The pandemic is forcing change for cybersecurity and technology risk programs. The Board should be asking questions.


Pandemic-related threats facing hospitals are requiring risk oversight committees to evaluate a trade-off between new technology priorities and their associated risks.

Within hospitals, the pace of digital transformation being undertaken in response to the pandemic is both impressive and terrifying. Hospitals are forced to adopt technology at a pace never before seen in what is traditionally a risk-averse industry.

Lessons learned from a rapid rate of digital transformation within the healthcare vertical apply well beyond the industry. Company boards should consider the same lessons and questions for management that hospital risk committees are right now asking of hospital leadership.

The market has changed.

Product (in this case healthcare), typically delivered through face-to-face interaction, is going digital overnight. Telemedicine platforms have been stood up in a matter of hours in order to continue delivery of care. Cybersecurity executives are scrambling to make fast recommendations to their purchasing organizations without time for the usual due diligence. Medical devices are being transferred between hospital systems and retrofitted with connectivity modules to allow remote use, without being subject to normal compliance review. The cybersecurity risks introduced by these rapid telehealth and telemedicine deployments have not been evaluated and are not well understood.

Rapid adjustments to reflect market changes introduce material risks. Company boards across all verticals should pay attention. Fundamental questions the board can ask management include:

  • How has our market (end users, the customer base) changed?

  • How has our technology strategy pivoted to address this?

When the market changes, so too do our priorities and risk strategies.

The cybersecurity industry understands that rolling out remote access platforms requires extremely careful management and oversight. Inattention, such as standing up remote access without the identity, patching and monitoring controls that would normally accompany it, will lead to significant exposure and material risk for the organization. Some hospital risk committees are temporarily accepting these risks. Have company boards considered the same with their new employee telecommute platforms? Questions the board might ask of management:

  • How are our priorities and risk tolerances changing given these market changes?

  • How do we measure and track new risks that are introduced as a result of our technology decisions?


Customer expectations are changing. 

Just because a company has signed off on a risk, it doesn't mean that risk is understood by the company's customer. In IoT, and especially in a trust-centric environment like a hospital, there is a legacy school of thought that devices are inherently reliable and secure. In this scenario, when things go wrong for a customer, the result is loss of trust and reputational damage at best.

Questions the board can ask to understand a shift in customer expectations include:

  • Do our customers have visibility into our risk culture?

  • Do our customers understand the risks associated with the technologies they are suddenly using? Are they being helped or trained in using these technologies securely?

  • Who is responsible for communicating new technology risks, and how do we ensure customers continue to trust us once those risks are understood?

Business continuity planning (BCP) is having a renaissance.

Attention paid to BCP goes in cycles and always peaks during a crisis. There is a traditional governance pattern in which BCP sits within the technology organization, but existential threats to most organizations extend well beyond the CIO's domain. Boards should be asking:

  • Are we properly considering the whole business in our BCP? 

  • Does the leader overseeing these efforts have insight and buy-in across the whole organization? 

As we are learning, pandemics present an opportunity for organizations to revisit technology strategy and risk from the top down. This is not a matter of hiring a Chief Information Security Officer, taking a course in cybersecurity, or signing on a new cyber risk insurance provider. It is the proper evaluation and understanding of the existential threat that technology risk poses to the organization, informed by the lessons learned from our most critical, vulnerable, and transformative vertical, healthcare.

Companies that help IT and cybersecurity leadership work through these questions will emerge stronger, modernized, and better performing as a result.

Justine Bone