Mathieu Gorge

How to get leadership on board to implement cyber solutions

January 12, 2022
By Mathieu Gorge

Security is a journey, not a destination. These six words should resonate off the walls of every board room and leadership discussion. The meaning behind this is that security needs to be an evolving state of mind as technology expands and cyber criminals develop new tactics and procedures. The healthcare industry is no stranger to cyber-attacks, including ransomware and various other data breaches. Patient data is highly sensitive and a prime focus for cyber criminals across the world, and protecting this data needs to be a focus of all healthcare workers from nurses to project managers and executives.

Importance of cybersecurity
The buzz around cybersecurity has certainly grown over the last few years. With the increase in ransomware attacks coupled with the onset of the pandemic, cyber criminals have never been busier. Hospitals and other healthcare institutions have felt the brunt of these attacks over the last few months, with an increasing number of cyber-attacks geared towards the healthcare industry. The importance of cybersecurity has become a prevalent topic amongst leadership because they have come to the realization that educating employees at all levels has had a positive impact on reducing cyber-attacks and data breaches. In the cybersecurity industry, it’s a known idiom that the weakest link in the security chain is the human. This means that most attacks begin by harvesting a user’s credentials, getting them to click on a malicious link, or by some other means. In all these scenarios, it’s the end user, the human, the healthcare worker who is taken advantage of. Therefore, it is important to give employees the cybersecurity knowledge they need to protect themselves, for it may help them protect the organization and even the patients they care for.

Cost-effectively keeping up with change
Implementing cybersecurity solutions can be a costly process, which is one of the reasons why leadership teams avoid such discussions. The idea that “it won’t happen to us” seems to be enough to ward off any concerns of a cyber-attack, but this false sense of security can spell trouble for many organizations, especially those in the healthcare industry. Finding a cost-effective solution can ease the burden of this discussion, and implementing a solution that helps save money, ease compliance regulations, and enhance the organization’s overall security posture can have a positive effect on the future of the company.

Five pillars of security
Cybersecurity can often be seen as the elephant in the boardroom for many reasons, one of them being the difficulty of explaining cybersecurity risks and concerns to those who are not technical. However, the fact of the matter is that the C-suite and boardroom must play an active role in any organization's cyber accountability. By breaking down cybersecurity into 5 pillars – people security, physical security, data security, infrastructure security (networks, cloud, applications, third parties, fourth parties, business associates), and crisis management – IT teams can help leadership teams from all sectors understand the necessity of security at all levels. Cyber accountability isn’t a concern strictly for IT teams. These 5 pillars set out to demystify the complex technical and legal landscape of global regulation.

Leadership buy-in
Getting the approval of a board or executive leadership team is a difficult process. There are more concerns than just cybersecurity when it comes to deciding whether to implement a solution. We’ve already discussed the cost (which can be addressed through cost-effective solutions) and the C-suite’s lack of IT knowledge (which the 5 pillars of security can demystify), but there is also the issue of regulation. In the last few years, we’ve seen governments at both the local and national levels implement various standards and guidelines about how organizations must conduct business. With regard to the healthcare industry, there is GDPR in the EU, and HIPAA in the United States. These compliance frameworks are just the beginning. As technology evolves, so will the requirements for keeping data safe. Failure to comply can result in hefty fines, such as in Portugal, where a hospital was fined 400,000 euros for failure to comply with GDPR.

When it comes to making decisions about risk, cybersecurity, and whether the benefit justifies the cost, leadership teams must be aware of the heavy arm of the compliance side of the industry – and the risks they face if they fail to comply. While compliance does not equate to security, it’s a great foundation to build upon.

Final remarks
The cyber world as we know it is changing, especially in the healthcare industry. There are IoT devices and both new and old software that healthcare workers and patients rely upon to ensure that everything is being done to offer the best type of service. But what happens if these technologies get compromised? Leadership teams across the globe need to proactively ensure that the best cybersecurity standards are being followed, and they need to take seriously the notion that no matter who you are, you may become a target.

The wonderful thing about cybersecurity is that it doesn’t need to be difficult; there are automated tools and training modules that teach cybersecurity best practices and help ensure compliance. These tools are generally inexpensive compared to the fines issued for violating regulations like HIPAA and GDPR, and much less expensive than trying to clean up a data breach. When it comes to cybersecurity, the answer is simple: treat cybersecurity like the journey it is, evolve with the changes, and ensure that you’re doing everything you can to protect the safety and security of your customers, patients, and employees.

About the author: Mathieu Gorge is the CEO and founder of VigiTrust.