How the health system CISO role is evolving: 3 CISOs on threats, strategy and what lies ahead

Chief information security officers play a crucial role on the hospital's IT team.

These individuals are responsible both for addressing internal weaknesses that could lead to data breaches and for guarding against outside cyberattacks, which makes the role doubly challenging. Here, three CISOs discuss how their roles have changed over the past two years and how their responsibilities will evolve in the future.

Vikrant Arora, CISO of Hospital for Special Surgery (New York City): My role has changed from being an 'advisor' responsible for a static program aligned with standard frameworks and architectures to that of a 'designer' developing a dynamic security program, mostly in the absence of frameworks (which are still being developed) and with architectures that vary from application to application. One example is enabling based applications, which rely on computers and networks that are not physical devices such as servers and routers but microservices and serverless architectures or, simply speaking, lines of code.

Additionally, these applications are being designed to be accessed from anywhere and any device. Securing such applications not only requires new technologies but also a new mindset to think in terms of actual risks instead of simply slapping on existing security controls. I see this continuing in the next 12 months, which will lead to an evolutionary change in security team structures, processes and capabilities.

Thomas August, CISO of John Muir Health (Walnut Creek, Calif.): I see my role as an advisor to the business. I'm primarily engaged in identifying risks, developing a vision with regard to risk management strategy, constantly validating our understanding of the organization's risk appetite, building financial business cases to support the vision, inspiring others to actively support the vision, collaborating with vendors to make planned initiatives a reality, implementing the required technologies and workflows to support these initiatives, educating the workforce on risks/threats/threat-actors/risk-management-priorities, maintaining regulatory compliance as appropriate, and building operational excellence into cybersecurity workflows. I don't see these parts of my role changing any time soon.

Don Fosen, System Director of Technology and CISO of Edward Elmhurst Healthcare (Naperville, Ill.): Our IT security program and my focus have really moved to looking at things from a risk management perspective during this time, and that focus is increasing. We are implementing a formal Risk Register, an Enterprise Risk Management program, and a ServiceNow-based governance, risk and compliance tool.

Copyright © 2022 Becker's Healthcare. All Rights Reserved.