By Marti Arvin, JD, CHCC
Picture the following scene. It’s the organization’s monthly board meeting and the chief information security officer (CISO) is getting ready to deliver her update.
The CISO provides an overview of the status of the new firewall implementation, followed by a discussion of how many Cryptolocker threats were identified and stopped in the network and the number of DoS and DDoS attacks that occurred in the industry in the last year.
She goes on to discuss the outcome of the penetration testing that was performed, and the status of setting up the security operations center (SOC), installing the data-loss prevention (DLP) software, and establishing the endpoint protection platform. She finishes with a warning to the executives that they could be the victim of “whaling,” which is a type of phishing attack.
The chief privacy officer’s (CPO) presentation is next. He starts with a discussion of the number of improper user accesses investigated, the number of breaches reported, and how many people have completed the privacy training. The CPO does not tie the information he presented back to that of the CISO.
The CPO’s presentation is cut off because of the lack of time. The board meeting adjourns. The privacy and security officers watch as each board member leaves the Zoom meeting lost in a miasma of technical details, their faces filled with frustration and confusion.
Every member of the board is intelligent and highly accomplished, but they don’t possess the granular expertise in privacy and security to comprehend half of what they were told or how to connect those threats to the health system’s business functions and goals.
Failure to Communicate
Board oversight of privacy and information security risks is as important as the board’s stewardship of the organization’s financial health—indeed, the two are linked.
Cybersecurity is one of the top concerns for senior leaders, according to the 2019 KPMG Global Audit Committee Pulse Survey. The respondents, all board audit committee members, ranked managing cybersecurity risk as the third-highest challenge for their organizations.
Only about one-fifth of the respondents expressed confidence their enterprise risk management (ERM) process was robust enough to address disruptive risk such as digital and technology risks. About 41 percent of respondents indicated a key gap for their organization is that cyberrisk is siloed in information technology (IT). Only 25 percent of US respondents identified data privacy and protection as a top priority for the audit committee.
The high ranking of cyberrisk with a relatively low ranking of data privacy and protection as a priority seems consistent with a lack of understanding regarding the link between privacy and information security.
When discussing privacy and information security risks with an organization’s senior leadership, it is important to put the discussion in terms leadership will understand and to make sure they recognize the tie between privacy and information security. It is also imperative that the CPO and the CISO have a symbiotic relationship.
The Culture of Privacy and Information Security
“Tone at the top” is important when discussing these topics because the organizational culture is as important as any other business topic. Cybersecurity is not an IT issue nor is privacy a compliance officer issue—these are business issues. Helping board members understand this will be key to engaging and involving them in good privacy and information security governance.
A key factor is helping them think about good privacy controls and cybersecurity hygiene in context of their oversight. This includes considering strategic decisions and staying informed of the risk environment, revenue implications, their personal obligations as board members, and, most importantly, the organization’s obligation to the patient.
Linking privacy and information security risks to the traditional business oversight areas helps board members relate it to the business of healthcare. Board members should understand why good privacy and information security are part of a strong strategic plan. All healthcare organizations are interested in ensuring the operations are as efficient and effective as possible, and they need to consider the significant impact to operations that a significant privacy or cybersecurity event will have.
Strategic Implications for the Business
If the organization is looking at implementing a new electronic health record or initiating a telemedicine program, there are key privacy and security considerations. Discussing the implementation strategy while incorporating how key privacy and information security decisions can impact the organization’s risk profile with the new system or program will be important to bring to the board’s attention. The board members will not be exercising their fiduciary responsibility if they make decisions without a good understanding of the risk associated with the decisions. Quite simply, they don’t know what they don’t know.
Revenue Implications Beyond Response
A significant privacy and cybersecurity event can have numerous impacts on a healthcare organization. The initial impact will be the work of responding to the event. This not only includes the work of the IT staff, but the work of executives and others as well. Events like a ransomware attack have the potential to shut down or significantly slow down business. Solid incident response plans and downtime procedures can help, but executives need a clear understanding of their roles in these processes. The nature of the attack and how prepared the organization is to deal with it will determine how quickly the organization can return to normal operations.
The initial response to the attack may have costs associated with hiring third-party vendors for forensic analysis and/or breach response and call center services. There could also be impact to the bottom line due to the cost of lost clinic days, lost revenue from elective procedures put on hold, and increased inefficiency because downtime procedures are more time consuming and cumbersome.
If the CPO and CISO are trying to educate the board members on the risk of a privacy and/or cybersecurity event, the board needs to be made aware of all of the risks. Not only will the organization have the cost of responding to the event, but the cost of breach notification if the event involves data that triggers such an obligation. According to the “Ponemon 2019 Cost of Data Breach Study: Global Overview,” the average cost of a data breach per record in the healthcare industry is $429. There is also the risk of regulatory enforcement actions and lawsuits.
