'Every CEO, at this point, is now in the business of cybersecurity': How hospitals should rethink threat defenses   

As cyberattacks on hospitals and health systems continue to escalate, the role of chief information security officer must evolve to adequately protect patients' information and have a more prominent role in the business, according to a July 10 San Diego Union-Tribune report. 

"Every CEO, at this point, is now in the business of cybersecurity," Lisa Easterly, CEO of the San Diego Cyber Center of Excellence, told the publication. "They need to be engaged and understand what the risk is on a real-time basis; the threat landscape is ever evolving and becoming more sophisticated." 

Seven things to know: 

1. The average cost of a data breach in the healthcare industry is more than $7 million, according to a recent IBM study. Hackers can affect a hospital's financials just as much as malpractice lawsuits, bad investments or changing economic conditions. 

2. While CISOs are generally responsible for keeping track of cyber vulnerabilities and preparing incident response plans, their reach to the CEO appears to be somewhat rare in healthcare. 

3. In San Diego, no CISOs at healthcare organizations sit on the executive teams that report directly to CEOs; many report to the CIO or chief technology officer instead, according to a recent informal survey of local healthcare organizations cited by the publication. 

4. Hospital IT departments generally are more focused on keeping equipment running and on digital transformation processes, said Michael Hamilton, co-founder of Seattle-based information security consulting firm CI Security. 

"The CIO is concerned with keeping the lights on; if the stuff is working, don’t mess with it," he said. "Having to carve out that budget for security means that the digital transformation work is not going to get done and that’s the stuff that makes money for the business, and security can get sidelined." 

5. Balancing IT budgets between digital transformation and cybersecurity protections can be a problem for many organizations, which some are solving by removing information security from IT to lessen the chances of competing interests, Ms. Easterly said. 

6. Hospital executives must understand and demand resources to combat new cyber threats with the same resourcefulness they use to address all other aspects of business; CISOs are in the best position to communicate this advice and knowledge to executive leaders, but they often have trouble explaining their technical findings in a way that boardroom audiences will understand, Mr. Hamilton said. 

7. An organization's initial thought to handle cybersecurity may be to name the best technical expert the CISO, but this can end up backfiring if that person isn't willing to strengthen their understanding of the business they're trying to protect. 

"A big part of the problem is that people who have come up through this technical track need to go out and get a damn MBA," Mr. Hamilton said. "Yes, the CEO should probably learn something about cyber, but the CISO, even more so, needs to know more about business."

Copyright © 2022 Becker's Healthcare. All Rights Reserved.