Hospital boards have a responsibility to understand, at a high level, their organizations’ cybersecurity risks and vulnerabilities, as well as their plans for responding when something goes wrong. To assist boards with this issue, the American Hospital Association released a member guide on the board’s role in managing cybersecurity risk and response. To spark conversation on this issue, the guide includes questions for trustees to ask:
1. Does the hospital have a plan in place that covers all aspects of cybersecurity, not just those associated with personal health information? If so, generally, what is that plan?
2. Who in the executive leadership has responsibility for cybersecurity? Is the same person in charge of responding to cyber incidents?
3. When will the board be notified about cybersecurity intrusions or breaches, consistent with the escalation policy? Who will be notified?
4. Is there a particular board committee that is responsible for cybersecurity? How often will it be briefed on cybersecurity matters? How often will the full board be briefed?
5. Does the hospital’s current insurance cover cybersecurity incidents? If so, is the coverage sufficient? If not, is cybersecurity insurance warranted?
6. Has hospital leadership considered whether to implement the National Institute of Standards and Technology Cybersecurity Framework and what the benchmarks would mean for the hospital and its approach to risk management?
To download the resource, go to www.aha.org/advocacy-issues/cybersecurity.shtml.