When asking about security, hospital board members need to get specific

When hospital board members ask their security staff "Are we secure?" is almost the same as someone asking "Are you healthy?"--a question that may be difficult to answer with a simple yes or no, NYC Health + Hospitals’s Vikrant Arora writes at HealthcareInfoSecurity.com.

Arora, who serves as assistant vice president and chief information security and risk officer, says that while there are many ways to address the security question, many of them might not help board members make informed decisions.

While board-level involvement is considered vital to security preparedness, few directors are fully educated enough to make day-to-day decisions about it. In fact, only 11 percent of board members in any industry said they had "high-level" understanding of security risks, according to a survey by the National Association of Corporate Directors.

Board members need to ask more specific questions, Arora says, such as:

  • Do we have an information security framework in place? It might be the NIST Cybersecurity Framework, which Arora’s organization uses, but others include COBIT and ISO 27K.
  • How mature are our efforts and how do you measure that maturity? In this discussion, the CISO can also talk about business-aligned security measures, rather than just technology.
  • What are we doing to address the latest big-name threat in the news? This question acknowledges the reality that any organization can be attacked and can lead to a focus on the organization’s response plans.

Questions such as these will help board members understand the organization’s preparedness and better be able to compare it to that of others in the industry, Arora says.

To learn more:
- here's the article