As a board member, you may consider cybersecurity to be an operational issue for senior management and the IT department, but experts say “its weighty implications for the entire organization now require directors to consider it as a critical risk management concern,” one that requires trustees to play an active role in its oversight.
2015 has been a bad year for cybersecurity breaches in hospitals, health systems and health plans; for example, the Anthem cyber-attack affected 78.8 million individuals and the UCLA Health cyber-attack affected 4.5 million patients. Electronic health records, combined with the significant profitability of acquiring protected health information, ensure that cyber-attacks will continue to increase in the coming years.
How profitable is protected health information? Stolen medical records sell for approximately $10 per record—10 to 20 times greater than the value of a stolen credit card.
The authors of “From the Internet to the Boardroom: Health Care Director Oversight of Cybersecurity,” a new member briefing from the American Health Lawyers Association, outlined seven trustee responsibilities related to cybersecurity. They are:
- To be cyber literate
- To oversee the entity’s risk assessment of its information security practices
- To ensure that appropriate resources are dedicated to cybersecurity
- To consider obtaining cyber insurance
- To oversee relationships with third-party service providers
- To assign responsibility for cybersecurity oversight
- To ensure the organization has a crisis management plan in place
Ensuring effective oversight of cybersecurity is a “must do” for boards of directors. There are many laws that require providers to protect the confidentiality of their patients’ information, and a breach can cause significant damage to the organization. Boards should understand their responsibilities for oversight of the information security program—these are similar to their oversight responsibilities for other risks facing the organization. The authors of the report noted, “Directors must use their judgment and knowledge to provide effective guidance to management to ensure that the provider’s information security program is appropriately designed and operated given the business realities facing the organization.” (“From the Internet to the Boardroom: Health Care Director Oversight of Cybersecurity,” AHLA Member Briefing, October 2015)
iProtean subscribers, the advanced Finance course, Integrating Population Health Management into Your Strategic and Financial Plans, Part One, is now in your library. Marian Jennings, Mark Grube and Nathan Kaufman discuss physicians and population health management, the infrastructure required, return on investment for population health initiatives, risks for smaller organizations and evaluating capital allocation priorities.