Getting the Board ‘On Board’ with Cybersecurity Spending

Last week, my expensive smartphone accidentally slipped out of my hands and hit the concrete floor in my garage. Without a protective case, cracks “spidered” in different directions across the entire face of the phone. And that’s just on the outside. The phone no longer operates as it should and will likely require replacing soon. You may ask, “Why didn’t you purchase a case?” Looking back, it would have made perfect sense, especially considering the cost of a case is 1/20th that of the phone. However, because I had previously dropped this particular device, and other smartphones, countless times without experiencing such consequences, the urgency wasn’t there. I was lulled into a false sense of security and it will end up costing me in the end.

Much like the phone hitting the floor, health records are extremely vulnerable. With threats looming from external hackers and malicious insiders, many providers have opined that breach is inevitable. Yet in spite of this, most providers are still spending less than four percent of their IT budget on security. That’s according to a KLAS Research report entitled, Cybersecurity 2017: Understanding the Healthcare Security Landscape. In the world of digital medical records, is that an adequate allocation of funds to protect highly-sensitive patient data? In reality, there’s probably no magic number. However, in determining the appropriate spend, providers must factor in the cost of not investing enough.

In 2016, the Ponemon Institute estimated the cost of a data breach to be around $4 million on average. Others, including healthcare consulting firms, have estimated the true average to be as high as $7 million, after factoring in the consequences to a hospital’s reputation and the loss of productivity resulting from a breach. Additionally, if there are HIPAA compliance issues, financial exposure can be even higher as providers can be fined up to $1.5 million per violation per year.

In a recent breach of healthcare records, the Department of Health and Human Services Office of Civil Rights (“OCR”), fined a hospital $3.2 million for its alleged impermissible disclosure of protected health information (PHI) and non-compliance with multiple standards of the HIPAA Security Rule over many years. In February, another U.S. hospital was fined $5.5 million to settle a HIPAA suit over a lack of audit controls leading to 115 thousand people having their PHI accessed and disclosed. Examples like these serve as a good reminder that providers must consider the complete financial picture of data breaches as they plan security programs and budgets. So how do you muster the support for the proper funding?

In a presentation during the HIMSS Cybersecurity Forum, Mitch Parker, Executive Director of Information Security and Compliance at Indiana University Health, discussed the importance of involving various groups of people related to your healthcare organization’s cybersecurity efforts—in particular, the board of directors. He outlined a number of critical steps that will help you engage in board level discussions about security.

  • Broaden Your Efforts Beyond IT – Do not allow cybersecurity to be dropped into an IT bucket.  Because it is a business challenge, not simply an IT problem, it is essential that you articulate the realities; that information-security issues often have their roots in many non-IT causes. Thus, it behooves the organization to broaden its efforts beyond IT.
  • Avoid Buying Your Way to Success – The board needs to understand that buying technology alone is inadequate. Start by explaining why breaches occur. Look beyond the technology gaps and expose process issues. This provides board members with a greater and more holistic understanding of the issues facing the hospital and/or health system.
  • Keep Board Members Engaged – Board members often come from various backgrounds and industries. Each brings to the table their unique experience and perspectives. Leverage industry research and peer content to keep the board informed about the state-of-the-industry and trends. Doing so will broaden their understanding of the challenges facing the provider space.
  • Align Strategically – Align your goals to those of the organization. Articulate the reasons for why they are inseparable to both the hospital’s overall information systems and organizational strategies. Furthermore, ensure that your metrics focus on augmenting and supporting the overall organizational strategy. This will help to ensure that cybersecurity is not an afterthought.

As you discuss this with the board and other executives in your organization to gain support for funding your cybersecurity program, it may be helpful to articulate the value that justifies specific investments. One of the common areas where healthcare providers struggle to quantify value is identity governance. It can be challenging to grant the right applications and data access to a wide variety of users. SailPoint can help you identify gaps in how you manage access from on-boarding new users, to aligning access when a user changes roles, to automating compliance reporting. And to help you estimate the returns from an identity governance solution, SailPoint will provide you with a free business value assessment. Simply email your request with contact information to One of SailPoint’s analysts will contact you shortly after to initiate the assessment.