Healthcare organizations are experiencing a renewed onslaught of cyber attacks since the advent of the coronavirus pandemic. Hospitals and health systems were already targets of cyber attacks before the pandemic emerged. Now, the rapid shift to remote work and telehealth has opened up new vulnerabilities for cyber attackers to exploit.

The changing nature of the cyber risk landscape means that healthcare organizations’ commitment to Enterprise Cyber Risk Management (ECRM) is more important than ever. It can be tempting to dismiss ECRM as the responsibility of the organization’s IT department. But the truth is, each member of the organization – from the board, to clinical staff, to hospital volunteers – has a role to play in keeping the organization safe from cyber risk.

It is in the best interests of every healthcare organization to adopt a comprehensive approach to building a cyber risk-aware culture. Regardless of how talented an organization’s IT team is, or how up to date their technology tools are, if the organization has not cultivated a cyber risk-aware culture, it will be especially vulnerable to cyber attacks.

The five factors listed here are key to building a cyber risk-aware culture that will support an organization’s ECRM program and help protect the organization from potentially catastrophic cyber incidents.

An effective ECRM program begins with the board. The board is responsible for establishing appropriate governance, which facilitates effective ECRM. Board members should not be expected to provide technical cybersecurity expertise. But they should have a clear understanding of basic cyber risk management concepts and practices. The board is responsible for:

• Communicating the importance of cyber risk management (i.e., why cyber risk management is a priority).
• Setting the overall direction for the organization’s ECRM program (i.e., determining, at a high level, what the organization’s overall approach to ECRM will be. This includes determining which cybersecurity framework to use).
• Providing oversight for the ECRM program (i.e., monitoring the maturity and success of the organization’s ECRM program).

In other words, the board points the way and provides oversight; C-suite executives and their teams are responsible for execution and implementation.

Steps to Take Now: The board must have a basic understanding of cyber risk management terms, concepts, and best practices to provide effective communication, direction, and oversight for the organization’s ECRM efforts. It is incumbent upon the board, as a body, and the members, as individuals, to become informed about these topics. One way to kick-start the process is to begin including cyber risk management as a regular agenda item at board meetings. Information and discussion about the organization’s specific cyber risks, the status of the organization’s ECRM program, and education about cyber risk management, should be part of every board meeting. Do not wait until a cyber incident has occurred to start having these conversations at the board level.

The second component in building a cyber risk-aware culture is people. As with any other important organizational initiative, an effective ECRM program requires the right people in the right places. When thinking of cyber risk management talent, the first area that comes to mind is the IT department. It is important to have cyber risk management talent in the IT department. But in terms of building a cyber risk-aware culture, many other people in the organization have critical roles to play:

• The board communicates the value and benefits of the organization’s ECRM program, sets direction, and provides oversight.
• C-suite executives and their teams execute on the board’s direction to ensure cyber risk awareness and cyber risk management practices are implemented across the organization.
• Human Resources ensures the right cyber risk management talent is in place and provides regular cyber risk awareness training to all stakeholders.
• Clinical staff, front-line staff, and volunteers participate in cyber risk awareness training so as not to be caught up in spear phishing (fraudulent email) or other attacks.
• The importance of a cyber risk-aware culture applies not only to internal stakeholders, but also to the organization’s business associates. All third-party partners who have a data-sharing relationship with the organization (third-party software vendors, etc.), should demonstrate a rigorous commitment to cyber risk management.

Steps to Take Now: Assess whether or not the organization has employed the right talent, at the right levels of the organization, to facilitate a cyber risk-aware culture and support the ECRM program. It can be challenging for healthcare organizations to employ internal talent with the depth of expertise needed. Therefore, some healthcare organizations engage outside expertise in cyber risk management to launch or mature their ECRM programs and to facilitate the development of a cyber risk-aware culture.

