As more healthcare organizations realize the need for a CISO in addition to a CIO, the CISO is becoming healthcare organizations’ most valuable player against data breaches.
These Chief Information Security Officer positions are hard to fill, and when a business does find them, they’re hard to keep, said a USA Today article on the role. The role is called “critical,” a hybrid CFO and CIO, who can approach a board confidently, ask for money for better security, outline the need for it and convince a board to finance it.
Though CISOs still aren’t required at every healthcare organization, you can expect to see more roles for CISOs pop up over the next several years. In the meantime, preview what the data landscape and front lines of the information security fight will look like if more healthcare CISOs take a stance like those in the nine quotes below on data security.
On the growth of CISO positions
"I've definitely seen CISO positions growing. Some hospitals discover the need – as this hospital did three years ago. There wasn't a dedicated security position prior to me coming on board. It's definitely growing more and more. People see it can't be done as a secondary role." – Heather Roszkowski, CISO at University of Vermont Medical Center
"The role of the CISO in healthcare is very unique. I believe that information security is a patient safety issue. And I think a lot of organizations are just starting to think about it as not just a risk to a patient's information but a risk to a patient's life. Bad information in a medical record could actually kill someone. I see the role of the CISO as integral to the delivery of quality patient care." – Anahi Santiago, CISO at Christiana Care Health System
On how to achieve data security
"We have a very active intelligence program. We don't rely just on our own monitoring. I work with a lot of third parties. I work with our government agencies, with our own healthcare agencies, other financial agencies to understand where the real threats are. You can't rely on your own systems. You have to collaborate with other partners." – Cris Elwell, CISO at Seattle Children’s Hospital
"You can say you make systems secure and compliant. Or you can have operational checks and balances to make sure they actually stay compliant." – Mitchell Parker, CISO at Temple Health
On having a dedicated security team in smaller healthcare organizations
"It doesn't mean that you have to have a dedicated team of 50 people. You can have a dedicated team of four people in a smaller institution and really be able to carry out the same work we're carrying out. I think the mistake they typically make is not really making this investment and designating these individuals to have responsibilities for this." – Meredith Phillips, CISO at Henry Ford Health System
On security empowerment
"You can have the most stellar security team, and if they're the security team from yesterday -- the ones in that dark room behind the locked doors that were really unapproachable, never really seen and never interacted with people -- that's a problem. We need to get out there and talk to our users." Connie Barerra, CISO at Jackson Health System
On encryption and passwords
"Five years ago, that's what we were all talking about: why can't we get our laptops encrypted? Now, leadership in healthcare is saying, why wouldn't you encrypt your laptop or cell phone? That's what we're starting to see now with passwords. … Once you get the foot in the door, where people see the value, they start selling it for you." – Dan Bowden, CISO at University of Utah Health Care
On securing mobile and cloud-based tools
"If you're a security person and you're saying no to these things, you have already lost. If you think you do not have personal devices in your environment, you are wrong. If you think that you're internal information is not going out on cloud services, you are wrong. We've got to embrace this stuff. It's 2015." – Barry Caplin, CISO at Fairview Health Services
On the future of security
"[Security] has always been a people issue," he told Healthcare IT News. "The toughest security problem is getting people to understand. It's the same issue we had five years ago; it's going to be the same issue five years from now." – Jigar Kadakia, CISO at Partners HealthCare