What should CEOs and boards understand:
- Protection of key information assets is critical
- How confident is the Board that the hospital's most important information is being properly managed and is safe from cyber threats?
- Are you clear that Board members are likely to be key targets?
- Does the Board have a full and accurate picture of:
  - The impact on the Hospital's reputation if sensitive internal or patient information held by the Hospital were lost or stolen?
  - The impact on operational services if our online services were disrupted for a short or sustained period?
Exploring who might compromise information and why:
- Does the Board receive regular intelligence from the Chief Information Officer/Head of Security on who may be targeting hospital information and IT, their methods and their motivations?
- Does the Board encourage the technical staff to enter into information-sharing exchanges with other organisations in the sector and across the economy to benchmark, learn from others and help identify emerging threats?
Pro-active management of the cyber risk at Board level is critical:
- The cyber security risk impacts public confidence, reputation, culture, staff, information, process control, brand, technology, and finance. Is the Board confident that:
  - They have identified the key information assets and thoroughly assessed their vulnerability to attack?
  - Responsibility for the cyber risk has been allocated appropriately?
  - The cyber risk is on the risk register?
- Does the Board have a written information security policy in place, which is championed by the Board and supported through regular staff training?
  - Is the Board confident the entire workforce understands and follows it?