'Two different seasonings for the soup': How health system CIOs, CISOs collaborate

As hospitals face a vast array of cybersecurity threats, an effective working relationship between the chief information security officer and CIO becomes even more important. 

"The role of the CISOs is not to be righteous. It is to make sure the assurance perspective, data, and trends are factored into those final decisions and considered regardless of the eventual outcome," Jack Kufahl, CISO of Ann Arbor-based Michigan Medicine, told Becker's. "If you can find a CIO and CISO team that can be productive and joyful in their work together with those expectations, it is a pretty good deal."

For CISOs, the weight of protecting an organization's data and deterring cyberattacks can come at a high cost. A report from cybersecurity company Cynet found that 94 percent of CISOs suffer from work-related stress, with 65 percent saying that the stress compromises their ability to protect their organization from cyber threats.

According to a 2022 survey from Heidrick & Struggles, CISOs ranked burnout and stress as the top two personal risks of the job. In healthcare, the severe cost of a data breach of a patient's personal health information can add to the toll.

To help bear the load of maintaining cybersecurity vigilance, many CISOs prefer CIOs who are active in cybersecurity operations.

"What I look for in a CIO is someone that truly understands why cybersecurity is important, feels that cybersecurity is part of their job description and the responsibility, and it's not just the CISO's responsibility to keep the organization secure," said Teresa Tonthat, vice president and associate CIO of Houston-based Texas Children's Hospital.

"I have always been lucky to have very security-conscious CIOs in my career," said Steven Ramirez, CISO of Reno, Nev.-based Renown Health. "I find the most important elements to a successful partnership are building trust, being adaptive, collaboration and communication. I generally look for what strategic initiatives my CIO has and tailor my strategy, communication and approach to meet their style."

While partnering on cybersecurity initiatives, CIOs and CISOs also need to work through differences in organizational IT strategy.

"CISOs and CIOs are two different seasonings for the soup, and you want to make sure that they blend well together even though they are distinct flavors on their own," Mr. Kufahl said. "Primarily, the relationship between the two should be one of private debate but public alignment. The ongoing discussions around balancing the protections of the company versus the priorities of information technology for the business should be full-throated and exhaustive, but at the conclusion of those discussions, the final decisions should be mutually supported." 

For hospitals, having a CISO and CIO team that complements each other is critical as sophisticated global threat actors target the American healthcare system and attacks result in increased damages. Spring Valley, Ill.-based St. Margaret's Health recently became the first healthcare facility to close because of a cyberattack.

With this increased threat environment, CISOs said the responsibility of protecting patient data goes beyond them and the CIO to the whole healthcare organization. 

"Every individual at the hospital has a part of staying cyber-smart and helping maintain operational resilience around their knowledge and understanding of cybersecurity vigilance and cybersecurity hygiene," said Ms. Tonthat.

Copyright © 2023 Becker's Healthcare. All Rights Reserved.