cybersecurity laptop with icons

Cybersecurity

Incorporating Cyberrisk Management into Enterprise Risk Management

The board’s role in prioritizing strategic cyberthreats and risk mitigation

By John Riggi

Editor’s note: This article is excerpted from “Why and How to Incorporate Cyber Risk Management into Enterprise Risk Management,” published in August 2020 on the American Hospital Association website. You can read the full article here.

Cyberattacks have far-reaching consequences that directly threaten patient care, patient safety and broader public health and safety, by potentially denying the availability of hospital and emergency medical care to the community. Ransomware attacks, data theft and compromised data privacy are the best-known examples and consequences of cyberharm, but there are many more. For example, hackers have demonstrated they can remotely disable lifesaving medical devices as a result of a ransomware attack. They have forced hospitals to close or redirect ambulances by blocking access to electronic medical records and other essential systems.

Cyberattacks are a clear and present danger to patient care and safety. That was already a well-accepted premise, which became even more clear when cyberattacks on health care facilities increased after the COVID-19 outbreak, despite certain ransomware gangs publicly declaring that hospitals were “off limits” during the crisis.

Just as the nature of cyberthreats and their consequences have changed, so have the demographics of cybercriminals. The threat profile is evolving to include more foreign-sponsored, organized attacks. Hostile nation states such as North Korea and Iran, which are under intense financial and internal political pressure to overcome economic sanctions, have enlisted cybercriminals to raise money through cybercrime such as ransomware attacks, theft of intellectual property, bank funds and cryptocurrency.

The FBI has the lead authority for cybercrime investigation and attribution, while the Department of Homeland Security (DHS) has primary responsibility for protection of the U.S. critical infrastructure from cyberthreats. Based upon their investigations, access to classified information and collaboration across government and the private sector, the FBI and DHS are great resources to help health care organizations understand the nature of the cyberthreats they face and to help defend against them. The FBI and the DHS often issue joint cyberbulletins that identify the latest cyberthreats, malware signatures and adversary tactics, which help hospitals set their cyberdefenses.

A Culture of Cybersecurity

Does your organization’s approach to cybersecurity align with the current environment? This question cannot be answered solely by considering the electronic defense measures your organization has in place. IT can lead cybersecurity efforts, but cyberrisk needs to be incorporated into the overall enterprise risk management framework and receive the attendant level of executive leadership support, including from the C-suite and board. A top-down culture of cybersecurity is the most important defense against cyberthreats.

Questions for Assessing an Organization’s Cyberrisk–Enterprise Risk Management Integration

The first step for individual organizations is to determine the extent cyberrisk management and enterprise risk management are currently integrated. The following questions will help organizations find their baseline:

  • In your organization, is cyberrisk ranked as enterprise risk?
    • If so, is it ranked within the top five? Top three?
  • What is your top enterprise risk issue?
  • How often is cybersecurity briefed to the board?
  • What board committee has oversight, and how is it engaged?
  • Is the cybersecurity budget measured as a percentage of the IT budget or the enterprise budget?
  • Is there a methodology to quantify the strategic cyberrisk profile of the organization and align cybersecurity resources and budget based upon the risk?
  • Do you prioritize all strategic cyberthreats and risk mitigation controls by impact to:
    • Care delivery and patient safety – first and always
    • Reputation
    • Mission-critical operations
    • Confidence of patients, staff, community and investors
    • Data protection and privacy, including health records, personal health information, financial and payment data and intellectual property
    • Revenue
    • Legal and regulatory exposure
    • Mergers and acquisitions
    • Strategic business risk

The discovery and discussions needed to find answers to these questions will help prepare organizations to actively integrate cyberrisk within enterprise risk management.

It is the leadership of an organization, the C-suite, which has the most influence on the behavior and culture of an organization. A top-down, consistently reinforced “culture of cybersecurity” that leverages the “culture of care” already present in hospitals can be an extremely low-cost and highly effective strategy to mitigate cyberrisk in hospitals.

Hospital leaders generally do recognize the importance of safety culture and extending it to cybersecurity. The challenge is how to effectively convert culture into practice. Health care organizations are recognizing the need to incorporate cyberrisk into enterprise risk, but are struggling to make the transition because they are unsure how to proceed. This is often because:

  • Boards, chief executive officers, chief information officers, chief information security officers and chief experience officers have different responsibilities and may not be aligned on cybersecurity.
  • Non-IT leaders in hospitals may feel they lack the requisite technical skills to understand and translate cyberrisk into enterprise risk. It is critical for IT leadership to help bridge this gap.
  • Legacy risk management approaches may have limitations for addressing modern cyberthreats.

There are welcome signs that health care organizations are overcoming these obstacles and improving their protection against cyberattacks. Not only do most hospital leaders consistently rank cybersecurity among their three most important enterprise risk issues, 70% of U.S. hospital boards have taken the tangible step of including cybersecurity in their risk management oversight.

