How to Effectively Communicate Healthcare Cyber Risks to C-Suite Execs

To effectively communicate healthcare cyber risks to C-suite executives, cybersecurity professionals must translate technical jargon into business deliverables.

Effectively communicating healthcare cyber risks to C-suite executives is crucial to securing the vital cybersecurity resources needed to combat the multitude of data breaches and cyberattacks that torment the healthcare sector daily.

But with other priorities that may take precedence, cybersecurity and IT teams may find it difficult to effectively quantify and communicate the magnitude of cyber risks to the C-suite.

"If you are running a health system, your main area of expertise is not necessarily cybersecurity or cyber accountability," Mathieu Gorge, CEO of VigiTrust and author of The Cyber Elephant in the Boardroom, explained in an interview with HealthITSecurity.

"One of the main issues behind the disconnect between IT, security, and compliance professionals and the senior decision-makers is that they don't necessarily speak the same language."

Cybersecurity teams must communicate the current cyber threat landscape, translate technical jargon into tangible business deliverables, and collaborate effectively in order to convey cyber risks.

Helping the C-Suite Understand the Healthcare Cyber Ecosystem

"You can only protect what you know about, and you can only manage the systems that you have visibility over," Gorge said.

"One of the key things you need to start a proactive and effective discussion with the board is to get them to understand the ecosystem that the health system is working with."

Cybersecurity professionals encounter cyber threats every day in their line of work, making it easier to understand the full magnitude of the current cyber threat landscape. Healthcare ransomware attacks are a nearly everyday occurrence, software vulnerabilities threaten to upend security systems, and medical devices may become the latest attack vector.

The C-suite may have a completely different experience. A recent study from (ISC)² revealed that 55 percent of survey respondents with job titles like CEO, CFO, CIO, and COO described themselves as "very aware" of ransomware. Over 40 percent of respondents described themselves as "somewhat aware" of ransomware threats.

If C-suite executives had a deep understanding of the reality of cyber risks, these percentages might be a lot higher. A study from IBM Security and Ponemon Institute found that healthcare data breaches cost an average of $9.23 million per incident as of 2021.

On top of steep costs, cyberattacks and data breaches can lead to ambulance diversions, EHR downtime, appointment cancellations, and patient data exposure. The aftermath of a cybersecurity incident can cause reputational harm to the organization and risks to patient safety and privacy.

"This is somebody's life," Gorge stressed. "If my credit card gets stolen, I can get a new credit card. If my health data gets stolen, I don't get a second one. It's completely irreplaceable."

Communicating the harsh realities of the current cyber threat landscape is essential to fostering a culture of cybersecurity and obtaining the crucial resources needed to combat these threats.

Translating Cyber Risk to Business Risk

"We all want to do the same thing; we want to do what's right. But we're not necessarily understanding the problem," Gorge maintained.

"One of the issues with cyber accountability is that when you talk to key decision-makers at the board level, they tend to focus only on delivering the best care that they can. Cybersecurity and cyber accountability are not always priorities. Even if it becomes a priority, the challenge for them is to understand what they need to do in plain business terms."

In addition to focusing on delivering patient care, healthcare organizations are still businesses with financial goals and risks to manage. Communicating cyber risk reduction as another business deliverable is one way to convey the importance of cybersecurity in familiar terms.

"I often say that I'm blue in the face hearing that board members and key decision-makers don't understand risk," Gorge remarked.

"They don't necessarily understand cyber risk, but they understand risk. They deal with risk every day. Especially in healthcare, they deal with reputation risk, brand risk, and insurance risk. We just need to translate the cyber risk into one of those additional business risks so that they can discuss it and take corrective action."

The upfront costs associated with implementing a comprehensive cybersecurity program may be steep, but executives must understand that the price of neglecting cybersecurity is much greater.

Healthcare data breaches often lead to lawsuits, some of which result in hefty settlements. Excellus Health Plan, Blue Cross Blue Shield Association (BCBSA), and affiliated companies recently reached a tentative settlement in a class-action lawsuit stemming from a 2015 cyberattack that impacted 10.5 million individuals.

Excellus will have to pay upwards of $3.3 million and up to $1 million in legal fee reimbursements. Prior to this settlement, Excellus was also hit with a $5.1 million civil monetary penalty to resolve alleged HIPAA failures.

The lawsuit alleged that Excellus, BCBSA, and its affiliates failed to safeguard protected health information (PHI), delayed customer breach notification for too long, and did not give customers enough information on how to protect themselves in the aftermath of the breach.

These allegations can serve as a cautionary tale for healthcare organizations. Costly compliance penalties and lawsuits are likely to come along with any data breach, and conveying that to the C-suite is one way to show the importance of cyber risk management.

"If you start looking at all your investments in security and compliance as assets for the organization, you can then put a dollar value on those assets and put that dollar value on your balance sheet," Gorge suggested.

"Now that it is a financial item, there is absolutely no way that cyber risk is going to fall off the grid. It is going to be discussed at every board meeting."

Communicating the Importance of Collaboration

"If you build a culture of security throughout the organization from the admissions people to the surgeons, to the IT people, and all the way up to the board, you have a much better chance of protecting the data and managing that additional risk surface," Gorge emphasized.

Fostering a culture of cybersecurity is crucial to maintaining security across an organization. COVID-19 prompted a widespread shift to virtual care and working from home, which opened up numerous new endpoints and security risks.

Executives should promote cyber hygiene at all levels—any employee from providers to the C-suite can fall for a phishing scam that disables systems and causes operational disruptions.

In addition, the current cybersecurity workforce shortage is straining IT teams at a time when cyberattacks are a constant threat. (ISC)² found that the global cybersecurity workforce must grow by 65 percent to defend critical assets and data effectively.

C-suite executives are positioned to advocate for cybersecurity, allocate resources toward security efforts, and champion a collective responsibility for cybersecurity across their organizations. Because of this influence, communicating cyber risks to the C-suite is vital to success.