Fireside Chat with Clearwater Compliance's Mary Chaput
How healthcare organizations can overcome common cybersecurity roadblocks
By: Mary Chaput
*This is part of a series of fireside chats with Clearwater Compliance and SecureWorks. For more on healthcare and cybersecurity, visit the Clearwater Compliance blog post.
SecureWorks sat down with the Chief Financial Officer of Clearwater Compliance to talk about the cybersecurity challenges healthcare organizations face and how they can overcome common roadblocks.
Knowing how to prioritize security spending is vital for healthcare organizations as they face the challenges of managing and protecting a complex environment filled with mobile devices, digital records and increasing regulatory demands. Security is not just a concern for the IT team. Protecting patient information and intellectual property requires support from the highest levels of the organization on down. In this fireside chat with Mary Chaput, chief financial and compliance officer of Clearwater Compliance, we will examine how healthcare organizations can improve the prognosis of discussions about their cybersecurity budgets, and persuade decision-makers to make the right security investments.
Q: Are organizations investing sufficiently in cybersecurity?
A: In a recent IDC survey, 40 percent of participating healthcare providers said that their IT budgets were increasing, which means that 60 percent were not. Also, of the 40 percent whose budgets were increasing, security was fourth on the list after analytics, patient engagement and customer management. The problem is that too many people think this is an IT problem, but it's really a patient safety issue. If a patient's health information is not kept confidential, accurate and available, there can be serious repercussions to both the patient and the organization. We've got to change the conversation. Cybersecurity must be treated as an enterprise risk management issue.
Q: How can organizations get the funds they need to invest in cybersecurity?
A: We've found an effective way is to cost a data breach specifically for your own organization; that usually opens some eyes. The Ponemon Institute does research almost annually and calculates an average cost of a data breach, most recently $380 per record for the healthcare industry. But that research doesn't include costs unique to an organization that may be harder to calculate. The result can be two or three times that amount depending on reputational, legal, operational and regulatory repercussions.
I worked on a report in 2012 sponsored by the American National Standards Institute (ANSI) about the Financial Impact of a Breach, and used that information to put a business case together for increased investment. There's an Excel model for free on the ANSI webstore, and it can be modified to accommodate any unique characteristic of an organization.
Q: Can you give us an example?
A: Sure. For example, if your organization happens to be a rural hospital, and there aren't any alternatives for those patients in the area, well then, loss of revenue will certainly be less than if your organization is located in a city where there are a lot of alternatives. That factor can be used if no other uniqueness is known. Calculating the likely impact of a breach can be a powerful attention-getter.
Q: How can an organization decide what they should start with? How do you set the priorities?
A: Risk Assessments, also known as Risk Analysis, are the foundation of a risk management program. They are absolutely the first step in safeguarding health information. How can you protect your information if you don't know where it is, what vulnerabilities exist that might be exploited and what threats could take advantage of those vulnerabilities? These are fundamental elements of a risk assessment. The first step is taking an inventory of all the assets or media where electronic health information is stored, maintained or transmitted. Then align the assets with known threats and vulnerabilities. Once you have these "triples" (assets-threats-vulnerabilities), you can set the priority by scoring the likelihood of a bad thing happening and the impact if it does on a scale from 1 to 5, with 5 being the highest likelihood and impact. That exercise gives you a risk rating for each triple, and the priorities for risk treatment should be those with risk ratings above your risk threshold.
If the impact is high and the likelihood is high, the priorities become pretty clear!
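The scoring step described in this answer, as an added example that is not code from the interview or from Clearwater Compliance: each asset-threat-vulnerability triple gets a 1-5 likelihood and impact score, is validated, rated, and ranked against a risk threshold. Using the product of likelihood and impact as the rating, the threshold value of 12, and the sample inventory are all assumptions of this example.

```python
# Added example: scoring asset-threat-vulnerability "triples" on 1-5
# likelihood and impact scales and ranking them against a risk threshold.
# Rating = likelihood * impact is an assumption; the interview only says the
# two scores combine into a rating compared with a threshold.
from dataclasses import dataclass

SCALE = range(1, 6)  # 1 = lowest, 5 = highest likelihood / impact


@dataclass(frozen=True)
class Triple:
    asset: str          # media or system where ePHI is stored or transmitted
    threat: str         # what could take advantage of the weakness
    vulnerability: str  # the weakness in the asset
    likelihood: int     # 1-5
    impact: int         # 1-5

    def rating(self) -> int:
        # Reject scores outside the 1-5 scale instead of silently ranking them.
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"scores must be 1-5: {self}")
        return self.likelihood * self.impact


def prioritize(triples, threshold):
    """Return triples whose rating exceeds the threshold, highest first.

    Ties are broken by impact (patient-safety side of the equation), then
    by asset name so the ordering is stable from run to run.
    """
    above = [t for t in triples if t.rating() > threshold]
    return sorted(above, key=lambda t: (-t.rating(), -t.impact, t.asset))


# Constructed sample inventory (illustrative only, not from the interview).
INVENTORY = [
    Triple("Laptop fleet", "Theft or loss", "Disk not encrypted", 4, 5),
    Triple("EHR database", "Ransomware", "Backups never restored", 3, 5),
    Triple("Fax server", "Misdirected fax", "No recipient confirmation", 4, 2),
    Triple("Badge printer", "Tampering", "Default admin password", 2, 1),
]

if __name__ == "__main__":
    # Assumed risk threshold of 12: only ratings above it get treated first.
    for t in prioritize(INVENTORY, threshold=12):
        print(f"{t.rating():>2}  {t.asset}: {t.threat} via {t.vulnerability}")
```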
Q: Who should be accountable for information security?
A: For public companies, the pressure for the Board to step up to the plate started as long ago as 2005 when the SEC introduced a new section in annual 10-K reports for organizations to discuss the “most significant factors that make the company speculative or risky.” Since there were no requirements to quantify the likelihood of any disclosed risk, the risk factors that were ultimately disclosed included all possible risks rather than those specific or relevant to the organization, making the information useless to investors.
In December 2009, the SEC approved rules to enhance information provided to shareholders so they might better evaluate corporate oversight and governance in regard to the extent of the Board's role in the risk oversight of the company. In 2010, the SEC revised its guidelines to instruct firms to clearly state the risk and specify how the particular risk affects the organization. Specifically, companies should not present risks that could apply to any issuer or any offering. There was significant pushback to this guideline as organizations felt, and probably rightfully so, that doing so would expose vulnerabilities that now could be exploited.
The march towards more Board involvement continued. In June 2014, in a speech at the Cyber Risks and the Boardroom Conference, then SEC Commissioner Luis Aguilar warned of the “severe impact” that cyber-attacks could have on the capital markets, public companies and investors. He highlighted the responsibility of the Board of Directors, and elaborated on the lack of technical expertise on many boards to evaluate management's actions to address cybersecurity issues. He recommended performing a NIST-based cybersecurity assessment and the hiring of “appropriate personnel to carry out effective cyber-risk management while providing regular reports to the Board.”
More laws and regulations followed in the ensuing years. For example, in March 2017, the 'Cybersecurity Disclosure Act of 2017' was introduced in the U.S. Senate; it requires publicly traded companies to note in their filings whether any members of their boards of directors have cybersecurity expertise and, if not, to describe what cybersecurity experience was taken into account when identifying and evaluating nominees for the board.
It's been a long haul but I think Board members and Executive Leadership, even those working in non-public organizations, are starting to understand that the responsibility for the protection of health information is theirs. Unfortunately that doesn't necessarily mean they know how to do it.
Q: Any other advice you can give organizations struggling to make cybersecurity a priority?
A: Information security is everybody's responsibility – any function or department that creates, receives, maintains or transmits health information has the responsibility to protect it. This is a team sport and every team member needs to be involved. We recommend creating a Working Group with representatives from every applicable function, conducting a risk analysis and identifying your highest risks, and thoughtfully analyzing appropriate safeguards and controls in place to mitigate those risks. Some controls may affect operations to some degree; that's why it's critical to have members of the Working Group in agreement with the solution. Secure a sponsor in the C-Suite who can provide guidance, feedback and support to your recommendations. Provide training to the Executive Team and Board on the correct framework and processes to be established and strengthened. This should help put information risk management on their agendas and place the accountability where it belongs.
Mary Chaput is one of the country's foremost experts on compliance with PHI privacy and security regulations. As the Chief Financial Officer of Clearwater Compliance, Chaput brings 35 years of deep operational management and financial experience for publicly traded companies in the information services and healthcare industries. She is widely published in industry publications such as Becker's Hospital Review, Healthcare Finance News, Compliance Today, Payers and Providers, New Perspectives Quarterly Journal, HFMA Blog and CFO.com.
Sources
2015–2016 Healthcare Provider Technology Spend Survey, IDC
2017 Cost of Data Breach Study, Ponemon Institute, June 2017
Risk Disclosure in SEC Corporate Filings; http://repository.upenn.edu/cgi/viewcontent.cgi?article=1088&context=wharton_research_scholars
SEC Approves Enhanced Disclosure About Risk, Compensation and Corporate Governance; https://www.sec.gov/news/press/2009/2009-268.htm
17 CFR 229.503(c); and SEC Pushes Companies for More Risk Information; http://ww2.cfo.com/risk-compliance/2010/08/sec-pushes-companies-for-more-risk-information/
SEC weighs cybersecurity disclosure rules; http://thehill.com/policy/cybersecurity/229431-sec-weighs-cybersecurity-disclosure-rules
Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus; https://www.sec.gov/news/speech/2014-spch061014laa
New Bill Forces Cybersecurity Responsibility into the Board Room; http://www.securityweek.com/cybersecurity-disclosure-act-2017-forces-security-responsibility-boardroom