Have you prepared your board for the next cyberattack?

Michael R. Rinard II

Michael R. Rinard II

Michael R. Rinard II (michael.rinard@mymlc.com) is the Chief Compliance Officer and Chief Legal Officer at Mosaic Health System in St. Joseph, MO.
7 minute read

by Michael R. Rinard II

A hospital system’s boardroom has become key to the organization’s cybersecurity risk management program. As courts define the governance responsibilities of board members, it is important to assess whether your compliance program is setting the proper controls and providing access to information about the organization’s cybersecurity readiness and preparedness. As healthcare becomes more innovative in its delivery of care and more dependent on technology, so does the risk of a cyberattack on its daily operations.

It is common for organizations to believe cyberthreats are the job of the technology security team alone. This could not be further from the reality of the risk. Courts have expanded the responsibility and the role of board members to not only simply be aware of known risks, such as 1996 In re Caremark decision,[1] but also be involved in the active monitoring and active oversight of those risks as part of the board members’ duty of good faith to the organization.[2] Board members are expected to be actively involved in the implementation and monitoring of the organization’s compliance and reporting systems and not merely passive consumers of compliance concerns.[3]

Cybersecurity risk

Trends in healthcare

Healthcare has become a popular target for cybercriminals due to the sensitive nature of the data that it holds and the criticality of the data for operations. “In 2023, the healthcare industry reported data breaches costing an average of $10.93 million per breach — almost double that of the financial industry, which came in second with an average cost of $5.9 million [per breach].”[4] This makes it the 13th year in a row that healthcare leads the highest average per breach.

This risk is much more than simple financial concerns. Consider that many biomedical technologies are linked to the same servers that the rest of the organization uses for normal routine operations. When a cyberattack happens, cybercriminals can shut down medical devices, which impairs the safety of patients who may depend on those devices to survive.

How can board members fulfill their duty of care?

The boardroom is a crucial control in every organization’s cybersecurity risk management system. A lack of board member engagement creates an overall weakness in the whole system of cybersecurity preparedness. As economic growth depends more on innovative digital systems, boards may put their organizations at serious risk when they are not engaged in the cybersecurity system of protection. Although courts do not detail what they specifically expect boards to do, the following are some good guidelines for discussion with your board members in board meetings.

Recommendations

One of the most serious hurdles and jobs of the compliance team is helping board members understand that they are critical and significant in the control of the overall system of cybersecurity governance. Although a board member is not expected to be a cybersecurity expert, they are expected to help govern the process and policies that the operations team executes. They should ask questions, become educated about the risks, and ask engaging questions to ensure that the compliance, cybersecurity, and operations team are prepared for the risks that come with running an operation.

The second critical feature for a board to meet its obligations is ensuring a resolute committee is dedicated to privacy and cybersecurity. It is common for privacy and cybersecurity issues to be brought before an audit committee, where it is “squeezed in” to make sure it is discussed. With the limitation of time that meetings have and the immense issues that boards face in healthcare today, it is imperative to have a separate group dedicate their time and report to the overall board the risks, opportunities, and preparedness plans. In addition, the U.S. Securities and Exchange Commission (SEC) released a new rule regarding cybersecurity disclosure and board governance rules.[5] The SEC has required disclosure of material cybersecurity incidents and describe the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the company, including its financial condition and results of operations. In addition to disclosure obligations, the SEC has also emphasized cybersecurity experience and expertise of at least one board member on a cybersecurity committee to advise the board.[6] Company annual reports will monitor this reporting under Form 10-K.[7] Although the SEC governs public trading companies, private organizations should expect to see the expansion of these requirements by the U.S. Department of Health and Human Services Office for Civil Rights at some point in the future. It is an opportunity to begin building these processes today and educate on how they improve our readiness for any cyberattacks.

The third critical feature is making sure that hospital operators, compliance professionals, legal professionals, and board members are viewed as part of the cybersecurity team. It is vital that a chief information officer and chief security officer have the support and collaboration of all to ensure they successfully prevent and mitigate attacks. It is easy for members of your organization to believe that the cybersecurity professional has the sole job of protecting digital assets; however, cyber professionals will not only have difficulty becoming effective, but your organization will have difficulty retaining such expertise. Continuity of the program is as essential as establishing one.

Finally, as you are building a cybersecurity committee, make sure that the organization is looking for board members who not only have an interest in the topic but also have some technical background in it. It is expected that private companies will eventually be required to do so, but more importantly, if you have already established such practices if a breach occurs, the likelihood of a massive breach is lower, and any investigation by the government will be mitigated due to having these controls in place. It provides the organization with credibility as well as best practices to mitigate and help prevent such incidents. Not only will it help when the government comes to investigate, but it also helps control cybersecurity insurance costs by being proactive and innovative rather than waiting for a legal requirement to “force” the issue.

This document is only available to members. Please log in or become a member.
Become a Member Login
 

What to read next...

SOC it to me: Adding to your foundation of compliance


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings