If you’re looking for good reasons to start running cybersecurity and digital risk programs, consider the following:
- The number of data breaches in healthcare has increased approximately 6 times since 2010
- By November of 2019, data breaches for the year had already surpassed 40 million affected individuals in over 400 breaches, according to Modern Healthcare.
- The black market rate for buying a full medical record can go up to $1K per record, vs $110 for a credit card number, and $1 for a social security number, as Experian reports.
Despite these facts, many healthcare organizations are not at a sufficient maturity level in their cyber and digital risk programs. Until the recent threat of data privacy legislation, there had been no true third-party enforcement or inspection of healthcare compliance. Breaches are self-reported to the OCR, mainly because organizations understand that this is the ‘right thing to do,’ and less because an authority is hovering over them to ensure they follow the letter of the law.
Did you know only 4.9% of cases reported to HHS’ Office for Civil Rights were investigated? I have worked with clients across industries in risk, compliance, audit, and security management programs throughout my career. Here is some anecdotal evidence from my own experience and that of my esteemed colleagues:
- Until recently, healthcare providers have been laggards in their security and IT risk management posture in comparison to other regulated industries, such as finance, insurance, and energy.
- When you compare these industries’ characteristics to healthcare, it’s hard to support the idea that a strong risk and compliance management program is not a necessity for healthcare organizations.
- The table below (left) draws some conclusions as to why.
As a risk professional who has worked with clients in many industries outside of healthcare, I constantly ask my clients:
- Why should non-IT healthcare executives care about digital security and cyber risk?
- How does this affect patient care and patient outcomes?
- What is the risk, and the cost associated with that risk, if we don’t invest in reaching a specified level of maturity in our cybersecurity risk program?
When I ask these questions of healthcare management, I get all kinds of answers. Some inspiring, some encouraging, and some downright scary!
How do you form a compelling argument to give to your board of directors or executives that convinces them they should care, and invest, in their data privacy, cybersecurity and digital risk program?
It starts with education for the CIO, CTO, CEO and/or board of directors to help them understand why they should care, and ultimately why an investment needs to be made to appropriately respond to their risks. This is much easier said than done for a healthcare provider, which is often part of a non-profit with fewer resources and dedicated hours. Understanding the impact of IT, cyber, digital and/or data privacy risks on their patients, and prospective patients, is key.
That’s where having a meaningful risk management program, and third-party risk program, comes into play: a program that provides a dashboard for the CIO and board of directors to quickly understand the true digital and cyber risks to their organization’s internal and third-party networks. Ideally, this understanding is based on the impact to PHI and critical data.
But the ideal risk management program I just described is not the right place to start for most healthcare organizations.
In speaking with numerous CIOs and CISOs about how they have successfully, and unsuccessfully, presented business justification cases to the executive team to capture additional funding, our SureCloud team has assembled a PowerPoint template to jumpstart your preparation. This presentation deck is meant to be your quiver. Choose to pull out the arrows that you think will be the most effective. Remember the old speaker’s adage: know your audience. Does your audience need more education about what healthcare security threats are out there? Do they need to better understand why their current compliance-based program isn’t truly doing risk management? We have slides to address both.
It’s best to manage your expectations. Things may not change after one presentation, overnight, or even after a few presentations or months. Many times, the adoption of risk-based culture is a dramatic cultural shift that involves conversations with many levels of stakeholders, executive buy-in, and a series of incremental wins over years. But we all have to start somewhere, right?