Three years ago, most healthcare boards of directors knew more about online video games than online security. Now they’re paying very close attention to cybersecurity, especially the boards of for-profit health systems.

This article was originally published on Healthcare IT News.
What used to be viewed as an operational issue is now a trustee responsibility because of the likelihood of lawsuits following a data breach.

Boards across the U.S. want to avoid the headaches recently experienced by Target and Wyndham in the wake of well-publicized breaches.

There were four shareholder derivative lawsuits filed against 13 of Target’s directors and officers following its big breach in November 2013. They’re being sued for breach of fiduciary duty and waste of corporate assets, among other things. These cases have been consolidated and are still pending.

Wyndham dodged a bullet last year when a similar shareholder derivative suit was dismissed, but that decision has been appealed.

Fortunately, there’s an excellent resource from the Institute of Internal Auditors Research Foundation titled “Cybersecurity: What The Board of Directors Needs To Ask.”

The report's authors single out six questions as particularly important:

  • Does our organization use a security framework?
  • What are our top 5 risks (ranging from the proliferation of BYOD and smart devices to the outsourcing of critical business processes to third parties)?
  • How are we educating our employees about their roles related to cybersecurity?
  • Are both external and internal threats considered when planning/monitoring our cybersecurity program?
  • How is security governance managed within our organization?
  • In the event of a serious breach, has management developed a robust response protocol?

While it’s likely that we’ll see more CIOs and CISOs serving on healthcare boards in the future, the IIA report encourages all board members to get actively involved in cybersecurity initiatives. The report’s concluding words are, “Cybersecurity is no longer an agenda item for IT; it is an agenda item for the board as well.”

Another great resource for hospital boards is the American Hospital Association’s “Cybersecurity and Hospitals: What Hospital Trustees Need To Know About Cybersecurity Risk and Response.”

If trustees would simply read and use these two reports, healthcare organizations across America would be on the proactive path to protecting the security and privacy of their information assets. Do you trust your trustees to take the necessary action?

Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities on healthcare information security today. As a leading authority on safeguarding health data, Chaput has supported hundreds of hospitals and health systems in successfully managing healthcare’s evolving cybersecurity threats and ensuring patient safety.