Six numbers on one slide. Fifteen minutes quarterly. Real oversight.
NIST CSF 2.0 → GOVERN → GV.OV: Oversight + GV.RM: Risk Management Strategy
This post is part of a series on building a real cybersecurity program for telehealth practices. It builds on the foundational concepts in The Compliance Trap and Why HIPAA Compliance Isn’t Enough: A NIST CSF 2.0 Guide for Telehealth, and connects to the vendor oversight principles in Vendor Risk Beyond the BAA.
The board received a 47-slide cybersecurity presentation with heat maps, risk matrices, and acronyms nobody understood. They nodded politely and moved to the next agenda item. Six months later, when the breach happened, nobody on the board could explain what those slides had told them — or what they should have done differently.
This is the state of cybersecurity governance in most small healthcare practices. The information exists. The reports are generated. The presentations are delivered. And none of it translates into decisions, accountability, or improved security posture. The board checks the “cybersecurity briefing” box and moves on — because nothing in that briefing gave them something they could actually act on.
There is a better way. It doesn’t require a dedicated security team, an expensive GRC platform, or a consultant who bills by the acronym. It requires six numbers, one slide, and fifteen minutes of honest conversation every quarter.
What Boards Typically See
47 slides. Heat maps color-coded by “inherent risk” and “residual risk.” A risk register with 200+ line items. Acronyms: EDR, SIEM, SOAR, XDR, MDR, IAM, PAM. Three different scoring methodologies. A maturity model with five levels and no explanation of what level the practice is actually at. A “strategic roadmap” that is really a budget request disguised as a timeline.
Result: Polite nodding. Zero questions. No decisions made. No accountability assigned. The board moves to the next agenda item feeling vaguely reassured — or vaguely anxious — but unable to articulate either.
What Boards Actually Need
One slide. Six numbers. Each metric tied to a question leadership can understand: Are our accounts protected? How fast do we fix known problems? Have we practiced what to do when things go wrong? For each number: where we are, where we should be, and whether we’re getting better or worse.
Result: Real questions. Specific action items. Named accountability. The board leaves knowing what to worry about and what to do about it.
The difference between security theater and real governance isn’t budget, technology, or headcount. It’s whether leadership can answer one question after the briefing: “What should we do differently?” If the answer is nothing — or nobody knows — you have theater, not governance.
These six metrics are not exhaustive. A large health system with a dedicated security operations center will track dozens more. But for a small telehealth practice — 5 to 50 providers, limited IT staff, no full-time CISO — these six cover the governance surface that matters most. They are measurable, explainable, and actionable.
MFA Coverage
What it measures: Percentage of user accounts with multi-factor authentication enabled across all systems that access or store PHI.
Target: 100%.
Why it matters: MFA is the single most effective control against credential theft. A single account without MFA is a door left unlocked. Attackers don’t break in — they log in — and MFA is what stops them.
Board question: “Are all our accounts protected, or are some still using just passwords?”
Patch Latency (Critical)
What it measures: Average number of days to apply critical security patches after they are released.
Target: Less than 14 days for critical vulnerabilities. Less than 30 days for high-severity vulnerabilities.
Why it matters: Unpatched systems are the number one entry point for attackers. Every day a critical patch goes unapplied is a day your systems are vulnerable to a known, published exploit that attackers are actively scanning for.
Board question: “How quickly do we fix known vulnerabilities?”
Vendor Risk Assessed
What it measures: Number of vendors assessed vs. total number of vendors with access to PHI.
Target: 100% of PHI-handling vendors assessed annually.
Why it matters: Sixty percent of healthcare breaches originate from third-party vendors. If you haven’t assessed a vendor’s security posture, you are trusting them by default — and default trust is how breaches happen.
Board question: “Do we actually know if our vendors are secure?”
Last Tabletop Exercise
What it measures: Date of the last incident response tabletop exercise.
Target: Quarterly exercises covering different scenarios (ransomware, data exfiltration, vendor breach, insider threat).
Why it matters: An incident response plan that has never been practiced is a plan that will fail under pressure. Tabletop exercises expose gaps in communication, decision-making, and coordination before a real incident forces you to discover them the hard way.
Board question: “If ransomware hit tomorrow, have we practiced what to do?”
Last Backup Restore Test
What it measures: Date of the last successful backup restore test and the time required to complete the restore.
Target: Quarterly restore tests. Recovery Time Objective (RTO) of less than 4 hours.
Why it matters: Backups that have never been tested are not backups — they are assumptions. A practice that discovers its backups are corrupted or incomplete during a ransomware attack has no recovery path. Testing quarterly ensures you know your backups work before you need them.
Board question: “If we lose everything, can we actually get it back?”
Average Deprovisioning Time
What it measures: Average time to disable a departing employee’s access across all systems.
Target: Less than 24 hours from the employee’s last day.
Why it matters: Former employees with active credentials are a significant insider threat vector. Every day an account remains active after departure is a day that account could be used — by the former employee, or by anyone who obtains their credentials — to access patient data, clinical systems, or internal resources.
Board question: “When someone leaves, how fast do we cut their access?”
The dashboard below is designed to be a single slide. Print it, project it, or email it — but present it in person (or over video) so there is space for questions. The format is intentionally simple: six rows, five columns, no jargon.
For each metric, show the current value, the target, the trend since the last quarter, and the clinical impact stated in plain language.
Keep it to 15 minutes quarterly. Present the slide, walk through each metric in plain language, flag the ones that need attention, and invite questions. The goal is conversation, not presentation. If leadership is asking questions and assigning action items, you are doing governance. If they are nodding silently, you are doing theater.
Assign action items. Every metric that is below target should have a named owner, a specific action, and a deadline. Review progress at the next quarterly meeting. This is how oversight becomes accountability.
This is the single-slide dashboard. Copy it. Fill it in with your practice’s actual numbers. Present it to your board every quarter.
| Metric | Current | Target | Trend | Clinical Impact |
|---|---|---|---|---|
| MFA Coverage | 87% | 100% | ↑ Improving | 13% of accounts vulnerable to credential theft |
| Patch Latency (Critical) | 22 days | <14 days | → Stable | Known vulnerabilities remain exploitable for 3 weeks |
| Vendor Risk Assessed | 4 of 9 | 9 of 9 | ↑ Improving | 5 vendors with PHI access haven’t been evaluated |
| Last Tabletop Exercise | 6 months ago | Quarterly | ↓ Overdue | Response capability untested against current threats |
| Last Backup Restore Test | 3 months ago | Quarterly | ✓ On Track | Restore verified — 3.5 hour recovery time |
| Avg. Deprovisioning Time | 4.2 days | <24 hours | ↓ Needs Work | Former staff access persists for days after departure |
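As an added illustration that is not part of the original post, the Python below computes the six metrics from the kind of records a practice already has (account MFA flags, patch release and apply dates, vendor assessment dates, departure and deprovisioning timestamps) and applies the post's targets to produce the slide rows with trend and status. Record formats, metric labels and the sample quarter are constructed assumptions.

```python
from datetime import date, datetime
from statistics import mean

# Targets as stated in the post; the flag says whether a lower or a higher value is better.
TARGETS = {
    "MFA Coverage (%)": (100.0, "higher"),
    "Patch Latency, Critical (days)": (14.0, "lower"),
    "Vendor Risk Assessed (%)": (100.0, "higher"),
    "Days Since Tabletop": (90.0, "lower"),          # quarterly
    "Days Since Restore Test": (90.0, "lower"),      # quarterly
    "Avg. Deprovisioning (hours)": (24.0, "lower"),
}

def mfa_coverage(accounts):  # accounts: {username: mfa_enabled} across PHI-handling systems
    return round(100.0 * sum(accounts.values()) / len(accounts), 1)
def patch_latency(patches):  # patches: (released, applied) date pairs for critical patches
    return round(mean((applied - released).days for released, applied in patches), 1)
def vendor_coverage(vendors, today):  # vendors: {name: last_assessment_date or None}
    fresh = sum(1 for d in vendors.values() if d and (today - d).days <= 365)
    return round(100.0 * fresh / len(vendors), 1)
def deprovisioning_hours(departures):  # departures: (last_day, access_disabled) datetimes
    return round(mean((off - last).total_seconds() / 3600 for last, off in departures), 1)

def status(name, value):
    target, direction = TARGETS[name]
    met = value >= target if direction == "higher" else value <= target
    return "On Track" if met else "Needs Work"
def trend(name, value, previous):  # previous: last quarter's value, None on the first slide
    if previous is None or value == previous:
        return "Stable"
    better = value > previous if TARGETS[name][1] == "higher" else value < previous
    return "Improving" if better else "Worsening"
def build_dashboard(values, previous):  # one slide row per metric: (metric, current, target, trend, status)
    return [(n, values[n], TARGETS[n][0], trend(n, values[n], previous.get(n)), status(n, values[n]))
            for n in TARGETS]

# Constructed sample quarter (hypothetical data, not from any real practice).
TODAY = date(2025, 3, 31)
ACCOUNTS = {"dr.lee": True, "dr.patel": True, "frontdesk": False, "billing": True}
PATCHES = [(date(2025, 1, 10), date(2025, 1, 30)), (date(2025, 2, 3), date(2025, 2, 27))]
VENDORS = {"EHR": date(2024, 11, 1), "Telehealth platform": None, "Billing SaaS": date(2023, 12, 1)}
DEPARTURES = [(datetime(2025, 2, 14, 17, 0), datetime(2025, 2, 19, 9, 0))]
LAST_QUARTER = {"MFA Coverage (%)": 50.0, "Patch Latency, Critical (days)": 22.0}
def current_values():
    return {"MFA Coverage (%)": mfa_coverage(ACCOUNTS),
            "Patch Latency, Critical (days)": patch_latency(PATCHES),
            "Vendor Risk Assessed (%)": vendor_coverage(VENDORS, TODAY),
            "Days Since Tabletop": (TODAY - date(2024, 9, 30)).days,
            "Days Since Restore Test": (TODAY - date(2025, 1, 6)).days,
            "Avg. Deprovisioning (hours)": deprovisioning_hours(DEPARTURES)}
```

Each row in `build_dashboard(current_values(), LAST_QUARTER)` maps directly onto the Metric, Current, Target and Trend columns of the slide; the Clinical Impact column stays a plain-language sentence written by the presenter.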
Copy this template. Fill it in quarterly. Present it to your board. That’s governance.
No 47-slide deck. No heat maps. No acronyms. Six numbers that tell your leadership exactly where you stand, where you need to be, and what to do about the gap. If every small telehealth practice adopted this dashboard tomorrow, the state of healthcare cybersecurity governance would improve more than any compliance mandate has ever achieved.
Does your board or practice leadership receive regular cybersecurity reports?
Can your leadership explain your current cybersecurity posture in plain language?
Are there defined, measurable targets for your security metrics?
Is someone named and accountable for each metric?
When was the last time a board discussion led to a specific security improvement?
If you answered “no” to more than one of these, you have reporting without governance. The dashboard above is how you close that gap.
Security theater protects nobody. Real governance starts with six numbers and the willingness to act on them.
A focused review of your practice’s cybersecurity governance posture: board reporting effectiveness, metric selection, accountability structures, and a customized oversight dashboard ready for your next quarterly meeting.
Hudson Valley CISO
A Division of Security Medic Consulting
Fractional CISO Services | Security Governance | Healthcare Oversight