The threat from ransomware and other IT security challenges is expected to increase as hospitals acquire and hold ever-larger quantities of valuable patient electronic health records. The nature of the IT security threat changes so rapidly that ongoing education of hospital leaders is critical.
Hospitals have looked for effective ways to keep their leaders engaged on an issue that is not directly focused on the central organizational mission of providing patient care. The support of executives and hospital boards has proven critical to boosting both security resources and rank-and-file compliance with security adjustments in the wake of the malware attacks, according to hospital security leaders. The practical impact of leadership support includes faster acceptance by staff of the changes that some security technologies inject into an organization.
“CIOs [chief information officers] and CISOs [chief information security officers] need to be spending time with their boards to make sure they understand the risks and responsibilities and the oversight that’s needed at the board level with something like this,” one expert said.
Organizational support allows the CIO to enlist the help of departments such as education, communication and marketing in sharing knowledge and spreading information. Education plays a key role in preventing individual employee actions from devastating an entire organization. Information about how malware could affect other departments would alert other departmental leaders about the danger and also encourage them to look for vulnerabilities and find solutions.
Some organizations have implemented changes to their structure and to the interactions among key leaders to better respond to evolving information security threats. Examples include establishing a board subcommittee to review security issues and another subcommittee on overall compliance and risk, through which the CIO communicates with the board. Meetings can occur a few times each year or more if needed.
Among the unanswered questions regarding structural responses to the growing health IT security threat is how a hospital should organize its IT leadership. Slightly more than 50 percent of hospitals have a full-time CISO while others assign the security executive’s role to another officer, such as a CIO or chief technical officer. And for those hospitals that have a full-time CISO, about half have him/her report to the CIO; others have the CISO and CIO as peers, both reporting directly to the CEO or the board.
One expert noted, “A CISO with an equal voice may lend a hand to being able to more quickly report what is happening with cyber security instead of having another layer in the chain.”
Additionally, higher-ranked CISOs can have more autonomy in hiring and technical asset allocations and greater ability to deviate from the typical three-year lifecycle of technology assets if a cyber threat changes.
However, having the CISO report to the CIO also has advantages. For example, if the CISO retains independence and the CIO supports both the role and the information security program, the arrangement can produce positive outcomes.
Cost Effective Investments to Prevent Cyber Attacks
Examples of steps taken by hospitals to strengthen their ability to prevent or limit cyber attacks include:
- A “silver bullet” software package that can provide 80 to 90 percent of the help an organization needs to prevent malware attacks. It focuses on individual computer users to prevent them from unknowingly opening malware attachments in an email—the most common way in which such attacks are initiated. Malware also can enter through ads that are clicked or even just viewed while browsing the Internet.
- A separate communication challenge for healthcare IT security leaders to learn from hospitals that have been attacked.
- Spending a full day with IT security leaders of other health systems or vendors to discuss differences in their responses, the latest vulnerabilities and different ways to prevent attacks.
- Comparing the organization’s cyber security effort to those of other hospitals in the region on practices such as the number of staff on security teams, the number responding to incidents, and details of incident response plans.
The information above was excerpted from a leadership report, “Aligning Leadership in the Era of Ransomware,” from the Healthcare Financial Management Association, published July 28, 2016. For a copy of the full report, contact Carlin Lockee at firstname.lastname@example.org.
iProtean subscribers, the advanced Mission & Strategy course Beyond Payment Changes: Disruptors of Our Health System, featuring Marian Jennings, Dan Grauman and Jim Rice, is in your library. Our experts discuss the disruptor/payment change link, changes driving disruption and preparing for demand destruction.
Coming soon, Governance in an Era of Population Health, featuring Jim Rice, Karma Bass and Marian Jennings.