What do Board Members of Smaller Healthcare Organizations Need to Know About Healthcare Information Security?

During a conversation with a friend earlier this week discussing healthcare information security, she made one very important point.  She is concerned about her personal data being taken or exposed in a ransomware attack or data breach if she decides to get treatment at one of the facilities near her house.  With the numerous ransomware attacks on healthcare facilities, this is now a major concern.

There have been many publications on how to present a cybersecurity program to the board.  We have not seen anything aimed at the board members themselves to educate them on what to look for.  This is something that we want to change with this article.  Many of the community hospitals that take care of patients do not have board members with IT skills, as large academic health centers or for-profit health systems do.

When I spoke at the American Hospital Association’s Rural Health Summit in 2019 in Phoenix, AZ, the moderator, John Riggi, asked how many board members were attending our cybersecurity session.  Over a quarter of the attendees raised their hands.  These are not people that fit the stereotype of senior executives of large companies.  They are often local or state government employees, elected officials, local businesspeople, or physicians that practice locally.  Many are retired.  They do not get stock options or compensation.  Their mission is to help their neighbors, friends, and people that cannot help themselves in rural areas.

This does not mean their job is less important than that of the board member who is or was a Chief Information Officer at a large academic health center or publicly traded corporation.  They have the same responsibilities and share the same patients.  They also have the same security issues to address, with far fewer resources, both operationally and through networking.  Board members of larger health systems, by virtue of their networks, have access to significant IT, Information Security, and Risk resources that board members of smaller organizations do not.

Our goal in writing this is to give the board members who are responsible for cybersecurity at their local health district, rural hospital, or tribal health care facility the tools they need to make judgements and measure effectiveness the way that the large academic health systems do.  The technologies are often similar.  With the CURES Act Final Rule and potential changes to the HIPAA Privacy Rule, interoperability and security are now more important than before.

There are four key items that board members need to address as part of any program.  These are the Annual Security Risk Assessment, the Risk Management Plan, Third-Party Risk, and Ongoing Metrics.  Used effectively, these measures give board members who may not have cybersecurity or IT experience the tools they need to fulfill their mission of providing oversight and ensuring initiatives deliver on the vision.

Every organization needs an Annual Security Risk Assessment.  This is mandatory for healthcare providers under the HIPAA Security Rule.  CMS strongly recommends that organizations update it at least once a year and whenever major changes to practices or electronic systems occur.  It does not have to be performed by an outside specialist.  One of my recommendations is that organizations complete these themselves to get a better understanding of their environment.  Also, in our experience, team members are reluctant to discuss concerns with consultants.  I have presented at Black Hat on how organizations can do this themselves with limited resources.  You can find the materials here.  This is critical because when you look at the press releases the HHS Office for Civil Rights (OCR) issues, the civil penalties cite one or more of the following reasons:

  • No Risk Assessment Completed
  • No Risk Management Plan Completed
  • Open Issues Discovered Not Followed up on
  • Not Reporting a Data Breach within 60 Days
  • Incorrectly Reporting Number of Data Breach Victims

This document serves as the baseline from which organizations build their programs.  State and local health departments also require annual risk assessments to be completed.  Our recommendation is that if a risk assessment does not exist, use the materials provided to complete one for your organization.  Update it at least annually.  Do not try to retroactively create assessments for years you do not have, and do not produce a single assessment that spans several years.  Do your first ones internally or with some outside help, and invest the rest of the money in addressing the issues found.

Likewise, if the organization does not have a plan to address the risks it has identified, there will be problems.  In many of the cases where OCR issued penalties, it was because the organization did not address the items discovered in the risk assessment process.  Have the organization take the output of the risk assessment and address its top 20% highest-scored risks first.  There needs to be a plan with accountable stakeholders, definitive projects with detailed plans and identified resources, realistic budgets and resource allocations, and definitive start and end dates.  The old days of risk acceptance, better known as finding a reason why identified risks cannot be addressed, are over.  Organizations are required to directly address these items, not make excuses.
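The triage just described, as an added example that is not tooling from this article or its author: a risk register is scored, the top 20% by score is pulled out, and every item in that slice is checked for the plan elements a board should expect (an accountable owner, a defined project, start and end dates) and for being overdue.  The register below is constructed sample data, not findings from any real organization, and the CSV column names are assumptions of this script.

```python
"""Triage a risk register the way the article describes: score each finding,
take the top 20% by score, and check that every item in that slice has an
accountable owner, a defined project, and start/end dates, and is not overdue.

Added example, not tooling from the article or its author. The register is
constructed sample data; the CSV column names are assumptions of this script.
"""
import csv
import io
import math

# Constructed sample register. Likelihood and impact use a 1-5 scale;
# dates are ISO 8601 so they compare correctly as strings.
REGISTER_CSV = """id,finding,likelihood,impact,owner,project,budget_usd,start,end,status
R-01,Unpatched Windows 7 imaging workstation,5,5,IT Director,Imaging refresh,45000,2024-02-01,2024-06-30,open
R-02,No MFA on remote access VPN,5,4,CISO,,0,,,open
R-03,Backups never tested for restore,4,5,IT Director,Backup validation,5000,2024-01-15,2024-03-31,open
R-04,Shared clinical logins on nursing units,4,3,CNO,Badge tap-in,20000,2024-03-01,,open
R-05,Transcription vendor has no BAA,3,4,Compliance,BAA remediation,0,2024-01-10,2024-02-15,done
R-06,Card terminals not on current firmware,3,3,Revenue Cycle,Terminal update,3000,2024-04-01,2024-05-01,open
R-07,Visitor Wi-Fi shares VLAN with clinical,2,4,IT Director,Network segmentation,15000,2024-05-01,2024-09-30,open
R-08,No security awareness training,3,2,HR,,0,,,open
R-09,Outdated incident response plan,2,2,CISO,IR plan refresh,0,2024-02-01,2024-02-28,done
R-10,Printer default admin passwords,2,1,IT Director,Printer hardening,0,2024-03-01,2024-03-15,open
"""

# Plan elements the article says every tracked risk needs.
REQUIRED_PLAN_FIELDS = ("owner", "project", "start", "end")


def load_register(text):
    """Parse the CSV and add a score column (likelihood x impact)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["score"] = int(row["likelihood"]) * int(row["impact"])
    return rows


def top_fraction(rows, fraction=0.2):
    """Return the highest-scored `fraction` of the register, at least one item.
    Ties at the cut-off score are included so the board sees every finding at
    that level rather than an arbitrary subset of them."""
    ranked = sorted(rows, key=lambda r: r["score"], reverse=True)
    n = max(1, math.ceil(len(ranked) * fraction))
    cutoff = ranked[n - 1]["score"]
    return [r for r in ranked if r["score"] >= cutoff]


def plan_gaps(row, today=None):
    """List the plan defects for one item: a missing owner/project/date,
    an end date before the start date, or an open item past its end date.
    `today` is an ISO date string; ISO dates compare correctly as strings."""
    gaps = [f for f in REQUIRED_PLAN_FIELDS if not row.get(f)]
    if row.get("start") and row.get("end") and row["end"] < row["start"]:
        gaps.append("end_before_start")
    if today and row.get("end") and row.get("status") != "done" and row["end"] < today:
        gaps.append("overdue")
    return gaps


def board_report(text, today=None, fraction=0.2):
    """Map each priority item's id to its score and its plan gaps."""
    rows = load_register(text)
    return {r["id"]: {"score": r["score"], "gaps": plan_gaps(r, today)}
            for r in top_fraction(rows, fraction)}


if __name__ == "__main__":
    for rid, info in board_report(REGISTER_CSV, today="2024-04-01").items():
        print(f"{rid}  score={info['score']:2d}  {', '.join(info['gaps']) or 'plan complete'}")
```

On the sample data the top 20% is three items, not two, because two findings tie at the cut-off score; a board report should show both rather than silently dropping one.  The VPN finding with no project, start, or end date is exactly the kind of unowned risk the penalties above are issued for, and the backup finding is flagged as overdue because its end date has passed with the item still open.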

If leadership makes excuses as to why it cannot directly address items, that is an issue to discuss.  Ransomware and patient application connectivity require a watchful eye on security.  If the plans presented contain any of the following, they are red flags for serious security implementation problems:

  • Claims of eliminating risk instead of mitigating it
  • Purchasing products instead of developing programs to mitigate risks
  • Extensive use of outside consultants as opposed to developing internal resources
  • Implementing without resource allocation plans, policy changes, training plans, or communication plans
  • Not addressing legacy systems
  • Not addressing the continual upkeep and maintenance needed to stay current and certified.  We have seen this especially with credit card processing solutions, which must be kept current to remain compliant with the Payment Card Industry Data Security Standard (PCI DSS).  These requirements are mandated by the card brands and the acquiring banks.

The same applies if the organization is implementing new technology without considering any of the following:

  • How will it be monitored for performance and effective service levels?
  • How will it be monitored for security and exceptions?
  • Who will be providing day to day maintenance?
  • Who will be conducting the initial security reviews and risk assessments?
  • What is the plan for addressing security on a continual basis both at implementation and during operation?

These are real gaps that we have seen doom projects and cause security incidents.  If these questions cannot be answered for a project, they need to be addressed before it proceeds.

Third parties also present significant risk.  A generation ago, a small hospital or doctor’s office could have done all the work needed to stay operational within its four walls.  Now, given the complexity that revenue cycle alone must face, outsourcing is a necessity to stay in business.  Outsourcing, however, brings security questions the organization must ask of its vendors.  Many of these are tough questions because of the general past lack of security awareness.  This is something that we can change.  These are the questions that need to be asked as part of third-party vendor due diligence:

  • Are they handling Protected Health Information?
    • If they are, do we have a Business Associate Agreement?
  • What assurances do we have of their security?  Do they hold a current HITRUST certification, or ISO/IEC 27001 certification with the 27017/27018 cloud and PII controls in scope where relevant?  Do they complete an annual risk assessment and risk management plan?
  • Does their hosting provider have a current SOC 2 Type II report?
  • If they process credit cards, do they have a current Payment Card Industry Data Security Standard (PCI DSS) Attestation of Compliance (AOC)?
  • Do we have written assurances they will be keeping their solutions current?
  • How will we be notified if there is an issue?
  • Do they carry cyber liability insurance?

If these questions are not being asked, or are being glossed over by the organization, this is cause for serious concern.

The most important question is how you can ensure there is a reasonable and appropriate degree of security.  What can you ask for, as a board member, to determine whether the organization is on the right path with cybersecurity?  What documents can show you progress?  These are the ones we recommend:

  • Risk Assessment Status and Completion Dates
  • Risk Management Plan Key Management Items, Accountable and Assigned Team Members, Completion Status, and Completion Dates
  • Risk Register Open Items, Progress, and Estimated Completion Dates
  • Nice To Have Items:
    • PCI DSS Compliance Status and Metrics
    • Major Cybersecurity Events
    • System Compliance Status for supported operating systems, applications, and supporting systems
    • Vulnerabilities Discovered/Vulnerabilities Addressed
    • Third-party vendor security status, including review dates, submitted artifacts, status, and review completion dates
    • New and updated systems reviewed, discovered items, and remediation plans
    • Security training/communication plan status

These documents are designed to be much like the Income Statement, Statement of Cash Flows, and Balance Sheet, and they fit together the same way.  The Risk Assessment, Risk Management Plan, and Risk Register are the Information Security equivalents of those critical financial statements that interested parties use to gauge the financial health of a business.  The Nice To Have items are the equivalent of individual financial transactions.  They are just as critical, because security health directly affects financial health and performance.

Board members of healthcare organizations have incredible responsibilities, no matter the size of the organization.  The net effect of legislation over the past few years, such as the CURES Act Final Rule, gives local health districts, rural hospitals, and tribal health networks the same level of responsibility for providing information that their much larger counterparts have.  The security requirements have always been the same under HIPAA and HITECH.  Academic health systems have had the advantage of very knowledgeable board members, directly or indirectly, to assist with these functions.  This article was designed to give board members of smaller organizations who do not have those resources on hand the information they need to better support the missions of their organizations through improved oversight.

About the author

Mitch Parker, CISO

Mitchell Parker, MBA, CISSP, is the CISO at IU Health. Mitch has eleven years’ experience in this role, having established effective organization-wide programs at multiple organizations. He is responsible for providing policy and governance oversight and research, third-party vendor guidance, proactive vulnerability research and threat modeling services, payment card and financial systems security, and security research to IU Health and IU School of Medicine. In this role, Mitch collaborates across the organization and with multiple third parties to improve the people, processes, and technologies used to facilitate security and privacy for the benefit of IU Health’s patients and team members.

1 Comment

  • Mitch, great article! Nice work crafting everything in a consumable manner for the board and/or executive leadership. I have a similar set of notes compiling that I source when pushing cultural change across the enterprise. It can be challenging for CISOs to balance cyber awareness versus cyber overload when communicating with board members. Greatly appreciate your insight, which will help these efforts!

    Thank you