Cyberrisk Is Enterprise Risk

As cybersecurity threats increase, so does the urgency to elevate cyberrisk management. Cyberattacks affect more than data and systems: Patient safety, access to systems and facilities (and therefore public health), intellectual property and reputation are all at risk. Where do you draw the line between what is cyberrisk and enterprise risk? You can’t. So why tolerate divisions between cyberrisk management and enterprise risk management?

The cyberrisk-is-enterprise-risk philosophy is gaining acceptance in health care and in other sectors. The idea is not new. In 2014, the National Association of Corporate Directors recommended: “Directors need to understand and approach cybersecurity as an enterprisewide risk management issue, not just an IT issue.”

  • In 2019, Deloitte reported that the percentage of all public companies that appointed tech-focused board members increased from 10% to 17% over the last six years.
  • The New York Department of Financial Services created a regulatory requirement for senior management at regulated companies to be involved in cybersecurity.
  • The Committee of Sponsoring Organizations of the Treadway Commission (COSO) reported that 49% of all boards now address cyberissues at least quarterly.
  • A 2019 study commissioned by enterprise insurance company Aon recommends cyberrisk be integrated into the broader risk management framework because: “The management of cyberrisk still remains largely fragmented and inconsistent across corporate functions. Risk managers need to take a more active role in facilitating the identification and evaluation of cyberrisk, collaborating across functions (Legal, IT, Security, Operations).”

These recommendations haven’t been lost on hospitals. As noted, 70% of U.S. hospital boards now include cybersecurity in their risk management oversight.

Addressing cyberrisk at the enterprise level could contribute directly to reducing vulnerability if it brings alignment among various roles in the organization. Stakeholder alignment is the second-most important variable to health care cybersecurity, according to a 2018 study. The report notes: “As of today, policies mostly address data privacy, not data security…If, through governance, the board can create strong stakeholder alignment on the importance of cybersecurity to the organization, this will help minimize the likelihood of cyberattacks.”

Effectively Integrating Cyberrisk within Enterprise Risk Management

Cyberadversaries most often begin their attacks on health care organizations, not with a technological hack, but rather as a psychological and social engineering effort that seeks to exploit the trusting and helpful nature of most people in the field. That is precisely why organizational alignment and top-level support are essential to good cyberdefense. The aforementioned study on hospital cyberrisk oversight summarizes the connection: “Specifically, pressure from the board of directors appears to be essential in creating substantive cyberresiliency, as research shows that hospital management support is essential for user compliance with information security policies, which in turn are written by health care IT security professionals.”

"The cybersecurity culture of the organization — the people — are the best defense or weakest link, and the most cost-effective defensive measure."
— American Hospital Association

 

Fortunately, cyberrisk management can be incorporated into leading enterprise risk management frameworks used by hospitals today. The AHA is currently co-leading a legislatively derived task group directed to develop resources on how to incorporate cyber into enterprise risk. In May 2020, the U.S. Department of Health and Human Services released a report that describes cyberrisk management approaches and risk calculation methodologies that health care organizations can apply, with special guidance for smaller organizations.

While cyberrisk management is best integrated within overall enterprise risk management, it still needs individual attention.

  • When risk management is integrated, organizations should retain (or create) the chief information security officer (CISO) role. If the organization is not large enough to sustain a CISO, consideration should be given to designating someone who’s primary responsibility is cybersecurity.
  • Ensure the CISO/cyberlead reporting structure provides sufficient status, authority and independence to be fully effective in protecting patients and the organization. The common reporting structure is for the CISO to report to the CIO. This structure works very well for most organizations, until it does not. For example, some may view the security function more akin to an IT audit function, which may represent a conflict of interest if located within the IT department. In other instances, a conflict could arise if the CIO’s priorities contradict with the CISO’s priorities or are otherwise misaligned with them. For example, when selecting new equipment, a CIO may prioritize cost savings over security features.

Once cyberrisk is calculated and its integration with enterprise risk management is assessed, it is beneficial to have an independent, outside expert review the efforts. Qualified experts, which organizations like the American Hospital Association can provide, are able to identify gaps, make recommendations and fulfill the valuable but difficult role of speaking truth to power to tell senior leaders what still needs to be done.

Advancing Toward Enterprise Cyberrisk Management

The motivations and perpetrators behind cyberattacks against health care providers have changed, and the attacks themselves have become more sophisticated and more harmful. Today, cyberrisk is greater than the IT/CISO organization’s ability to protect the entire organization against it and mitigate its impact.

Cyberrisk is present everywhere in the organization. It is embedded in every care delivery function, technology, vendor relationship and business transaction across the enterprise. That is why cybersecurity needs to be a consistent, organizationwide effort, and why it is made more effective by instilling vigilance into the existing culture of care. Staff need to understand that cyberhygiene is as necessary as medical hygiene in protecting patients from “viruses.”

One practical way to advance toward enterprise cyberrisk management is to thoroughly integrate and align cyberrisk management within enterprise risk management. Achieving this integration can be challenging and requires C-level and board-level support, but it can be very successful with the right understanding and right approach.

John Riggi jriggi@aha.org) is senior adviser for cybersecurity and risk at the American Hospital Association. Previously, he led strategic programs in cybersecurity and counterterrorism for the FBI and CIA.