CEOs of hospitals and health systems and their senior leadership have to be prepared to answer the following questions that Boards of Directors are now asking:
Do we have an effective cyber security strategy and, if so, who is responsible for executing and managing it? Do we have a plan to protect our organization from WannaCry? Do we have a cyber security plan or protocol that includes a NIST framework? If your answer is “no”, investing in a Chief Information Security Officer (CISO) is your best strategy.
At the recent Healthcare Security Forum in Boston, sponsored by HIMSS, keynote speaker Tom Ridge, U.S. Secretary of Homeland Security, underlined the urgency of the issue:
• Hospitals are a target-rich environment for hackers. In fact, according to the FBI, hospitals and healthcare systems are the number one target of cyber criminals.
• Patient information and personal identification can be monetized by hackers and is much more valuable than credit card information and other forms of data.
Ridge recommended that healthcare organizations ask themselves the following questions: Are you aware of the risks? Do you have an enterprise strategy? Are you thinking about the risk across the enterprise, including devices, HR, Procurement, and other areas? How are you training employees? Do you monitor 24/7? Do you have the right technology in place to help manage the risks? Do you have cyber insurance? Is your Board of Directors aware of and educated about these threats and their potential costs to your organization?
Another question that Ridge posed was: Do you have a CISO?
A Patient Safety Issue
The Boston event came shortly after the news of the major data breach at Equifax, where 143 million consumers’ sensitive personal information was exposed. The other security experts at the Healthcare Security Forum shared a common theme: it’s not a question of if you will face a data breach attempt, but when, and how your organization will proactively prepare for and mitigate these common threats.
In healthcare, the stakes are higher than in other industries. It is truly a matter of life and death when, among other critical devices, a hospital’s ventilators, monitors and pumps can be commandeered and ransomed. Anahi Santiago, CISO at Christiana Care Health System, has noted, “The role of the CISO in healthcare is very unique.” She adds: “I believe that information security is a patient safety issue. And I think a lot of organizations are just starting to think about it as not just a risk to a patient’s information but a risk to a patient’s life. Bad information in a medical record could actually kill someone. I see the role of the CISO as integral to the delivery of quality patient care.”
The Department of Health and Human Services issued nearly $23 million in fines for HIPAA violations in 2016, with seven settlements in excess of $1.5 million. HIPAA audits and fines are a reality for hospitals to consider seriously. At a minimum, organizations must ask themselves: are we prepared to pay the fines and risk losing patients over a data breach? Worst case, are we prepared to risk our patients’ safety? If the answer is no, then investing in a CISO to navigate the complex world of data breaches and cyber security is essential.
Hospitals that have invested in a CISO are better prepared to protect patient data and are able to execute plans that reassure patients that their hospital is prepared and has a plan in place. Santiago of Christiana Care Health System noted that having a CISO working on protecting the organization and serving as the single point of contact can help hospitals plan better, educate the entire staff and remediate risks.
When asked why healthcare organizations should invest in a CISO, Sean Murphy, Vice President, Chief Information Security Officer at Premera Blue Cross in Seattle, said, “After a data breach you will be told by expensive consultants and not-so-happy regulators: Hire a CISO or elevate current personnel to a more senior level. Rest assured, you will do it. Do it now. You may just avoid a breach altogether. After a breach, you definitely will spend too much just to get the same advice in the form of a mandate.”
Qualities of Good CISOs
What characteristics and qualifications are needed for a strong CISO? Certain skills and qualities are essential:
• A strong track record in building and leading a robust information security program
• The ability to build and lead a highly responsive, service-oriented team that consistently meets its goals
• The capacity to interact effectively at all levels of the organization and with multiple stakeholders including physicians and Board members
• The ability to deliver consistent education and training to employees to create awareness and to help mitigate internal threats
• The ability to navigate the wide array of complex software solutions and tools that help protect the organization, and to manage the budgeting process for those tools
• Knowledge of how to leverage the NIST standards and other applicable protocols, and of innovative, proactive ways to address cyber security threats and data breaches
• The ability to be a “visible leader” within one’s organization to promote awareness
Certain skills are constant among the very best CISOs, said Michael E. Kanarellis, IT Assurance Senior Manager at Wolf & Company, P.C. “The ability to properly interpret regulations’ requirements while understanding the technical security controls needed to improve their organization’s overall security posture is an absolute must,” he said. “Every corporation is under attack in every vertical every day. Someone within the organization needs to be accountable for the implementation of internal and external security controls designed to safeguard the company’s Personally Identifiable Information.”
In terms of education, CISOs typically have a bachelor’s degree in Information Systems, Computer Science, Health Information Management, or a related field. Also, a master’s degree in a related field is typically preferred. In addition, security certifications including CISSP, CIS and/or CHPS provide added value and credibility.
Richard Staynings, the Principal and Cybersecurity Healthcare Leader at Cisco, also spoke at the Healthcare Security Forum in Boston. “There are way too many security tools on the hospital networks today,” he pointed out. There are approximately 45 to 65 vendors to manage, and most hospitals are using only 20% of the functionality of these tools while paying 100% of their cost. “Having a strong CISO and team can help the organization navigate the right solutions for cyber security threats and maximize their capabilities while saving on costs,” he said.
Today’s CISO needs leadership support and commitment from the CEO of the hospital and the Board of Directors, along with a budget to hire and train the best team to protect the assets of the organization. The investment in a seasoned CISO will provide the security protection that is now recognized as essential in healthcare across the country. It is imperative to protect patients and to mitigate the risks of a data breach, whether internal or external, that can cause irreparable damage. The cost to patients and the risks associated with potential fines and negative publicity keep CEOs up at night. An experienced CISO is the solution.
About the Authors
Based in Massachusetts, Malissa O’Rourke Miot is a consultant in Witt/Kieffer’s Information Technology (IT) practice. Hillary Ross, J.D., is the managing director and leader of the firm’s IT practice; she is based in Oak Brook, Illinois.