Multiple health entities have had class action lawsuits filed against them for privacy and cybersecurity incidents. The Office for Civil Rights (OCR) has stated they will investigate all data breaches reported to them involving more than 500 individuals. Between January 1, 2016 and October 29, 2017, OCR settled 28 cases and imposed civil monetary penalties (CMP) against four organizations for $60.4 million. The average settlement was over $1.76 million. The average CMP was $2.82 million. Knowing these risks helps the board understand what their action or inaction could mean. Identifying the potential impact to the bottom line is a business risk discussion that is relatable.
Obligations of the Board of Directors
Failing to adequately understand any risk is a risk in and of itself. The board members are expected to exercise their duty of care to the organization—they can’t simply assume their organization is complying with the law.
The board liability for privacy and cybersecurity issues could be created in at least two ways. First, ignoring the risk altogether by failing to ask for any information where a reasonable and prudent person in the same or similar circumstance would ask. Second, if there is evidence the risk was brought to their attention and the risk was not addressed appropriately. It is critical to get the board past viewing such issues as “IT issues,” and to instead understand it is an ERM issue.
The board needs to understand the exposure they face by simply listening to privacy and cybersecurity threats to the organization but failing to act because they don’t understand what they are being told. When the CPO and CISO present the cybersecurity posture of the organization to the board, their presentation should invite questions and include easily understood terminology. Poor presentation skills of the CPO or CISO won’t excuse a failure to exercise proper oversight.
Eliminating jargon and using analogies can help the board’s understanding. Consider, for example, a situation where the CISO is trying to secure funding from the board to implement a security operations center (SOC). Instead of explaining in technical terms what the SOC monitors and the alerts it provides, she could explain by comparing the current system to having locks on the doors and windows of your home. If a break-in occurs when the homeowner is away, there is no way to know it occurred in real time. Adding a monitored alarm system, however, allows the alarm company to provide an alert as soon as the break-in happens.
The home alarm might not stop the theft. However, it does allow the homeowner to respond more promptly and initiate corrective measures. The SOC would serve a similar purpose for the organization’s cybersecurity environment.
The CPO could play off the same analogy to address a related issue by telling the board that while there is a monitoring system and the doors and windows are locked, the valuables the system is designed to protect are in the garage, which is not connected to the home security system. Such an example can provide the board members with an understanding of the purpose and benefit of the SOC and how privacy and security are linked. It can also create an easy way for them to remember the discussion.
Another factor for consideration is how the board’s involvement in the oversight of the privacy and cybersecurity programs is documented. This can prove either highly beneficial or highly detrimental in demonstrating the board’s oversight and is often reflected through the board meeting minutes.
Minutes for multiple meetings that reflect discussion of the privacy and information security risks and recommendations for addressing those risks without action by the board could demonstrate a “sustained or systematic failure” of the board to exercise oversight—a circumstance that creates liability on the part of board members, according to the court findings in the case of In re Caremark International. But if the minutes reflect a robust discussion of the risk and possible solutions with action items for implementation, it would likely be viewed as evidence of the good faith oversight required of a director. The case law around director liability makes it clear that if the director acted in good faith, even if the decisions are later discovered to be faulty, there is generally no breach of duty.
Communication is Key
Privacy and cybersecurity risks in healthcare are only continuing to grow. It is imperative that organizations, particularly their governing bodies, shift to understanding this as an ERM issue. Presentations on these topics must be made with easily understood terminology that allows those in leadership roles to engage and make informed decisions. When discussing privacy and cybersecurity with the board and senior leadership, jargon should be avoided in favor of layperson terms and relatable analogies.
Getting the board and senior leadership’s attention for these issues can be difficult. Identifying that under some circumstances there could be personal liability for them in failing to address key risk areas like privacy and cybersecurity can be a helpful motivator. But like many other things in life, success can be found by keeping it simple.
KPMG. “Keeping Pace with Disruptive Risk and Digital Transformation: 2019 Audit Committee Pulse Survey.” https://assets.kpmg/content/dam/kpmg/ca/pdf/2019/10/2019-audit-committee-pulse-survey.pdf.
Ponemon Institute. Cost of a Data Breach Report, 2019. www.all-about-security.de/fileadmin/micropages/Fachartikel_28/2019_Cost_of_a_Data_Breach_Report_final.pdf.
Marti Arvin (firstname.lastname@example.org) is executive advisor at CynergisTek.