According to the HHS Office for Civil Rights (OCR), cyber incidents in health care are on the rise. From 2018-2022, there has been a 93% increase in large breaches reported to OCR (369 to 712), with a 278% increase in large breaches involving ransomware.
Ascension, a healthcare provider with 140 hospitals across 19 states, recently suffered a cyberattack that disrupted multiple critical systems. Another significant breach occurred earlier in February, impacting Change Healthcare and affecting hundreds of hospitals and facilities worldwide.
While the increasing frequency of incidents serves as a wake-up call for healthcare cybersecurity specialists, it urges a concerted effort to improve security posture and prevent repeatable attacks, which are naturally likely to occur. Despite the obvious barriers like complex IT environments and multiple entry points, less apparent issues also exist, such as the lack of effective communication at the board level. Specifically, studies from sources like the National Library of Medicine highlight a significant gap in understanding among upper management regarding the security risks and their impacts on organization-wide risk management. Without effective communication, healthcare cybersecurity initiatives, even with secured budgets, cannot be implemented efficiently, potentially resulting in persistent dangerous vulnerabilities and further successful attacks.
Walk Through a Timeline: The WannaCry Attack
Notably, one of the most well-known cyberattacks in history, the WannaCry attack on the NHS, which happened in May 2017 and caused widespread disruption across the NHS, affecting over a third of NHS trusts in England and resulting in the cancellation of approximately 19,000 medical appointments and operations, highlighted the problem of ineffective communication in healthcare.
The National Audit Office (NAO) report and the House of Commons Committee of Public Accounts report investigating the attack found that NHS Digital issued critical alerts and guidance on patching systems vulnerable to the EternalBlue exploit, which WannaCry used, in advance. Despite these warnings, many NHS organizations had not applied the necessary patches by the time of the attack due to multiple communication gaps. Specifically, NHS Digital did not have the authority to enforce action, leading to inconsistent patching and preparedness, implying a general lack of effective risk communication to senior management and accountability within NHS organizations.
Potential Barriers for Effective Board-Level Communication
Of course, much has changed and improved since the WannaCry attack, and the reasons for miscommunication in the NHS were fundamentally rooted, involving more than just misunderstandings. However, at the local level, the barriers to communication between IT and senior management remain relevant to this day. Let’s discuss the most common reasons why there is still a misunderstanding about the importance of investing in IT security and implementing appropriate initiatives.
Firstly, cybersecurity involves technical jargon and complex concepts that can be difficult for non-technical board members to understand, especially as they are busy and have limited time to dive in and learn these things, resulting in cybersecurity being deprioritized in favor of other pressing issues.
Secondly, cybersecurity measures are often viewed as cost centers rather than value drivers. Senior management may be reluctant to allocate budgets for something that they perceive as not immediately contributing to the bottom line. This may be because some executives believe existing measures are sufficient or underestimate the likelihood of a cyberattack.
Best Practices To Overcome Communication Barriers
Translating technical jargon into business language that meets the board’s goals is important. Use clear, concise terms to explain complex cybersecurity concepts. Present cybersecurity as a business risk using metrics and key performance indicators (KPIs) that the board is familiar with, such as potential financial losses from data breaches and compliance violations. Highlight the potential cost savings from avoiding breaches, regulatory fines, and protecting the organization’s reputation. Demonstrate how an investment in cybersecurity can prevent significant financial and operational disruption.
Use case studies and real-world examples to illustrate the potential impact of healthcare cybersecurity threats. Stories of breaches at similar healthcare organizations can help boards understand the stakes. In addition to the above-mentioned attack on Ascension, another recent example is the Ardent Health attack, which closed emergency rooms in at least three US states.
Another option is to create a healthcare cybersecurity governance committee that includes both IT leaders and board members. Having board members on this committee ensures a deeper understanding and ongoing dialogue on cybersecurity issues.
Additionally, you can organize tabletop exercises that simulate a cyberattack scenario. Invite board members to participate so they can experience firsthand the decision-making process during a healthcare cybersecurity incident. This can reinforce the importance of preparedness and robust cybersecurity measures. Occasionally, bring in external cybersecurity experts for training sessions or to present on emerging threats and healthcare industry best practices. The insights from external experts can sometimes carry more weight and provide fresh perspectives.
Moreover, create executive summaries with dashboards and visual tools to present data on cybersecurity metrics. Interactive and visual representations, such as graphs, charts, and trend lines, can help board members better understand the status and progress of cybersecurity efforts. These tools also assist in articulating the needs for actions like necessary downtime and other initiatives, gaining support from the executive team, which is sometimes essential for implementing such initiatives organization-wide.
Most importantly, highlight how robust cybersecurity directly impacts patient outcomes and safety. Draw connections from privacy to trust, and from secure systems to uninterrupted patient care. This can help the board see the mission-critical role of healthcare cybersecurity initiatives.
About Mike Walters
Mike Walters is President and co-founder of Action1 Corporation, a provider of the integrated real-time vulnerability discovery and patch management software. Mike has more than 20 years of experience in cybersecurity. Prior to Action1, Mike co-founded Netwrix, which was acquired by TA Associates.