What questions should health IT leaders ask about cybersecurity?
There has been an explosion in the demand for cybersecurity and the recruitment of Chief Information Security Officers (CISOs), especially in vulnerable and data-rich industries like healthcare and academic medicine. This demand results from a confluence of events and trends that have increased information security risk like never before:
- The continued proliferation and mass utilization of technology – The future of healthcare is inextricably linked to the embrace of technology. Going digital comes with consequences for any organization, as anything that is “networkable” can come under attack.
- The need to access and share data and information – In healthcare, this need is being driven by forces such as accountable care and population health. In this and other industries, there is a great thirst for analytics, mobile technology, and anything that sheds light on operations and furthers market knowledge.
- The dramatically increased value of data – This is especially true in healthcare, where patient records can be worth a lot more on the black market than, for example, credit card information.
- Institutions’ lack of preparation against cybersecurity threats – In a recent benchmarking report from BitSight, the only sector listed as less prepared for cyberattacks than healthcare was education.
“Many executives are declaring cyber as the risk that will define our generation,” says a recent report by PwC. Accenture predicts that U.S. health systems could stand to lose a total of $305B in the next 5 years from coordinated cyberattacks.
Core responsibilities for health IT leaders
CISOs are responsible for shaping strategy and planning for a robust security program, while working closely and collaboratively across departments in an organization. They have the unique responsibility of building out protocols and developing policies to protect an organization’s information assets. These protocols must align with broader business strategies so that operations can run securely without being suppressed.
Health IT leaders can break down their responsibilities related to cybersecurity into the following categories:
- Security Operations
- Policy Development and Implementation
- Risk Management
- Auditing and Monitoring
- Incident Response
- Education and Training
Questions for health IT leaders
What does it all mean for IT leaders in healthcare? The following are key questions that these leaders – and their CEOs and executive colleagues – must be asking and answering:
- What cybersecurity/information security program do we have in place? How mature is our security operation to handle the evolving cyber-threats that will take place in the coming years?
- How is information security viewed at all levels and across the organization?
- In our organization, who does our chief security leader or CISO report to? Does that appropriately reflect the position’s value and importance within the organization?
- Have we adequately invested in information security?
- How often do we update our board of directors on information security?
- How robust is our internal training and education program on information security?
- Does our organization have the appropriate security framework in place, including the right executives? (Also according to the PwC survey, 91 percent of respondents said their institution has adopted a security framework, or an amalgam of frameworks.)
If cybersecurity efforts will help define healthcare’s future, it is critical that IT executives and their C-suite colleagues are asking the right fundamental questions.