A by-product of healthcare reform and the shift to a ubiquitous digital environment is the increased risk of cybersecurity threats and attacks. These security issues are real, evolving and can happen to any organization, as has been shown time and again over the past several years. Security breaches have become so common that most experts agree that, for healthcare organizations, it’s not a matter of if a breach will happen, but when. Some say the threat will get worse before it gets better in healthcare.
For now the “bad guys” do have the upper hand. Forbes writer Dan Munro called cybersecurity the top story in healthcare last year. Fortunately, healthcare organizations are responding and protecting themselves. The American Hospital Association (AHA) has posted an excellent Cybersecurity Resource Page that describes some of these activities.
CISO: A leadership imperative
One important way healthcare organizations are confronting cyber threats is by hiring a chief information security officer (CISO). While designating and hiring a CISO does not guarantee a secure digital environment, it is a key step. A healthcare CISO is responsible for developing, leading and maintaining the enterprise vision, strategy and program for information security to ensure information assets are protected.
A strong CISO can provide the leadership and guidance to collaborate with senior management and boards in prioritizing the resources needed for data security. He or she knows how to educate and obtain buy-in from key stakeholders, supporting the reality that information security is critical to business operations and a necessary investment as oppose to an expense.
A chief information security officer can implement practical methods for remediating the risk of cybersecurity attacks to allow an organization to pursue its business objectives while also protecting sensitive data and patient rights.
For such a big issue, one would think that provider organizations are devoting ample resources to deal with this growing threat. Unfortunately, that does not seem to be the case, based on our recent discussions with IT leaders. Many hospitals and health systems are not making the necessary investments to support a robust security program or are unsure as to how to move forward. As it directly relates to the CISO position, some organizations are getting hung up on the title, reporting relationship, compensation, and where the role may fit in the organizational structure.
Provider organizations that are making the investment in information security and now attempting to fill CISO positions are finding that the pool of talent is limited and the market is competitive. The demand is significantly higher than the supply of qualified candidates. This is a perfect example of how healthcare organizations will need to look into other sectors and genuinely consider non-traditional candidates. Hiring leaders from other sectors, such as financial services, allows organizations to target individuals who have a more seasoned background in the development of comprehensive security programs and the experience in responding to a variety of cyber attacks.
The ideal CISO
The Chief Information Security Officer is a polished and knowledgeable IT security executive who can effectively lead the strategy and operations for the information security program of an enterprise.
The ideal background for a CISO in healthcare includes:
- Deep knowledge and experience in information security, risk management, and regulatory compliance
- Significant and progressive experience in information security management, including planning and policy development
- Experience in healthcare and/or other regulated industries
- Excellent communication and relationship-building skills
- A keen understanding of business and risk assessment
- Experience working with the executive suite
- Relevant security certifications such as CISSP (Certified Information Systems Security Professional)
Technology has allowed for greater quality and efficiency in healthcare, yet with risks. We expect to see the role and prominence of the healthcare CISO continue to increase and evolve in the coming years, and will be tracking it closely.
[Editor’s note: This article was originally published on Witt/Kieffer’s Witt & Wisdom blog. Permission to reprint has been granted.]