Trends in Healthcare & Governance

HTNYS’ monthly Trends updates provide trustees with information about emerging developments in governance and healthcare. Published by HTNYS on the second Wednesday of each month, Trends’ timely statistics and insights help trustees fulfill their roles and responsibilities while adapting to the changing environment.

Make cybersecurity a priority
January 2021

Healthcare is unique among economic sectors in its breadth and depth of valuable data and information, making it a lucrative target for cyber thieves. Hospital executives and boards need to be proactive and pay even more attention to cybersecurity threats than those in other sectors of the economy.

Did you know?

  • More than 93% of healthcare organizations in the U.S. have experienced a data breach since the third quarter of 2016 and 57% have had more than five data breaches during the same timeframe.
  • While 91% of hospital administrators consider the security of data a top focus, 62% feel inadequately trained or unprepared to mitigate cyber risks that may impact their hospital.
  • According to the HIPAA Journal, healthcare email fraud attacks have increased 473% in the last two years.
  • There were 38 million healthcare sector records exposed in 2019, versus 7 million healthcare sector records exposed in 2018.
  • In 2019, the healthcare industry incurred an average cost of $6.35 million per breach. It is estimated that the cost of data breaches will rise from $3 trillion each year to over $5 trillion by 2024.

Governing boards have a critical role to play in terms of understanding and curtailing cybersecurity risks.

Boards should:

  • Understand that cyber risk is first and foremost a patient safety and care delivery risk issue.
  • Know that healthcare is a prime target for cyber adversaries; the threat is ongoing and constantly changing.
  • Keep cybersecurity front and center; receive regular updates on risk and risk mitigation. Treat it as an enterprise risk issue.
  • Understand that cyber risk can never be eliminated; it can only be mitigated. Proper planning can make cyberattacks less probable and less severe if they do occur.
  • Uncover the vulnerabilities within the organization and take steps to mitigate the risks they create.

Five questions board members should ask to ensure cybersecurity is being addressed internally:

  • Do we have at least one person on staff dedicated full time to information security?
  • Is the reporting structure of information security officers prominent enough within the organization to give them the status, authority and independence they need to function effectively?
  • Does the board have a risk committee and is that committee briefed regularly on evolving cybersecurity risks?
  • Do we have an incident response plan that includes contingencies for various cyber scenarios, such as ransomware, and how secure are our backups?
  • Does the board receive regular briefings and updates on the strategic cyber risk profile, and on how risks are being mitigated?

Looking for cybersecurity resources?

HHS recently launched a new website, “Aligning Health Care Industry Security Approaches.” The new 405(d) program website is presented as a useful place for organizations looking for additional “resources, products and tools that help raise awareness and provide vetted cybersecurity practices.”

Note: Information on this topic was obtained from AHA Trustee Services (for AHA members only) and HHS’ Aligning Health Care Industry Security Approaches.
