Moving into 2018, the Chief Financial Officer (CFO) is emerging as a prominent figure in addressing cybersecurity. Once relegated to IT as a technical or operational issue, cybersecurity now requires a cross-departmental, enterprise-wide approach. CFOs will need to become active partners with the leaders of Information Technology, Security, Privacy, and Compliance in identifying and combating cybersecurity risks, particularly in healthcare, where PHI is at risk.
Top 4 cybersecurity activities for healthcare CFOs:
1. Promote a privacy and cybersecurity culture that:
- Creates a cybersecurity strategy and governance for compliance with the national and international regulations that affect revenue (e.g. GDPR, MACRA, MU, HIPAA, SOX, PCI, FERPA, etc.).
- Engages management to align cybersecurity strategy with business strategy and obtain buy-in from Executive Leadership and the Board of Directors on necessary cybersecurity investments.
- Promotes a collaborative approach for the organization’s cybersecurity program:
  - IT: Owns the tools, such as the firewalls, antivirus software, password controls and mobile device management.
  - Legal: A consultative partner; approves and pushes out data protection policies and reports on compliance with any legal or regulatory obligations.
  - Human Resources: A change management partner; communicates to the organization in partnership with IT, Legal and Finance; approves data protection policies working with Legal and IT.
  - Finance: Provides the funding and resources for data protection; consults on and approves data protection policies.
2. Be aware of cybersecurity program activities, including:
- Merits of the preferred cybersecurity framework (e.g. NIST, HITRUST Alliance, etc.).
- Executive summary results of an IT security risk analysis and proposed remediation plan for identified gaps.
- Support activities associated with maintaining a comprehensive asset inventory and monitoring of cybersecurity internal controls.
- Solid understanding of roles and responsibilities associated with the organization’s incident response plan, disaster recovery plan and business continuity plan.
3. Actively participate in executive-level cybersecurity compliance meetings:
- Assess cybersecurity due diligence and management of vendors, including third parties.
- Participate in and review cybersecurity audits.
- Monitor regulatory compliance.
4. Ensure satisfactory levels of responsibility and accountability for cybersecurity:
- Assign (or support the assignment of) responsibility and accountability for the cybersecurity program, including expectations.
- Ensure confidentiality, integrity, and availability of PHI within all Business Associate Agreements, financial contracts and other legal documents.
- Develop, implement, and update the cybersecurity budget, including costs for potential breaches and cyber insurance.
Cybersecurity is more than just installing software. Organizations have to be proactive and look for system vulnerabilities before an intrusion happens. By taking the actions described here, CFOs will begin to understand their cybersecurity ecosystem. These steps are part of an evolving risk management approach. With the rise of cyberattacks and data breaches that are both costly and regulated, cybersecurity has risen in strategic importance for the CFO!