Protiviti and North Carolina State University’s ERM Initiative teamed at the end of last year to survey directors and executives across a wide spectrum of industries for our fourth annual Executive Perspectives on Top Risks report. We are drilling down, over a series of blog posts, to provide insight into these executive perspectives within key industries and how these risks may have evolved since the survey was conducted. This post focuses on the healthcare industry.
A few years ago, several high-profile information security break-ins at banks and other consumer-facing outlets made the public all too aware of the cybersecurity dangers at financial institutions.
These days, it is healthcare organizations in the crosshairs.
When Protiviti and North Carolina State University’s ERM Initiative conducted a survey of directors and executives worldwide to identify the top risks that are on their minds, technology, privacy and cybersecurity figured as three of the top six concerns. When we zoomed in on the responses of our healthcare survey participants, disruptive technology, privacy concerns and cybersecurity figured as the third, fourth and fifth top risks, respectively. Perhaps more important, these risks saw the biggest upward change from last year.
There are several driving factors for these ratings:
With the continuing digitization of healthcare records and just about everything else, a lot of valuable information is online, ready to be hacked into. Not only do health records contain some of the same financial data as financial records, including Social Security and credit card numbers, but they also contain additional personal and highly sensitive information that can be used to forge IDs, obtain prescription medication, or even sign up for health benefits.
This has made health records much more lucrative than financial data. Patients can’t simply change their personal information like they can a credit card number. Once stolen, the information can be sold and resold, or used to inflict personal damage. If the hack is into a medical device, such as a pacemaker or an insulin pump, the personal damage can be fatal. This last issue is so serious that the FDA has issued a draft guidance specifically for medical device manufacturers. As you can imagine, healthcare providers that use those devices are seriously concerned.
In the last six months, these topics have been on every agenda of every board in which I participate.
This is not a theoretical concern. Organizations need to consider all the possibilities and potential responses, including:
- How would the company respond to a cyber incident? What is the incident response plan and policy?
- What will the company do if a cyber attack brings down the computer network? How will staff handle patients without access to their electronic records?
- How will the organization handle the adverse publicity?
Given all this, I am not surprised that the concerns about risks surrounding technology and cybersecurity shot up this year, while traditional healthcare worry staples like regulation and healthcare reform costs dropped.
One silver lining is that with risk awareness comes action. And healthcare organizations really don’t have a choice when it comes to technological innovation and digitization. Patients demand it. Other healthcare providers are doing it. Electronic healthcare records are nearly universal, and patients demand access to information and their doctors from anywhere – on their phones, at work, while travelling. If a provider fails to innovate to meet these demands, the patients will go to the provider who does.
Healthcare institutions have another big incentive to continue innovating. The successful healthcare organization of tomorrow is not the one that treats disease but the one that manages the health of its patients. To figure out how to do that, healthcare organizations need to harness data – continuous information about their patients’ health that will help prevent many of the expensive and urgent procedures that keep costs up today. With the increased amount of data comes an increased need to protect the privacy and security of the sensitive information. Advanced technological solutions, data security and data analytics are simply part of becoming a successful healthcare organization.
I am interested in your take on our findings. Access the healthcare-specific findings of our Top Risks survey here.