Process is another key to building a cyber risk-aware culture. An organization cannot effectively execute ECRM unless it has formal, well-documented policies, procedures, and practices related to risk management in place. The policies, procedures, and practices should be followed consistently and updated as the organization changes. As many organizations have learned in hindsight, cyber risk management policies and procedures cannot be effective unless they are communicated, understood, and practiced throughout the enterprise.

Hospitals and health systems do not need to create cyber risk management processes from scratch. The National Institute of Standards and Technology (NIST) has developed several freely available resources that can help healthcare organizations frame, establish, implement, and mature their ECRM programs. Among the resources available are the NIST Cybersecurity Framework and NIST Special Publications detailing industry-standard best practices for cyber risk management (see NIST SP 800-39 Managing Information Security Risk and NIST SP 800-30 Guide for Conducting Risk Assessments for further information).

The NIST approach to process can be summarized in four steps: (1) Frame your approach to ECRM; (2) Assess your risks; (3) Respond to risks; and (4) Monitor your risks. As mentioned above, the first step, “Frame your approach to ECRM,” is part of the board’s governance responsibility. C-suite executives and their teams are responsible for executing on Steps 2, 3 and 4. At the same time, the board needs to be kept apprised, at a high level, about the status and maturity of the organization’s risk assessment, risk response and risk monitoring capabilities.

Steps to Take Now: Educate the board about different ways to frame the organization’s approach to ECRM so the board can fulfill their governing and oversight responsibilities with respect to process.

Technology plays a critical role in developing a cyber risk-aware culture. Most people understand the role of technology tools in defending an organization against cyber attacks. Fewer people understand the important role technology plays in helping to identify an organization’s potential cyber risks and in documenting the measures being taken to address those risks.

Before a healthcare organization can begin to address its cyber risks, it must identify those risks by conducting a risk analysis. Conducting a risk analysis is essential to healthcare organizations for several reasons. First, an organization cannot develop an effective ECRM program without first identifying its specific cyber risks. Second, conducting an enterprisewide, comprehensive risk analysis is a requirement for compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Finally, an organization cannot successfully build a cyber risk-aware culture if it does not understand what its specific risks are.

Conducting an enterprisewide cyber risk analysis, as required by HIPAA, is a complex undertaking. It is not possible to complete, document, and maintain an enterprisewide risk analysis without using a technology and automation solution. In addition to facilitating risk analysis, the appropriate Enterprise Cyber Risk Management Software (ECRMS) can also help by aggregating detailed, technical-level data and reporting it out in a way that facilitates board oversight of ECRM.

Steps to Take Now: Assess whether the organization has the appropriate, strategic ECRM technology tools in place. The board does not need to be engaged with specific tactical tools that repel attacks and detect intrusions. The board does, however, have a vested interest in strategic ECRM software that facilitates regulatory compliance and board oversight.

Engagement is the final component in building a cyber risk-aware culture. It takes just one person, clicking on a fraudulent email, to put the entire organization at risk. The upshot is that the most well-designed ECRM program will not protect an organization if the entire organization is not engaged in the fight to protect the enterprise from cyber risk.

The board and C-suite may be providing appropriate governance, with respect to leadership and oversight. But if the organization’s other executives, managers, and workforce members are not engaged, the ECRM program will fail.

The importance of ensuring organizational engagement in ECRM is easy to understand but can be hard to put into practice. However, there are ways to build engagement into the culture. For example, organizations can require departments to develop department-specific ECRM plans within the context of the organization’s overall ECRM program. Furthermore, organizations can include specific ECRM performance goals among the annual objectives required by all line-of-business, process, and functional leaders. One example might be: what percentage of each leader’s direct reports have completed cyber risk awareness training? This could be included as an annual requirement for all employees.

Steps to Take Now: Assess whether engagement with cyber risk-awareness and ECRM is built into the organization’s culture. Identify ways in which engagement with cyber risk-awareness can be supported throughout the enterprise.

ECRM is never just about the IT department. An effective ECRM program involves the mobilization of resources across the enterprise, including governance, people, process, technology, and engagement. Each of these five components has a key role to play in building a cyber risk-aware culture.