
Cyber risk management in the healthcare industry is still perceived to be driven by the IT department only, rather than overall enterprise risk management. According to healthcare respondents in the study Holding Healthcare to Ransom by Marsh & McLennan Companies Global Cyber Risk, 83 percent indicated that responsibility for cyber risk sits mainly with IT professionals and they are the primary owners and decision-makers for managing cyber risks, as compared to the 70 percent cross-industry average.
While the healthcare industry understands the key role of risk management teams better than other industries, it is still crucial to make managing cyber risk a shared responsibility across the organization. The next stage of focus for these companies is to transition cyber risk from being “technology-focused” to “risk-driven,” making it a top-down, company-wide responsibility that cuts across departmental lines.
For instance, risk teams and senior management must work with IT to define cyber risk-related metrics within an organization’s risk appetite. Roles such as HR and public relations also have an integral part to play in processes and communications of cyber risk management.
In the healthcare industry, cyber risk is not receiving sufficient visibility at the board level: less than half, 41 percent, of surveyed healthcare organizations include cyber risk-related issues in regular reporting. There is also an apparent lack of gap analysis and event drills conducted across all industries.
Healthcare organizations should develop a business model that encourages shared dialogue in a common language among the board, executive management, IT and operations to catalyze a cross-functional approach to cyber risk governance and reporting.