Co-authored by Poonam Puri

Increasingly, cybersecurity is at the top of the agenda for most hospital boards, audit/risk committees and senior management teams. Board directors are wondering whether they are asking the right questions and making the right decisions when it comes to the organization's overall cybersecurity strategy. Given the increased sophistication, frequency and magnitude of cyber threats, it is essential that directors have a good understanding of the cyber threats facing their organization and take appropriate steps to mitigate potential risks.

The successful Hollywood Presbyterian cyberattack emboldened hackers to target other hospitals. In Canada, two Ontario hospitals were reported to have been victims of ransomware attacks. In March 2016, the Ottawa Hospital was subject to a hacker attempt on its computers, where the malware locked down files after someone using the computers clicked an infected link. The hospital's IT staff wiped its drives in response, stating that no patient data was harmed. Just under two weeks later, Norfolk General Hospital experienced the same type of hack, where its website infected visitors with malware. Norfolk General reported that the issue was quickly contained and no visitors were harmed.

Cybersecurity risk is not limited to external sources. In 2015, a clinic governed by the Chelsea and Westminster Hospital NHS Foundation Trust in the UK sent out a newsletter to about 800 HIV patients, in which it inadvertently disclosed the recipients' full names and email addresses to one another. The clinic was fined £180,000 (roughly $300,000 CAD) by the privacy regulator. It also suffered reputational damage and a loss of confidence amongst a vulnerable patient group and the community at large.

With proper diligence, your hospital can better mitigate the risk of cybersecurity threats and avoid being held to ransom, subjected to costly civil suits or hit with regulatory fines. While not an exhaustive list, it is recommended that boards implement the following strategies when it comes to cybersecurity.

Discuss Cybersecurity at the Board Level Regularly.

Most board members are not experts in this area and tend to shy away from having robust discussions about cybersecurity. However, to fulfil their risk management obligations, they need to understand the threats the hospital faces and how it is managing those threats. Avoid a situation where the first time the board is briefed on cybersecurity is when the hospital is dealing with a cyberattack.

Know Where You Stand.

While the board should not be concerned about the minute details of how the organization's data is organized, it should have a general understanding of the type of data it holds, where it is kept (e.g., on servers or in the cloud) and how it is protected. This should include identifying the aspects of the hospital's operations that are at highest risk to cyberattack given their strategic importance or given where confidential or private patient information is stored or maintained.

Have a Strong Cybersecurity Plan – And Test It.

The board should ensure that the hospital's cybersecurity plan encompasses both securing its networks and investigating and responding to intrusions. It also must be broad enough to protect personal health information (PHI), the systems that store, use or transmit PHI, and all of the hospital's assets and devices. While the board does not need to know all of the details of the hospital's cybersecurity plan, it should at least be aware of the plan's reach and its parameters, to ensure that the plan is able to address all cybersecurity risks, not just those posed by external attackers. The board should also be reasonably comfortable that the cybersecurity plan meets current industry best practices. While having a cybersecurity plan is important, the board should mandate management to test it regularly in order to identify gaps in current response protocols and consider how best to fill them.

Have Strong Internal Policies for Staff.

The board should ensure that employees are regularly educated through hands-on workshops, online tutorials and testing, to facilitate understanding of the importance of strong passwords, controlling access to information, data encryption, etc.

Ensure Accountability.

The board should have a clear understanding of who within the hospital's leadership is responsible for the execution and implementation of the cybersecurity plan. Cybersecurity should not be considered solely an information technology issue and delegated to the head of IT. Many organizations place responsibility for cybersecurity at the C-Suite level, either as the direct responsibility of the Chief Information Officer or Chief Information Security Officer, or flowing through the Chief Information Officer's organization up to the Chief Operating Officer, Chief Financial Officer or Chief Executive Officer.

Consider Getting Cyber Insurance.

The damages resulting from cybersecurity incidents can be very large, but often these damages are not covered by a hospital's ordinary insurance policies. Some insurance companies now offer plans that specifically cover the risks associated with cybersecurity incidents and breaches. The board should consider, in light of its cybersecurity plan and the hospital's individual risk tolerance, whether cybersecurity insurance of this nature is appropriate.

When it comes to cybersecurity matters, the board's role is no different from when it deals with other risk factors facing the organization. Boards should not hesitate to call upon independent external counsel and consultants to guide them in developing, implementing and testing the steps outlined above. This will go a long way in ensuring that the board has a reasonable understanding of the cyber risks facing the organization and can make informed decisions.

Originally published in the November 2016 edition of Boards, by The Governance Centre of Excellence.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.