the necessary action?