“Cybercrime is the greatest threat to every company in the world,” said Ginni Rometty, chairman, president and chief executive officer of IBM. Those words are resonating with health care organizations and health plans, according to Ravi Ganesan, president and chief executive officer, Core Solutions during his presentation, Cybersecurity & The Threat Landscape, at The 2019 OPEN MINDS Technology & Informatics Institute.
The issue is that data breaches are widespread in health care. In 2018, 41% of attempted breaches targeted health care organizations followed by financial institutions (20%), education (10%) and professional services (7%) (see Beazley 2019 Breach Briefing). In the session Mr. Ganesan and his co-presenter Roy Pellicano of Tri Angular Consulting outlined the data breach problem and potential solutions – along with how to make data security investments a market differentiator.
The data breach problem
First, the problem—some 60% of small businesses fold within six months of a cyberattack, according to the U.S. Securities and Exchange Commission. Damage from breaches of health care systems puts patients at risk, as a breach can disrupt access to medical records and critical systems. This can result in rescheduled surgeries and appointments, or might require patients to be moved to other facilities to receive proper care. In addition to lost revenue, which can sometimes be recovered, there can be significant damage done to a health care organization’s reputation, which can be a fatal blow in this increasingly competitive environment.
“Making the argument that IT security is a revenue driver by creating value for the organization and that an effective cybersecurity program can differentiate you from your competitors as consumers do not want their private health information exposed in a cyberattack, can help you persuade management and your board that the investment is worth it,” Mr. Pellicano explained.
Data security as a market differentiator
To make data security a market differentiator you must first adopt it. Mr. Ganesan suggested professionals use the language of risk when making an argument for IT investments in cybersecurity “because that’s what everyone – business leaders and board members, alike – understands. Risk is not about fear; risk is about knowledge.” He reminded participants that, “Risk is ever changing. If you do a risk assessment once a year, you’re failing at it,” and did a short tutorial on how to determine your organization’s risk exposure and tolerance (see Is Your Executive Team Ready To Pay A Cyberattack Ransom?).
The key is to remember, cybersecurity is not “just” an expensive investment in information technology (IT) infrastructure (see Bringing New Tech To Scale Means Moving Beyond IT). “Cybersecurity is about assessing and mitigating risk. It’s also about compliance – but if you’re only considering HIPAA, you’re not thinking broadly enough. Lastly, and arguably most importantly, IT investments that ensure cybersecurity enhance business value,” asserts Mr. Pellicano. In other words, by investing resources in preparation and security, your organization is protected from attacks that can disrupt business and affect the bottom line. You can work with human resources and the finance department to determine how much it would cost your organization to be offline for a few hours, days or longer, and use that in your business case for the IT investment. You can also use this information—and tout the fact that your organization is a better partner because of its firewalls and protection—as a market differentiator (see Why Data Privacy Will Become A Competitive Differentiator).
Building Your Program
Once you know your risk profile, you can start the process of building a cybersecurity program, which consists of three elements:
- Governance – the framework for how to operate and protect the organization
- Strategy – the risk-mediation approach to ensuring a balance between the organization’s security pressures, organizational goals, and business objectives
- Management – how to execute a plan so governance and strategy are understood, executed, and focused on business enablement
With a cybersecurity program in place, it’s important to put metrics in place for all stakeholders – and, specifically, the board – to show how the program is effectively mitigating risk. Mr. Pellicano suggested that the metrics and resulting report for the board should be high level and easily digestible. He recommended limiting metrics to three and gave the following examples of board-level metrics based on organizational maturity:
- Low Maturity – risk to profit if there is no security program in place, operating within the organization’s risk tolerance, and number of business goals supported by the program
- Medium Maturity – efficacy of training and awareness-building efforts, number of gaps in the security program, and alignment with competitors or minimum industry standards
- High Maturity – likelihood of an insider threat and data breach, and alignment with the regulatory environment
With a more business-centric focus on IT investment in cybersecurity, it’s easier to make the argument that an investment in IT creates business value – something the chief financial officer can support – and you’re more likely to get leadership buy-in for your cybersecurity program.
Learn more about mitigating risk of cybersecurity attacks with these resources from The OPEN MINDS Industry Library:
- The Dark Side & Management Challenge Of The ‘Internet of Things’
- Your Data Security Deserves A Second Look
- More & Larger Health Care Databases Mean More Data Security Concerns
- Do You Have The Right Data Security ‘Attitude’?
- What Is Your HIPAA Security Score?
- Will Security & Interoperability Shape Our Health Care Future?
- Digital Security Isn’t Where It Needs To Be
- It’s The People, Stupid!
- Avoiding The “Wall of Shame”
And join me August 25, 2020 for The New CFO Challenge: An OPEN MINDS Seminar On Keeping Your Cost In Sync With Your Rates In A Changing Market, during the 2020 OPEN MINDS Management Best Practices Institute in Newport Beach, California.