IT security education: A must for hospital board members

Correction: A previous version of this article incorrectly identified HealthITSecurity.com. 

Education is important in order for hospital board members to make the best decisions about cybersecurity, according to Gerard Nussbaum, director of technology at consulting firm Kurt Salmon.

Nussbaum, who recently spoke to HealthITSecurity.com, said that while board members should not be expected to make day-to-day IT security decisions, their actions on a broad scale must be supported by "regular and consistent updates" of an organization's cybersecurity status.

"Cybersecurity ... even though it seems to be a new topic, is not that different from the board's need to assure that there are appropriate fiscal controls," Nussbaum said. "Some boards are fortunate to have people who actually have a greater understanding of this; however, even if a board doesn't have people who are experts in the computer field or in the security field, it still should be able to discharge its duties."

Cybersecurity, of course, continues to be a particular pain point for hospitals and health systems in the wake of several high-profile incidents. Late last month, Columbia, Maryland-based MedStar Health, which operates 10 hospitals in Maryland and the District of Columbia, was allegedly attacked with ransomware, which rendered many of its online systems useless. MedStar has not confirmed the nature of the attack.

What's more, Hollywood Presbyterian Medical Center, in February, paid hackers roughly $17,000 (40 bitcoins) after a ransomware attack left its networks disabled, a move the organization decided was "in the best interest of restoring normal operations." In January, the electronic health record system at Mount Pleasant, Texas-based Titus Regional Medical Center was left inaccessible by a similar attack, FierceEMR previously reported.

Hospital board members, Nussbaum said, must understand that their roles are to make sure "management is doing its job" as opposed to trying to do that job for the management team.
