As cyber breaches increase, it has become important for the healthcare industry to have stronger cybersecurity strategies. But healthcare industry leaders often have more urgent priorities, and CISOs are sometimes unable to convey this criticality to management.
Healthcare data is valuable, and cybersecurity incidents mean significant costs for companies. The number of patient records impacted by cyber-attacks has drastically increased from 5.5 million in 2017 to 15 million in 2018. It is essential that the value of cybersecurity be clear to life sciences and healthcare leadership.
According to a report by the Deloitte Centre for Health Solutions, communicating this risk to leaders in a healthcare company can be challenging as they have many other things to deal with. These include cost pressures, digital transformation strategies, and fierce competition on consumer engagement.
When communicating about cyber risk, CISOs have to consider that only communicating risks will not be enough. Stakeholders who are tasked with governance issues and executives in leadership roles who are tasked with operations might not have a clear understanding of the interplay between business and cybersecurity.
Some effective strategies for communicating cybersecurity issues to the board and senior leaders are:
Creating a dialogue to engage leadership: CISOs and CIOs are expected to provide senior executives with the information that helps them make the best governance decisions. More than a briefing on cybersecurity, leaders want to have a dialogue. Experts suggest that a good report can help leadership better understand the organization’s state of cybersecurity. A good report, experts believe, includes threats and vulnerabilities and the near-term proactive steps to mitigate those threats; the impact they can cause to business functions; and longer-term strategies, investments, objectives, and associated returns on investment (ROI).
Using storytelling methods: Some experts recommend creating a “story inventory” and using it to illustrate relevant situations. Connecting specific events with specific business functions helps organization leaders make better decisions around addressing risks and managing processes.
Cyber risk management strategy cannot be delegated to the IT team alone and should be a component of business strategy. Experts suggest CISOs use cyber-risk simulations and cyber exercises that immerse participants in a simulated, interactive cyber-attack scenario. According to the Deloitte 2019 Future of Cyber survey report, 32% of C-level executives say that their companies conduct cyber war gaming exercises to prepare employees for real-world incidents.
Putting a business lens on technical challenges: Experts recommend that CISOs speak the language of business risk when talking to the board or the CEO, and use strategies that place cyber risks in a business context. CIOs and CISOs must quantify their cyber threats in financial terms so that companies can adopt approaches to estimate both the direct and intangible costs associated with cyber risk. There is always a question about the investment in cybersecurity; this has to be quantified in terms of brand reputation value, compromise of patient safety or trust, and potential legal costs. Cybersecurity is likely to remain an integral function for healthcare organizations, which will need to continually update their capabilities as threats evolve in scope and sophistication.
Recruiting better communicators than technicians: Experts have observed that hiring people with business and communication skills and then training them on the technical side has become quite a popular strategy. Some CISOs believe that the technical elements of cybersecurity are easier to teach than effective communication with leadership.
With the right technology, CISOs might in the future incorporate predictive analytics into their metrics, which can guide discussions with leadership. In a healthcare system that is increasingly driven by digital technologies, CISOs want leaders to understand that cyber-threat management is a fundamental part of the business and not just a strategic imperative.
For CISOs and CIOs, a primary goal underpinning the communication strategy is to help board members move to a “cyber everywhere” approach and to make them understand that cybersecurity is not limited to the information technology bucket, but helps reduce risk across the enterprise.