Facebook’s $5-billion settlement with the Federal Trade Commission (FTC) over the Cambridge Analytica privacy scandal and other breaches amounts to the most costly fine in FTC history, but it drew criticism from some in Congress who felt it added up to a slap on the wrist. That’s because Facebook executives, including Mark Zuckerberg, were not found criminally liable. However, Ty Greenhalgh, HCISPP, managing principal and founder of the cybersecurity firm Cyber Tygr, sees a silver lining in the settlement that could help set an example for cybersecurity initiatives in healthcare.
Under Facebook’s settlement with the FTC, Facebook’s board is required to form an independent privacy oversight committee. That committee will be responsible for appointing outside officials who must periodically certify whether Facebook is taking adequate steps to protect user privacy. According to Greenhalgh, this requirement “finally puts privacy in the boardroom” and makes a company’s C-suite accountable for cybersecurity failures if and when they happen.
“There’s a big push for executives being held liable criminally and civilly for working in the best interest of their shareholders. And someone saying, ‘Oh, I didn’t know we needed to do a risk analysis’ isn’t going to fly anymore,” Greenhalgh says.
This kind of corporate accountability for cybersecurity is too often absent in healthcare organizations, even as healthcare has become one of the sectors most vulnerable to privacy and cybersecurity breaches. According to Greenhalgh, for cybersecurity protection measures to succeed, policies need to be implemented from the top down. That means getting the attention of, and investment from, the C-suite and the board of directors.
The problem with preventing privacy and security breaches isn’t that chief information officers (CIOs) or chief information security officers (CISOs) don’t know that their healthcare organizations are at risk. After all, breaches are constantly in the news; it’s hard to miss the impact of the Anthem breach, the Equifax breach, or the recent Capital One breach. CIOs and CISOs may suffer from overconfidence, though, because the IT and information security professionals in their organizations are assuring them that “we’ve got it covered.”
A report from the US House of Representatives’ Oversight Committee on the Equifax breach describes in detail how the company’s reporting structure was a major factor in the breach, contributing to its failure to apply needed security patches.
In a blog post exploring these failures, former Washington Post reporter Brian Krebs notes that “Workforce experts say the main reason many firms don’t list their security leaders within their top executives is that these people typically do not report directly to the company’s board of directors or CEO. More commonly, the CSO [chief security officer] or CISO reports to the CTO, or to the chief information officer.”
Greenhalgh says CIOs and CISOs understand the risk; they just struggle to communicate it to the board of directors, and it’s the board that holds the purse strings when it comes to investing resources in prevention efforts. If a CIO or CISO presents to the board and starts out using “geek speak,” the board members’ eyes tend to glaze over, he says. The board won’t allocate the funds if its members don’t fully understand the scope of the problem.
The obvious solution is for healthcare companies to make sure there’s at least one board member with a background in cybersecurity or privacy, and one who knows the difference between privacy and security. If that isn’t possible, CIOs and CISOs need to start speaking in terms boards do understand, or find someone else who can, says Greenhalgh.
If the right people can get a board’s attention, there are three areas of focus they should understand:
- The business need for cybersecurity
- The potential damage of insider threats
- The risk of patient harm if the proper steps aren’t taken
Building the Case for Cybersecurity
Greenhalgh says that when boards don’t understand cybersecurity risks, they often try to throw money at the problem by buying more cybersecurity insurance. One problem with this is that many insurance policies won’t cover breaches by foreign state actors, because those attacks are treated as acts of war. Such policies wouldn’t have helped healthcare companies affected by the WannaCry and NotPetya malware outbreaks, which were linked to North Korea and Russia. Dealing with those types of threats requires a more comprehensive security infrastructure and investment.
Greenhalgh says a board needs to understand the danger of insider threats and how they can affect a hospital’s finances, and communicating this threat means putting a face on it. An insider threat isn’t necessarily malicious. For example, a radiologist working in a hospital’s lab might plug a phone into a USB hub, oblivious to the fact that malware on the phone could spread to the entire lab. Obviously, there’s a human and financial cost to having radiology equipment and computers infected by malware. The same thing could happen on a patient floor if a visitor to the hospital connects a smartphone to the hospital’s network, creating a malware entry point that could threaten all the medical devices—and the patients reliant on those devices—on the hospital’s network.
It’s for this reason that the College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Health Information Security (AEHIS) asked the Food and Drug Administration to affirm, in the context of cybersecurity, that the terms “patient safety” and “patient harm” aren’t synonymous.
“Patient safety signifies all the risk leading up to where a patient can be harmed,” CHIME and AEHIS wrote in comments for draft guidance on premarket medical device cybersecurity. “From an ecosystem standpoint patient safety may not represent a single patient, rather, it can signify the general principle of patient safety as a whole.”
Greenhalgh says boards need to understand the very real patient safety ramifications of having to take CT scanners or electronic health records (EHRs) offline because of malware.
“If any devices, CT scanners are down or if the EMR [EHR] is locked up, if the system isn’t functioning correctly, the quality of patient care falls off the table,” Greenhalgh says.
Even so, these kinds of arguments may not be getting the results that cybersecurity experts would like to see in the C-suite and on boards of directors. The sheer volume of data breaches in healthcare is creating a new normal, and communication tactics built on “fear,” “uncertainty,” and “doubt” (or “FUD,” as it’s known in the industry) aren’t selling anymore, says Greenhalgh.
“Until we hit a point where it is more painful to not deal with it than deal with it—and what that point is going to be—it will mean more harmed patients,” Greenhalgh says.