How Is Corporate Governance Evolving to Manage Cybersecurity in the Healthcare/Hospital Industry?

Nicholas J Price

Every industry needs to step up its game to protect its shareholders, employees and consumers against cyber threats. Because of the sensitive and valuable information that hospitals and the healthcare industries have, they are prime targets for hackers and phishers. Compared with other types of industries, most healthcare providers are slightly ahead of the pack in setting up cybersecurity systems and programs to protect against a cyber breach that could affect thousands. However, their efforts are often not enough when you consider that the information now needs to be shared electronically with others in a highly secure way.

As cyberattacks continue to make national headlines, it's clear that technology in general continues to outpace cybersecurity technology, a trend that needs to be reversed.

Cyber breaches are a huge threat to the hospital and healthcare industry. As part of their duties, board directors are responsible for overseeing cybersecurity departments to make sure they are sufficiently robust to ward away threats and scams. With no formal regulations about cybersecurity to date, the healthcare industry is fighting to stay ahead of the hackers to avoid major breaches of private information.

What Can We Learn From Past Breaches in the Healthcare Industry?

Once hackers tap into a hospital or healthcare agency's system, they are able to access all kinds of personal and private information. As an example, here are some of the healthcare providers that recently encountered cyberattacks that affected their patients:

  • Partners HealthCare System, MA: 3,300 patients victimized by a phishing scam
  • Ascension Health Facilities, TX: two phishing attacks potentially affecting 39,000 patients
  • Franciscan Health System, WA: phishing scam potentially affecting 12,000 patients

Some of these phishing scams directed patients to a third-party website that appeared to be a legitimate healthcare site. The sites were administered by hackers, who were able to easily download patients' names, addresses, Social Security numbers and medical information.

These incidents could be the tipping point for cyber breaches on a grander scale in the future.

Board Directors Need to Understand the Strategic Overview of Cyber Threats

Because of the high risk of cyber threats, board directors in the healthcare industry need to work closely with their IT departments to understand exactly how they approach cyber-protection, including their overall philosophy about cybersecurity. This should also include the use of a board portal to not only secure the information being passed between directors, but to also have a streamlined process to monitor cybersecurity procedures.

The risks inherent in today's corporate world demand that board directors in healthcare acknowledge that it's impossible for their IT departments to stop cyber breaches completely. Instead, they have to focus on finding and containing threats before they cause damage. Using tools like behavior analytics, two-factor authentication and encryption, expert IT departments can create many roadblocks and obstacles that slow down potential threats so that they have time to identify and stop suspicious activity.

Creating a Wider Scope of Cyber Consciousness

The Institute for Critical Infrastructure Technology (ICIT) is a non-profit, non-partisan cybersecurity think tank in Washington, D.C., that promotes the message that public and private sector leaders need to be educated about the risks posed by advanced persistent threats, cybercriminals and cyberterrorists.

The non-profit is committed to closing the awareness gap by educating legislators, federal agencies, infrastructure stakeholders and the public at large about cyberattacks. ICIT is taking the lead with cutting-edge research on cybersecurity trends.

ICIT supports the idea of creating awareness and offering education for businesses, children, families, consumers and employees about cybersecurity issues without creating unnecessary fear.

Training Hospital and Healthcare Employees About Cybersecurity

In many industries, including healthcare, IT experts have not yet figured out how to train employees to effectively and efficiently ward off cyber threats. Corporate managers need to impress upon their employees that IT departments can't do their work alone.

Responsible cybersecurity starts at the top and extends across the financial, legal and human resources departments. These departments need to work together to develop a cybersecurity response plan and find a way to keep it visible and alive within the corporation.

The corporations that are the most advanced in cybersecurity train their employees two to four times a year so that they are more apt to retain the information. Simple cues such as misspelled words in website addresses, or links whose actual destination (shown when hovering) differs from the displayed text, are things that companies can train their employees to watch for. Employees also need to know what types of information hospital and healthcare providers need to protect (e.g., Social Security numbers, financial information, medical records and other healthcare information).

Corporations with cutting-edge IT cybersecurity departments periodically stage internal faux phishing attacks to practice how they will manage a real phishing threat. These types of corporate-sponsored dry runs help employees practice their responses and may help companies identify employees who need more training.

Tips for Board Oversight of Cybersecurity

Corporate governance is evolving by taking general and specific views of cybersecurity risks and measures with the goal of improving overall security. Corporate boards are learning about the pitfalls and risks that could lead to wide-scale cyber breaches.

Boards need a solid understanding of how their IT departments classify and secure sensitive data. In addition, they need assurance that these departments have built security into every step and juncture in the system that they can.

Boards need to be aware that the rise of one-size-fits-all anti-malware services is not enough to protect patients in the healthcare industry. Cybersecurity needs to be highly customized, and these generic services are typically filled with security holes.

Other concerns that boards and IT departments need to discuss relate to increased threats because of mobile connections, increased mobility within the workforce and other equipment that is connected to the Internet.

Even the most robust cybersecurity measures can encounter problems because of the lack of security by other individuals and organizations that the healthcare industry needs to share information with electronically. For example, imagine the security risk for information that is transferred from a physician with an antiquated paper filing system and a lackluster cybersecurity system to a hospital or other healthcare provider with a much more sophisticated cybersecurity system.

Joining forces with other healthcare entities to combat cyber threats, for example through the Healthcare Information Technology Standards Panel (HITSP) or an Information Sharing and Analysis Center (ISAC), is a good step for all healthcare providers to take to better protect their patients' information and to help board directors maintain proper oversight of their IT departments.

The Evolution of Cybersecurity Across Other Industries

Non-healthcare industries can certainly follow the healthcare industry's lead on enhancing cybersecurity, but they should do so with the understanding that cybersecurity in the hospital and healthcare industries is still evolving. As healthcare organizations become increasingly interconnected, they are exposed to the less-secure systems of those with whom they share information. We hope that technology will one day provide solutions that prevent phishing attacks from exploiting the gaps created by this interconnectivity.

Nicholas J. Price
Nicholas J. Price is a former Manager at Diligent. He has worked extensively in the governance space, particularly on the key governance technologies that can support leadership with the visibility, data and operating capabilities for more effective decision-making.