Value of Strong Cybersecurity Programs and Guidance on Informed Consent Requirements

Companies with Strong Cybersecurity Programs Get Higher Returns for Shareholders

Investing in cybersecurity helps prevent data breaches and avoid regulatory penalties. According to a recent report by Diligent Institute and Bitsight, it is also associated with better financial performance: organizations with strong cybersecurity programs generally deliver higher returns to their investors.

Diligent Institute and Bitsight analyzed data from 4,149 medium to large companies across a range of sectors in Australia, Canada, France, Germany, Japan, the United Kingdom, and the United States. They examined committee-level cybersecurity oversight to determine its effect on cybersecurity risk ratings. Each company’s cyber oversight structure was linked to its security performance data, and each company was classified as having basic, intermediate, or advanced security performance.

The study found that organizations with advanced security ratings created roughly four times as much value for their investors as organizations with basic security ratings. Over three and five years, organizations with an advanced security rating had average Total Shareholder Return (TSR) of 71% and 67%, respectively, while companies with a basic security rating had average TSR of 37% and 14%. Expressed as a relative difference, the advanced group’s returns were about 91% higher over three years and about 372% higher over five years.

The report found that healthcare and other highly regulated industries recognize the need for cybersecurity and treat it not just as an IT concern but as a business risk that can affect an organization’s short-term operations and long-term health. Healthcare outperformed other industries on cybersecurity performance and had the highest average security rating of the sectors included in the research.

Beyond the link between cybersecurity performance and shareholder returns, the researchers found that board structure is also associated with security ratings. Organizations with an audit committee or a specialized risk committee performed better than those without one: the average security rating of organizations with such committees was 710, compared with 650 for organizations without them.

Having a cybersecurity specialist on the board committee assigned to oversee cybersecurity risk makes a measurable difference to an organization’s security performance; however, simply having a cybersecurity specialist somewhere on the board does not by itself mean the organization’s security rating will be better. Organizations with cybersecurity specialists on the board averaged a security rating of 580, while organizations whose cybersecurity specialists sat on an audit or specialized risk committee averaged 700. The researchers noted that cybersecurity specialists on boards remain uncommon, with only 5% of the companies analyzed having one. Organizations seeking to recruit cybersecurity specialists to the board should first make sure the board is structured so that this expertise is integrated into its oversight mechanisms.

HHS Publishes Guidance on Informed Consent Requirements to Teaching Hospitals and Medical Schools

The Department of Health and Human Services (HHS) has issued guidance to the country’s teaching hospitals and medical schools clarifying the requirements for obtaining informed consent from patients before performing sensitive examinations, particularly on patients under anesthesia.

In the letter, HHS Secretary Xavier Becerra, CMS Administrator Chiquita Brooks-LaSure, and Office for Civil Rights Director Melanie Fontes Rainer pointed to media reports and scientific and medical literature indicating that, as part of medical students’ training, patients have undergone sensitive and intimate examinations such as breast, pelvic, rectal, or prostate exams while under anesthesia without appropriate informed consent having been obtained.

The letter stresses that hospitals and medical schools must obtain and document informed consent before such examinations are performed. Informed consent is required in all cases. Patients can decline to have sensitive exams performed for teaching purposes, and can decline exams under anesthesia to which they have not previously agreed. CMS has also issued new guidance clarifying the requirements of the Hospital Conditions of Participation and revising its hospital interpretive guidance on informed consent.

OCR has additionally emphasized that, under the HIPAA Privacy Rule, patients have the right to request restrictions on who may access their PHI, including in situations where they are unconscious during medical treatment. OCR has published a Q&A clarifying how this Privacy Rule right applies to exams performed under anesthesia and to subsequent exams once a covered entity has agreed to a requested restriction on the sharing of PHI.


Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for Daniel has over 10 years’ experience as a HIPAA coach. Daniel contributes his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X.