Fire CEOs who don't see cyberattacks as a business risk

Many chief executive officers don't embrace the threat of a cyberattack as a business risk, and healthcare organizations should fire those high-level executives immediately, Mansur Hasib writes in an opinion piece for Enterprise Tech.

Many CEOs seem far more focused on ensuring they have cybersecurity insurance than on protecting patient information, the former chief information officer says. Hasib points to leadership and governance breakdowns, poor organization and lack of due diligence as problems plaguing companies hit by security breaches.

One example is Anthem, Hasib says. The cyberattack compromised the data of 80 million Americans, but CEO Joseph Swedish, the company's executive vice president and the chief administrative officer, all have kept their jobs. This shows a lack of accountability, he says, though removing them is not the only fix to the problem--organizations must repair the leadership chart as well.

A major flaw in leadership at many companies is that their CEOs run IT and cybersecurity through a chief financial officer or other executive, Hasib also writes.

"Until appropriate CEOs are hired, the correct CIOs or CISOs at the right empowerment and qualification level will not get hired. And the problem will perpetuate," he says.

Members of the healthcare C-suite must understand the privacy and security risks their organizations face and properly communicate those risks to their workforce, law professor Daniel Solove said during March's National HIPAA Summit. "The C-suite must care, the workforce must be aware. This is a very simple recipe, and if you follow this recipe, it will be tremendous improvement on protecting privacy and data security," Solove said.

However, some companies look at privacy and security from a business-oriented point of view, including Aetna, where Chief Information Security Officer Jim Routh told the WSJ that he looks at how the payer's ecosystem has changed every day and then creates a daily risk score, which he delivers to company executives.
