By Art Ehuan, The Crypsis Group, and Ari Schwartz, Center for Cybersecurity Policy and Law
For years, healthcare organizations have been the targets of cyberattacks because of the valuable data they control and their imperative to focus their spending on patient care and operations. Now, when nations are looking to these organizations both to heal a pandemic-stricken populace and to extend telehealth services to treat other medical issues, they are even more vulnerable to opportunistic threat actors. Healthcare is—now more than ever—a critical infrastructure service, and we call on Congress to provide regulatory guidance requiring healthcare company boards of directors to be accountable for cybersecurity oversight.
For decades, healthcare organizations have been under sustained cyberattack from fraudsters, organized crime groups, nation-state actors, and other nefarious threat actors. These threats are designed to redirect and steal funds through Business Email Compromise (BEC), disable critical computing systems through ransomware, and steal patient and critical research information from medical facilities and pharmaceutical companies. Threat actors thrive in times of crisis and uncertainty, and they have escalated their attacks on healthcare and other industries since the public health emergency began. Ransomware has been a particularly effective tactic, as healthcare organizations cannot discontinue providing patient care or conducting vaccine research in the middle of the pandemic.
For cyber threat actors, there is every motivation to continue: these attacks are highly successful and profitable, and the probability of law enforcement identifying, arresting, and extraditing these criminals is remote. While law enforcement and prosecutors have had some success, these wins are unlikely to disincentivize criminal groups, much less nation-state actors.
Healthcare organizations are focused on meeting the needs of patients and are often lean on budget for technical staffing; we do not “blame” these organizations for their difficulty in defending against relentless, determined, and plentiful attackers. The healthcare sector’s many critical functions, such as on-site and remote patient care, pharmaceutical and vaccine research, and medical equipment innovation, require highly secure computing systems and connectivity; but without better funding and prioritization, core business functions will remain center stage and cybersecurity will continue to go underfunded and deprioritized.
Healthcare organizations' security challenges can only be addressed through stronger advocacy, focus, and budgetary prioritization from the highest levels of the organization. It is for this reason that board involvement is so critical.
While surveys conducted by various industry groups indicate that many boards consider cybersecurity risk an “existential threat,” the reality is that many could be doing much more to meet their fiduciary duty to provide the appropriate governance and oversight in this critical area. They are positioned to be a powerful part of the solution.
The current board-of-directors governance and oversight model is not effective enough, and it is not ready to meet healthcare’s increased 2020 threat landscape. Gaps we see regularly include a lack of in-depth, board-level knowledge of cyber risk and governance; “check-the-box” compliance that fails to meet reasonable security standards; cyber metrics that do not provide a true understanding of an organization’s risk profile; too little focus on mapping spending to risk prioritization; and a lack of independent validation of a cyber program’s effectiveness and maturity.
Regulatory obligations aimed at healthcare boards of directors—and in reality, any organization that has a board of directors—should be introduced and implemented to require these influential leaders to acquire a greater understanding of their organizations’ cybersecurity risks, strategies, and effectiveness in protecting corporate assets from cyber threats.
Several U.S. senators introduced a bill, the Cybersecurity Disclosure Act of 2019, which would require organizations to “disclose in its mandatory annual report or annual proxy statement whether any member of its governing body has expertise or experience in cybersecurity; and if no member has such expertise or experience, describe what other company cybersecurity aspects were taken into account by the persons responsible for identifying and evaluating nominees for the governing body.”
We urge Congress to move on this legislation and to add a provision requiring boards without a cyber-knowledgeable member either to obtain such a board member or to engage independent cyber advisors who can provide an impartial assessment of risks and improvement strategies. Further, the law should require boards to measure risk (using the NIST Cybersecurity Framework) and to work with the organization’s risk management leadership to create a dashboard that tracks progress in addressing the highest-priority risks. Congress should also require healthcare organizations to become members of the Health Information Sharing and Analysis Center (H-ISAC) so that they have information on the latest threats to healthcare. COVID-19 has already created far too much pain; Congress should do what it can to help ensure that cyber risk does not make things worse.