Time to Stop the Bleeding: Why Healthcare Boards must Engage Further and Deeper with Cyber Risk


During the past two years, healthcare organisations (HCOs) have been battling an invisible adversary that has stretched clinicians to their limits. At the same time their IT teams have been struggling to contain a very different pandemic: one of cyber risk which threatens to overwhelm the IT systems on which life-saving procedures depend. But while vaccines and medicines are helping to reduce the number of COVID-infected patients admitted to hospitals, the cyber threat remains largely untamed.

Taming it will require closer collaboration between IT and healthcare business leaders, based on mutual trust, respect and understanding. Recent global research suggests there’s still a long way to go.

Zoning out on Cyber

On the face of it, HCO boardrooms do understand the importance of effective cybersecurity on one level. Almost all (92%) of the IT and business decision makers (ITDMs/BDMs) we polled from the sector say their boards are concerned about the impact of ransomware attacks. In addition, nearly a third say that cyber is the biggest business risk today and almost two-thirds claim attacks have the highest cost impact.

They’re right to be concerned. Separate research reveals that healthcare was the second most frequently targeted industry in terms of cloud-based phishing attacks, and third in terms of ransomware infections in 2021. Trend Micro detected over 12,000 such incidents over the course of the year.

However, on another level, boards are woefully unengaged and accountability is far from clear. Some 30% of healthcare respondents say they hold the CEO responsible for managing risk, versus a similar number (27%) who say the same about the IT team. Part of the problem is a lack of awareness of cyber by senior leaders. Less than half (45%) claim the concept of cyber risk management is known extensively in the organisation. Even fewer (40%) think the C-suite completely understands the risks associated with cybersecurity, lower than the average across all sectors.

Why have boards zoned out when it comes to cyber? Many respondents believe it’s because the topic itself is a complex one and constantly changing, which is true. Others point to the C-suite itself as the issue, arguing it doesn’t try hard enough to understand, or even that it doesn’t care. Better communication from CISOs would help to solve the complexity challenge, by presenting cyber in business risk terms. But a “don’t know, don’t care” attitude could be much harder to shift.

The Impact of Disengagement

Another symptom of this IT-boardroom misalignment on cyber is how little practical engagement the boardroom actually shows. Only around half of healthcare IT teams discuss cyber risks with the C-suite at least weekly, and nearly a fifth do so quarterly or even less frequently. Even when they are called into a meeting, both ITDMs and BDMs have felt pressured into downplaying the severity of cyber risk to the board, for fear of sounding too negative or repetitive.

Both of these findings are extremely concerning. The cyber-threat landscape is volatile and fast-moving. Corporate risk can therefore be extremely fluid, requiring regular board updates to ensure decisions are being made with the latest, most accurate information available. Meetings don’t have to last long, but they should be frequent. Once a quarter feels inadequate considering current threat levels in healthcare. However, during those meetings, cyber experts brought in front of the board must be encouraged to speak frankly. Otherwise, the C-suite will walk away with a false sense of security, which does more harm than good in the long run.

In fact, we found that this is perpetuating an ignorance and unwillingness to engage with cyber. Almost half of healthcare respondents believe cyber risks are still treated as an IT rather than business risk. And, more depressing still, nearly all (91%) say their organisation would be willing to compromise on cyber in favour of other business priorities like digital transformation.

Integrating Cyber into Business Risk

What does this mean in practice? It means inconsistent boardroom attitudes to cyber risk from month to month. And it means that when investment comes it is reactive and sporadic, usually focused on fixing one problem without looking at the strategic whole. That can lead to a surfeit of cyber tooling which adds complexity and cost for IT teams already struggling with skills shortages.

Instead of viewing cyber as a siloed part of IT risk, boards must be made to understand that it’s essential to the strategic success of the organisation. Rather than compromising on security to spend more on digital, they must look to build security into every business project by design and default. That’s the only way to mitigate the impact of potentially crippling incidents like ransomware outages and mass data breaches.

This will require the right platform-based security tools, to enhance security without adding overheads. But first, HCOs need an honest discussion about cyber, framed in the language of business risk. For that, we need CISOs prepared to meet their boards more than half-way.

By Bharat Mistry, Technical Director at Trend Micro