Improving regulatory compliance isn't the main priority for Cris Ewell, CISO of Seattle Children's Hospital.
"I'm going to improve our maturity of information security controls and then, out of that improvement of those controls will come much better regulatory compliance," Mr. Ewell told Healthcare Info Security. "I don't go after certain compliance levels."
Mr. Ewell's comments contradict the findings of Healthcare Information Security Today's survey, in which respondents indicated improving regulatory compliance was their top priority for the year.
Instead, Mr. Ewell said mature security controls precede regulatory compliance.
"I will have information security controls in a process governance structure, and out of that strategy will come regulatory compliance," Mr. Ewell said.
Additionally, Mr. Ewell said breach detection should be higher on the priority list than regulatory compliance. He mentioned how many healthcare organizations don't notice their systems have been compromised for at least a few days, and sometimes a few months. "The quicker we have the ability to monitor and detect that unauthorized access, the quicker we can stop that and figure out different controls we can put in place to help that," he said.
More articles on security:
Payer disputes hospital data breach settlement, saying hospital failed to meet privacy requirements outlined in cyber policy
FDA alerts of software security vulnerabilities in Hospira infusion pumps
Media coverage of data breaches drives 69% of companies to take another look at security: 5 things to know