A CISO's Biggest Challenge

The biggest challenge Gaylon Stockman, CISO of Lifespan in Providence, R.I., currently faces is not the complex technical requirements of data protection or incorporating changing laws and regulations into the health system's information security procedures.

It's finding a balance between protecting data and ensuring physicians have access to the information they need.

"Healthcare has typically been more wide open," says Mr. Stockman, and physicians and other caregivers are increasingly accessing patient data to make diagnoses and develop treatment plans. At the same time, stricter HIPAA requirements and new security threats introduced by mobile devices and other technologies are necessitating more controlled access to providers' data troves. The trick, says Mr. Stockman, is finding a middle ground and getting physicians and other stakeholders on board with data security. "Patient care comes first and foremost, and you have to let clinicians do their job," he says, "but you still have to be protecting patient information."

Mr. Stockman became Lifespan's CISO in March. Previously, he served as CISO of UnityPoint Health in West Des Moines, Iowa, and as network security officer at Huntsville (Ala.) Hospital. While the goal of his job has always been data protection, the front lines of the information security fight have moved.

"Years ago, people hacked into modems. Now, there's mobile devices," he says. "So I take the knowledge I have and put controls in place to mitigate those and future risks… that historical knowledge is good, but the threat landscape is constantly changing and it's a new day, every day."

Not many healthcare CISOs have seen this transition. When Mr. Stockman became the CISO of Huntsville Hospital in 2006, a small fraction of providers had an executive solely focused on information security. He credits the swelling CISO ranks over the past couple of years to the HIPAA omnibus rule and higher fines for data breaches. "The fines are forcing organizations to focus on information security and protecting their data," he says.

Once in the position, however, CISOs should look beyond strict HIPAA compliance to creating data security protocols that both respond to new security challenges, like mobile technology, and meet the data needs of physicians and others in the organization. "It's so important physicians are in line and in sync with what you're doing," he says, "and you're in sync with their needs."

An effective CISO will also have the backing and support of the other leaders in the organization. "You have to have executive sponsorship, board sponsorship, to be successful," says Mr. Stockman. "Not to say you couldn't be without it, but it would be much more difficult."
