ESG refers to a company’s ethics, actions and investments in environmental, social and governance areas. Through the pandemic, we have seen a rise in the demand from investors, employees, customers, and other parties for organizations to take proactive, responsible measures to improve outcomes for all stakeholders. As a result, ESG has become a critical initiative for boards of directors and leadership teams across most industries.
At first blush, cybersecurity may not seem germane to the ESG conversation, but forward-thinking organizations are analyzing cyber risk through the same lens. In an article published by the FS-ISAC this past November[i], Northwestern Mutual Chief Information Security Officer Laura Deaner and S&P Global Ratings Head of Insurance and Analytics Research Simon Ashworth declared “There is a C in ESG,” noting that “as a key operational risk that can have material implications for an entity’s brand, reputation and wider business profile, cyber increasingly warrants a distinct focus in its own right.”
The connection between cybersecurity and ESG has become even more evident in the first half of this year as ransomware attacks and breaches continue to wreak havoc on companies, utilities, academic institutions, government entities, healthcare providers and services firms.
Victimized healthcare organizations have found themselves in positions where they cannot deliver high quality and timely care, and where their patients have been harmed as a result of a breach (more on this below). As I’ll discuss in this blog, especially in consideration of their “duty of care” responsibilities to protect patients, healthcare leaders should follow the lead of other industries and make enterprise cyber risk management (ECRM) a top priority of their ESG programs.
A Legacy of Underinvestment Has Resulted in Successful Cyberattacks in Healthcare
Unfortunately, many healthcare organizations have been slow to respond to cybersecurity concerns over the last decade. They have underinvested in ECRM programs, while at the same time deploying new technologies, increasing their attack surfaces.
When I recently asked one of our customers, a CISO of a large health system, about his concerns about the rise of ransomware, he said: “Ransomware is solvable. At this point, you are either saying to your board ‘Thank you for your support’, or ‘I told you so.'” Fortunately for his organization, he is one of the CISOs saying “thank you”. He referenced his board’s commitment to enterprise cyber risk management and cited their ECRM program as a key component of their success in keeping their organization safe from ransomware.
Many other CISOs I speak to complain of limited budgets and lack of funding for comprehensive ECRM programs. It’s shocking to think that some are only given enough money to assess risk on a limited number of the information systems that house sensitive electronic protected health information (ePHI). Others are forced to use low-quality, non-comprehensive approaches to assessing risk that often do not even meet regulatory requirements.
Failure to conduct an enterprise-wide risk analysis is irresponsible, plainly put. If the risk analysis is not comprehensive, or if it does not follow systematic and well-defined standards or methodology, then the organization is not going to be aware of all of its risks. How can an organization respond to and manage risk if it does not truly know what the risks are?
Yes, Cyberattacks Harm Patients
The “social” part of ESG typically refers to how the company treats customers, employees, and indirect third parties, and is often associated with topics such as diversity and inclusion, working conditions, impact on local communities, as well as health and safety. The spirit of “social” is to make sure the organization has strong principles that take measures to ensure that its actions are at minimum not causing harm to others, directly or indirectly, and ideally making a positive impact.
Make no mistake: A ransomware attack, or breach of ePHI, can cause significant harm to patients. The goal of cybersecurity is to protect the confidentiality, integrity and availability of ePHI, in order to prevent harm from occurring to the patient, or to the organization.
Harm From Breach of Confidentiality
If confidentiality of ePHI is compromised, the patient could be harmed financially or reputationally. For example, their confidential information can be used by someone to commit identity fraud, or to access their insurance, bank, or credit accounts. They could also be harmed reputationally if, for example, they had a medical condition that became known and it influenced an employment or other business relationship decision.
Harm From Compromise of Integrity
Compromising the integrity of ePHI can result in poor clinical decisions and misdiagnoses with grave consequences. For example, if information related to blood type, allergies or medications is altered – even indirectly – that patient may receive the wrong treatment, which could lead to adverse reactions and harm to health. If we can’t trust patient data, how do we know we are making the right decisions about patient care?
Harm From Lack of Availability
In today’s clinical setting, technology is paramount to delivering the level and quality of care we set as standards. Clinicians rely on this information and delays in availability inhibit their ability to meet those standards.
There are many examples where the loss of ePHI availability has impacted the timeliness and quality of patient care. Recently, a ransomware attack at a large healthcare system took IT systems offline for approximately three weeks, forcing the organization to shift to paper processes. Ambulances had to be diverted to other hospitals, delaying emergency care. Test results were not available, delaying treatments and potentially causing conditions to worsen.
The situation was downplayed by the organization’s public relations department, which claimed paper-based systems were substituting while IT systems were down. However, the experience frustrated and angered patients and employees alike, some of whom were concerned about the effect on patient care. A nurse on the frontline stated, “… there are times of pure chaos and hell where we feel that we are putting our patients and our license at risk.”[ii]
Governance of the Enterprise Cyber Risk Management Program
From an ESG perspective, enterprise cyber risk management requires the board to make sure the executive team is keeping it informed about cyber risks that the company faces. The board should ensure that management is taking appropriate actions to reduce risks to acceptable levels, and risks should be monitored and discussed on an ongoing basis. It is incumbent upon the board of directors to decide upon what level of risk the organization is willing to accept and which ones it will mitigate, transfer (if possible) or avoid.
In order to accomplish this, healthcare organizations must ensure they are comprehensively identifying risks to each system with ePHI, assessing the effectiveness of current security measures, determining the likelihood of a successful breach, assessing the amount of harm that would occur, and calculating a well-defined risk score. Once risks are scored, management can evaluate various courses of action in order to respond to risks above the organization’s risk tolerance threshold.
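The scoring steps above (identify the risk to each ePHI system, credit existing controls, rate likelihood and harm, compute a score, and flag anything above the tolerance threshold) can be written down as a small risk register. The following is an added illustration, not code from the author or from any product; the 1 to 5 likelihood and impact scales, the control-effectiveness fraction, the threshold of 12 and the sample systems are all constructed assumptions, and a real program would use whatever methodology its HIPAA risk analysis documents.

```python
"""Scoring a small ePHI risk register against a risk tolerance threshold.

Assumed, not from the article: the 1..5 likelihood/impact scales, the
control-effectiveness fraction, the threshold of 12 and the sample systems
are constructed for illustration only.
"""
import math
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    system: str                   # information system that stores or processes ePHI
    threat: str                   # e.g. ransomware, data tampering
    vulnerability: str            # weakness the threat would act on
    inherent_likelihood: int      # 1 (rare) .. 5 (almost certain), before controls
    control_effectiveness: float  # 0.0 (no control) .. 1.0 (fully effective)
    impact: int                   # 1 .. 5: harm to patients or the organization


def residual_likelihood(inherent: int, effectiveness: float) -> int:
    """Likelihood after crediting existing controls.

    Rounds up so a partially effective control never scores better than it
    has earned, and never drops below 1: no control removes a risk entirely.
    """
    if not 1 <= inherent <= 5 or not 0.0 <= effectiveness <= 1.0:
        raise ValueError("likelihood must be 1..5 and effectiveness 0.0..1.0")
    # round() first so float noise (e.g. 4.0000000000000004) does not bump the ceiling
    return max(1, math.ceil(round(inherent * (1.0 - effectiveness), 6)))


def risk_score(risk: Risk) -> int:
    """Residual likelihood times impact, on a 1..25 scale."""
    return residual_likelihood(risk.inherent_likelihood, risk.control_effectiveness) * risk.impact


def above_tolerance(register: list[Risk], tolerance: int) -> list[Risk]:
    """Risks management must respond to (mitigate, transfer or avoid), highest score first."""
    flagged = [r for r in register if risk_score(r) > tolerance]
    return sorted(flagged, key=risk_score, reverse=True)


def with_new_control(risk: Risk, effectiveness: float) -> Risk:
    """Re-score after a mitigation is deployed; the register is a living document."""
    return replace(risk, control_effectiveness=effectiveness)


# Constructed sample register: hypothetical systems and ratings.
SAMPLE_REGISTER = [
    Risk("EHR", "ransomware", "unpatched remote access gateway", 5, 0.2, 5),
    Risk("PACS", "ransomware", "flat network with imaging servers", 4, 0.75, 4),
    Risk("Lab results system", "data tampering", "shared clinician accounts", 3, 0.0, 5),
    Risk("Patient portal", "credential stuffing", "no MFA on patient logins", 4, 0.5, 3),
]
RISK_TOLERANCE = 12  # assumed board-approved threshold on the 1..25 scale

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"{r.system:20} score={risk_score(r):2}")
    print("Above tolerance:", [r.system for r in above_tolerance(SAMPLE_REGISTER, RISK_TOLERANCE)])
```

Two design points carry over from the article: the register is scoped per ePHI system, not per organization, so the coverage gap the author describes (assessing only a subset of systems) shows up as missing rows; and `with_new_control` exists because the analysis is meant to be re-run whenever a control, application or device changes, not filed once.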
A commitment to comprehensive ECRM demonstrates a responsible, thoughtful, and reasonable approach to the cybersecurity program. In other words, it answers the question – have we done enough? If an organization comprehensively evaluates cyber risk across the enterprise and then takes action to reduce risks below its risk tolerance threshold, it is demonstrating that it is acting responsibly, even if a breach or a ransomware attack were to occur. As such, ECRM must be a key part of the ESG program, and it must be done right.
Additionally, risk analysis and risk management must be ongoing. It is not a “one and done”. It’s a continuous process and must be kept up-to-date as changes in the environment occur. After all, most healthcare organizations are rapidly introducing new applications, devices, locations, and users that all increase the organizations’ vulnerabilities and exposure to threat actors. If they are going to introduce new risks into their environment, then they must assess and respond to these risks. Not doing so is akin to rolling the dice with patient data and patient safety.
Resourcing Cyber Risk Management Appropriately is an ESG Duty
As part of the ESG strategy, it is the responsibility of the board and the executive team to ensure they are investing the time and resources to conduct a comprehensive risk analysis, and that they are responding to risks that are above their risk thresholds. Organizations should invest in high-quality, comprehensive risk analysis in addition to additional security measures that mitigate high risks.
In healthcare, risk analysis has a very specific set of requirements under the HIPAA Security Rule and the guidance of the Office for Civil Rights (OCR)[iii]. Inadequate, high-level, non-comprehensive risk assessments that have not met the specific OCR guidelines have resulted not only in preventable breaches but also in dozens of organizations paying billions of dollars in fines, settlements, lawsuits and other related costs.[iv]
Too often, we hear that organizations can only spend the amount they have spent in the past on risk analysis. Boards and executives need to accept that conducting comprehensive risk analysis will often be more expensive than what the organization has spent in the past. They should be looking at best practices across the industry and at those firms that have implemented comprehensive ECRM programs as examples of what they should be doing.
We are living in a time where technology has become critical to patient care, and threat actors are taking advantage of that sea change and targeting providers like never before. Cyberattacks are accelerating, and the timely and effective delivery of care is being disrupted. Investing in a comprehensive ECRM program that will ultimately prevent avoidable ransomware attacks and breaches, and the subsequent harm to patients, must become a front-and-center objective of the ESG program.