Posted: 21 May 2019 | 6 min read

For health and life sciences companies, cybersecurity is not just an IT issue

By Amry Junaideen, Risk & Financial Advisory Life Sciences and Health Care leader, Deloitte & Touche LLP

In My Take earlier this month, I explained that cybersecurity and risk should be part of the conversation when life sciences and health care leaders discuss their long-term business strategies. But communicating the value of cybersecurity investments to senior leaders and board members can be challenging, because cyber is often perceived as highly technical. Moreover, some leaders still see cybersecurity as an IT issue rather than a critical component of business strategy. While we are seeing a shift in mindset among many board members and executives, there is considerable room for further evolution.

Cyber criminals see tremendous value in the patient data collected and stored by health and life sciences organizations. Electronic health records (EHRs), for example, can contain a wealth of exploitable information: demographic details, work history, insurance and financial information. A complete record can be worth substantially more on the black market than bank records and other types of data.1 Yet while patient data (and other sensitive information, such as drug-development pipelines) is highly valuable, health and life sciences organizations often have fewer safeguards in place than other industries. That combination has made them prime targets for cyberattacks. At the same time, pressure to reduce health care and health coverage costs can make it difficult to get leadership's attention when it comes to cybersecurity. And the proliferation of connected medical devices, wearables, and data-gathering health apps keeps expanding the attack surface.

In 2018, health care led all industries in the volume of cybersecurity breaches, accounting for about 25 percent of more than 750 reported incidents, according to a report released last month.2 That year, about 15 million patient records were affected, nearly triple the number reported just one year earlier.3

Seven strategies for creating a culture of cybersecurity

So what works and what doesn’t work when it comes to communicating key priorities around cybersecurity? The Deloitte Center for Health Solutions recently posed that question to chief information security officers (CISOs), chief information officers (CIOs), and C-suite executives from biopharma, medical device manufacturers, health plans, and health systems who are involved in making decisions around cybersecurity. Our interviewees agreed that having a cyber-literate board and cyber-savvy leaders is important. From our conversations, we distilled seven themes that could help prepare boards and senior leaders to make the decisions needed to counter growing cyberthreats.

  1. Create a dialogue to engage leadership and build trust: Our interviewees told us that they want to give senior leaders and board members the information they need to make operational and strategic decisions. They agreed that it takes time to help leaders understand how cybersecurity affects specific business functions. Our interviewees said their role is to give leaders a deeper understanding of the core elements of cybersecurity. They also need to build the credibility and trust that let board members and senior leaders feel comfortable making decisions based on the security team's recommendations.
  2. Use the power of storytelling: Storytelling can be more powerful than PowerPoint when addressing leadership. Industry experts, as well as many of our participants, suggest building a "story inventory" to illustrate relevant situations for board members and senior leaders.4 One interviewee from a life sciences organization said he and his team typically prepare for board meetings by building stories around a few recent cyber incidents that occurred in the organization. Connecting specific incidents to specific business functions can help leaders make better decisions about addressing risks and managing processes.
  3. Use simulations to illustrate that a "cyber everywhere" mentality is the new norm: As health care and life sciences organizations expand their digital footprint and store more data in the cloud, cyber risk extends to every department and can affect every patient and customer. Cyber risk management can no longer be assigned solely to IT. Our interviewees agreed that cyber-risk simulations that involve business functions outside IT can help an organization stress-test its readiness, identify capability gaps, and determine where additional training or preparation is needed. Wargaming is an increasingly important way to create plausible scenarios and develop collective buy-in.
  4. Explain how the cyber team collaborates with organizations inside and outside the industry: Many of our interviewees said leadership is often interested in how the security team collaborates with its counterparts at other life sciences and health care companies. While health and life sciences companies compete with each other, they do not compete on cybersecurity. Collaboration among CISOs and their equivalents is a big factor in many cybersecurity strategies. It happens through a combination of formal and informal channels, such as the Health Information Sharing and Analysis Center (H-ISAC), consortia, meetings, and simply having other CISOs on speed dial. Cross-industry collaboration is another important strategy: businesses and governments can share lessons learned and leading practices, and some industries are working together to develop shared cybersecurity standards. A few of the CISOs we interviewed said they look to Silicon Valley and other creative hubs to stimulate thinking on cybersecurity innovation.
  5. Use metrics to quantify risk: Putting cybersecurity into financial terms can help executives make more informed decisions. While there is no standardized way to quantify cyber risk, our interviewees agreed that a metrics-driven approach can help connect the dots back to the mission of the organization and to specific business functions. They noted that part of their role is to make leadership comfortable with the reality that not everything can be protected equally. Organizations should have clear agreement and a shared understanding of which data are most critical to the enterprise, where they reside, how they are collected and shared, and the potential impact if they are compromised.
  6. Be prepared to answer questions about cybersecurity investments and defend the answers: Company leaders often ask CISOs how much the organization should invest in cybersecurity. But no amount of money makes the risk disappear, as one interviewee noted. While the long-term costs of a data breach can be difficult to quantify, brand, reputation, patient safety, and consumer trust can all be affected. Interviewees noted that while funding usually is not a problem, there is some concern that leadership and board members could become numb to the constant headlines and discussions of threats. Many organizations have had cyber incidents, but those events may have had minimal financial impact. Some of the CISOs and CIOs said it is important to explain clearly how the threat landscape is evolving. The metrics they report and the context they provide should strike a balance between describing the threat landscape and showing what the team can do to manage the risk.
  7. Regularly assess talent models and their potential impact on the organization: Attracting and retaining skilled talent was a top-of-mind concern for many of our interviewees. While growing talent is often part of the job for CIOs and CISOs, many of our interviewees said traditional recruiting and retention models were failing them. Some organizations are placing less weight on formal education in favor of on-the-job training. One popular strategy is to recruit people who have business and communication skills and train them in the technical skills and knowledge. Indeed, the technical elements of cybersecurity are sometimes easier to teach than the skills needed to communicate effectively with leadership.

While organizations should take measures to prevent breaches, the reality is that not every cyberattack will be prevented. Part of a cybersecurity plan should therefore be to minimize the damage from breaches that do occur, by having documented and regularly tested resilience and crisis-management strategies. The role of CISOs and CIOs has expanded beyond the walls of the IT department, and these professionals can play an invaluable part in helping board members and leadership understand potential threats and respond to them appropriately.

Endnotes
1. IBM X-Force Research, Security trends in the healthcare industry, https://www.ibm.com/downloads/cas/PLWZ76MM
2. Data Security Incident Response Report, 2019
3. Erin Dietsche, 11 cybersecurity tips from the first federal chief information security officer, MedCity News, February 13, 2019
4. Frederick Schnoll, Better security through storytelling, CSO Online, January 30, 2017



Amry Junaideen

Managing Principal

Amry is the managing principal of Life Sciences & Health Care for the Risk & Financial Advisory business. Amry has over 26 years of diversified global experience in the private and public sectors, having served large multinational and public sector clients on many risk management and information technology related initiatives. Amry has extensive international experience, including in-country leadership roles in Australia and India. Amry has held numerous client and practice leadership roles, having worked with Pfizer, Amgen, Beyer Pharmaceutical, Genzyme Corporation, Astra Zeneca, the Centers for Medicare & Medicaid Services, and the Australian Regional Public Health System. He was also the National and Global Security & Privacy leader for life sciences. Amry's specialties include risk management, systems integration, internal controls transformation, and talent management. Amry has a bachelor of science degree in accounting and is also a certified information systems security professional, certified in risk and information systems control, a certified information systems auditor, and a certified practicing accountant (Australia).