Healthcare Cybersecurity: Lessons for America's Corporate Boards

When this article by the Population Health Blog was published in the prestigious policy journal Health Affairs almost a decade ago, little did it know that it had too little skepticism over what the policy experts were saying about the electronic health record. Since its publication, not only have the interminable cost and quality shortcomings persisted, but hospitals' and clinics' health information technology (IT) has also become a ripe target for hackers.

Who knew?

Which is why the PHB understands the bitter disappointment of directors serving on U.S. boards of directors. IT was supposed to usher in unprecedented levels of innovation, efficiency and consumerism. Little did they know that IT vulnerabilities could also torpedo their company's brands (like this), spawn sovereign criminal gangs, compromise consumers' personal privacy, hollow out their middle class customer-base, lead to a silicon-based robber baron class and propagate Baumol's cost disease.

According to this April 6 Wall Street Journal article, boards are responding to cybersecurity threats by appointing technology committees, making IT a regular part of their meeting agenda, regularly huddling with their company's information officers, monitoring dedicated threat assessment dashboards and recruiting new board members with a background in IT.

The National Association for Corporate Directors (NACD) would agree. This recent report suggests that boards also need to understand the value of their company's information by asking where their data "crown jewels" are and who would want them. They also need to periodically conduct "deep dives" on the topic of e-security, ask their company's executives about response/disaster plans, scrutinize the "tone at the top," assess employee awareness and oversee appropriate hacker stress testing. Last but not least, boards don't necessarily need "expert" members but, rather, members with IT "literacy."

The PHB's physician colleagues have that literacy and feel their pain. Check out this recent article in the New England Journal that describes the travails of health IT. According to the author, 94% of health care institutions have not only been the victims of cyberattacks, but they also have the dubious distinction of sustaining the greatest dollar cost per record-breach. While HIPAA's numerous privacy and security mandates should have given the health care industry a multi-year head start on IT security, hospitals and clinics are still struggling not only with the usual IT challenges, but with the vulnerability of their internet-of(-medical-device)-things and a growing body of antiquated or vague federal and state regulations.

The PHB's take? 

If the healthcare industry is any guide, corporate boards need to know that:

1. Finding the right balance between employee workflows, information "fluidity" and data security is still very much a work in progress.  When it comes to that sweet spot between increasing efficiency and keeping hackers at bay, compromises will be inevitable.

2. Given the experience with HIPAA, intrusive, unwieldy and (sometimes) obsolete laws and regulations are destined to grow. Get used to it, monitor it and manage as best you can.

Image from Wikipedia