Many pieces go into building a robust cyber risk management program. It’s not just the building blocks of the program itself but how the program gets managed and adjusted over time, including how you obtain and leverage cyber insurance, stay on top of regulatory changes, test your systems, respond to what you learn, and involve experts who can help you along the way.
The goal is to create a cyber-resilient organization, reducing the impact of a potential cyberattack. Everything from the architecture of your systems to the controls you have in place to the protection that can help recover loss after the fact plays a role in how dangerous a cyberattack can or will be to your organization. While you may not be able to prevent a bad actor from targeting your organization, you can prevent catastrophic loss, extended downtime, and negative impacts on patient safety by planning now. Building a team of internal subject matter experts and partners helps ensure you’ve given your organization the best possible chance of identifying attackers early, made it as difficult as possible to penetrate your systems, and slowed their ability to cause harm.
We recently gathered cybersecurity, cyber insurance, and healthcare law experts for a panel discussion about best practices in cyber risk management. From the wealth of insight shared during the discussion, each expert’s top takeaways and advice on healthcare cyber risk management are summarized below.
Kevin D. W. Hewgley, Senior Vice President with Lockton Companies, the world’s largest privately held insurance brokerage firm
- Look for and engage in the free loss prevention services your insurance carrier provides. If you aren’t sure what services are offered, ask your broker what they can provide.
- Ask your broker to spend an hour and walk through your cyber policy with you. It won’t cost you anything, and you can ask those probing questions!
- Bring IT, Risk, Legal, HR, and Operations to the table and spend an hour doing a “blue sky project” with the goal of understanding their privacy and cyber concerns. In other words, if you weren’t bound by the normal constraints of finances, timelines, and other resources, what would this group of people like to see addressed or accomplished in your cybersecurity and privacy strategy?
Bob Chaput, NACD.DC, MA, CISSP, HCISPP, CRISC, CIPP/US, C|EH, NACD CERT Cyber Risk Oversight Certificate. Bob is the Founder and Executive Chairman of Clearwater and the author of the acclaimed book Stop the Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management.
- Pressure-test your cyber liability insurance coverage with desktop scenario walk-throughs.
- Pressure-test your incident response & reporting policies and procedures through desktop exercises.
- Engage your c-suite and board in developing and maturing an enterprise cyber risk management program that addresses cybersecurity as a genuine business risk.
- If you don’t have any of the above (e.g., cyber insurance, incident response, ECRM program), get them now!
Jon Moore, MS, JD, HCISPP, Chief Risk Officer and Head of Consulting Services for Clearwater
- Be proactive in building a reasonable and appropriate security program for your organization.
- Build your program on a framework like the NIST Cybersecurity Framework.
- Look to your strategic goals and objectives, unique IT risks, and compliance requirements, both regulatory and contractual, as inputs into defining a security program that is not just compliant but also facilitates the accomplishment of your strategic goals and objectives instead of inhibiting them.
- Establish an ongoing program that monitors the effectiveness of your cybersecurity practices on an ongoing basis and adapts to changes in your strategy, risks, and compliance requirements.
Amy Leopard, JD, CIPP/US, FHIMSS, Partner with the Bradley law firm and American Health Law Association board member
- Stay on top of evolving legal and regulatory requirements for data protection, incident response, and reporting obligations. They continue to evolve rapidly.
- Involve your attorney in cyber risk assessments, the mitigation process, and the forensics necessary to support incident response. Your communications with counsel for legal advice and the work product of investigators retained by counsel to provide that legal advice may be privileged if they are kept confidential.
- In response to the increased pressure you may face from regulators and your board to meet these evolving requirements, work toward more mature cyber programs with clear management responsibilities and competencies to measure and monitor cyber risks.
- Prepare now for abbreviated timeframes proposed for reporting material cyber events (72 hours for critical infrastructure sectors and four days for publicly traded companies).
Though each expert focused on a different perspective within healthcare cyber risk management, they all share the same wish for healthcare leaders to think more broadly and holistically when considering cybersecurity, cyber insurance, and regulatory compliance. There is much work to be done to protect patients and their data and to mitigate the damage an incident can have on a healthcare organization, but the advice and best practices described above offer leaders an excellent foundation for getting started.
If you have questions or need additional resources and guidance on the best practices outlined in this article, the Clearwater team is ready to help. You can schedule a call or access our on-demand library of articles, white papers, and case studies.