Three measures a board can act on. None of them require a security background to read.
Healthcare boards do not need a vulnerability dashboard. They need three things they can act on: inventory accuracy against the HIPAA standard, legacy medical-device exposure against the HSCC guidance, and integration readiness for the next acquired site. We produce all three from the same source.
1. Inventory accuracy.
Devices identified by CybrIQ versus devices on the §164.308 inventory of record. The delta is the risk-analysis gap. Reported as a count and a trend. The board can ask a single question: is the gap closing?
2. Legacy medical-device exposure.
Devices identified as past vendor support end-of-life, mapped to the HSCC HIC-MaLTS compensating-control categories. Reported as a count by device family. The board can ask a single question: which families are not yet covered by a compensating control?
3. M&A integration readiness.
Days from close to defensible inventory for each acquired site. Reported as a rolling average. The board can ask a single question: is the integration timeline shrinking with each acquisition?
What does not belong on the board slide.
Threat-actor profiles. Vulnerability-count dashboards. Pie charts of phishing-test results. Generic industry benchmarks. The board's job is governance over the program, not operational supervision of it. The three measures above are the ones a board can govern with.