By Scott Westcott, Contributing Writer
More healthcare organizations are recognizing the value of appointing a Chief Information Security Officer (CISO) to develop information security strategy and oversee efforts aimed at preventing breaches.
Healthcare organizations are grappling with information security breaches, and the chances of suffering one are growing every day. Last year alone, the healthcare industry suffered 333 data breaches, up from 16 in 2005, according to statistics from the Identity Theft Resource Center.
The picture appears to be getting bleaker in 2015 with health data hacks making headlines again and again. These include the massive Anthem breach in which an estimated 80 million records may have been exposed. An American Action Forum report estimates dealing with security breaches will cost healthcare organizations more than $37 billion in the first six months of this year alone.
Healthcare organizations are fighting back, deploying a range of technologies and strategies to secure networks and protect patient and employee information. And growing in importance in this battle is the need for a leader to oversee security and develop a vision to prevent future breaches.
To that end, more and more organizations are establishing and filling the role of Chief Information Security Officer (CISO), a senior-level executive who is responsible for establishing and maintaining the enterprise strategy and program that ensure information and technology are protected. Recently Mac McMillan, chairman, CEO, and cofounder of CynergisTek, Inc., and Heather Roszkowski, CISO of The University of Vermont Medical Center, offered their expertise in a session at the HIMSS 16th Annual Conference entitled Selecting the Right CISO and Building the Security Office. They recently shared their insights and additional perspectives on the issue with Health IT Outcomes.
Q: What is driving the increase in the number of CISOs in healthcare, and how important is it to have one?
Roszkowski: One of the big drivers is that the CIO’s plate is full with all the issues they have to deal with. With new systems and new technology, everything has become so complex and complicated that it gets to the point where you can only dedicate one-tenth of your brain to security — you really need a dedicated person who is focused on security. I think the trend has been building over the last five years, but recent threats have been the kicker pushing it over the edge.
McMillan: Four or five years ago you were seeing a small increase in organizations creating this role. In the last two years, rapid increases in computing power, sheer numbers of additional applications, and the growing number of mobile devices added increased threats. At the same time, the networks have become so much more complicated and complex that you really need someone on the resource side who is dedicated to the security role. It’s become much easier to get buy-in for developing these roles. And beyond that buy-in, boards and executive teams understand the importance of elevating these positions to a high enough level that the person in the role will be at the table to exert influence and can be aware of what is going on throughout the company.
Q: What tools and support does an effective CISO need, and what skills and experience should an organization hiring one look for?
Roszkowski: As far as tools and support, it depends on the organization and where it is in terms of security. The tools and resources necessary are really going to be driven by the specific needs, so the key is to get the CISO in there to build a gap analysis so they can then identify the tools needed and bring on a team that fits the organization to help close those gaps. So when you are initially creating the role, you want someone who can do that assessment and then follow through on what needs to be accomplished. When I came on board here at UVMMC about three-and-a-half years ago, I started alone. We have since added a couple of analysts and engineers. We are consistently growing every year based on seeing what the needs are and focusing on how to address them.
McMillan: It will vary by organization, by size and complexity, by the particular security model they adopt, or by whether they aim to handle it themselves or hire resources from outside the organization. We are seeing more and more organizations in the hybrid category, in which some things are handled in-house but they partner with outside sources for more specialized services and expertise. The key is to have a senior-level person who understands what needs to be done and then can make the right decisions with regard to what resources and staffing are necessary to create the most secure system. Ideally, that person will also understand the business and have skills at building consensus at the senior level. No matter how much you know about security, no one person can secure an organization alone. They will need to get collaboration and buy-in.
Q: Do internal threats present more of a threat than external ones?
Roszkowski: It’s hard to quantify which is more of a threat. It really depends on the situation. One of the approaches we take is to focus on the idea that every threat has a different level of risk. At any given time, the most significant threat may be internal or external. From a strategic standpoint, we have really focused on securing the perimeter of our network and working our way in from there. I want to make sure there are protections in place for everything coming in and everything going out. So we are protecting against external threats but also looking for high-risk internal threats.
McMillan: Until recently, I would have said internal threats posed the bigger risk. Today, I say “all of the above.” I don’t believe the inside threat has abated or gone away. What has changed is that the external threat has exponentially increased. For the most part, internal threats are small and can be contained, but external threats have become much worse in terms of the huge amount of information that can be exposed and/or compromised. That presents a tremendous business risk. So what I am hearing these days is that people are taking a very balanced approach to both internal and external risks.
Q: Who will a CISO be expected to interact with within an organization, and what would those interactions look like?
Roszkowski: To do the job well, a CISO has to be adept at interacting with people at a wide range of levels throughout the organization. On any given week, I am working with the director of risk management, the chief privacy officer, human resources, marketing and communications, physical security, and internal audit. I interact with the training staff regarding training programs and new employee orientation. So there is really no part of the organization that this role doesn’t touch. It is essential to be able to communicate effectively with other department heads, leaders, and employees. It is actually getting easier to get that buy-in because people are seeing so much about security breaches in the news.
Q: Does every organization need a CISO, regardless of size?
Roszkowski: The way I look at it, as the organization grows, the risk grows. What we are beginning to see is that as hospitals and health systems get larger, they have to treat information security as they do other major aspects of the business, such as logistics. I think a larger health system absolutely needs someone in a CISO role. In smaller organizations, they may simply not have the budget or resources for a dedicated CISO, but there does need to be someone knowledgeable about information security. Even if it is at a small clinic, someone on staff should be letting people know why they should not be writing passwords down and leaving them out where anyone can see them.
McMillan: I think any health system large enough to have a real network should have a dedicated person in the CISO role. At a smaller organization you may have someone who has multiple roles, one of which is focusing on information security. With midrange and smaller organizations, the hybrid approach is proving to be successful where some activities are handled in-house and those that aren’t core to the mission are outsourced. So it may be a security partner doing monitoring and auditing. From a strategic standpoint, you are seeing more organizations bring in external partners with certain specialties and expertise.
Q: What results should an organization expect once a CISO has been hired?
Roszkowski: It really depends on where an organization is in its security program. I was fortunate enough to come to UVMMC right after an assessment had been conducted. So I had a pretty clear picture of the situation and could establish some clear goals for what I planned to achieve over a course of one, two, or three years. Yet when establishing expectations, it is important to evaluate where the culture is in terms of awareness and what the appetite is for information security. There are certain technologies I could have put in place in 90 days, but from a strategic standpoint it made more sense to concentrate on the culture and develop a plan for where we want to be in one, two, or three years and then execute on that.
McMillan: As far as expectations, it depends in large part on the maturity of the program when the person comes into the role. A CISO coming into an organization that has a mature information security program faces an entirely different set of challenges and expectations than someone who is filling a newly established CISO role. One broad measure I think does a pretty good job of showing whether the information security program is doing a good job is whether you hear security being talked about. So, are you hearing people discuss security more often? Is the staff asking more and better questions related to security? Are security issues being discussed as a routine part of developing and improving workflows? When these things start to happen, you begin to realize that the CISO is beginning to have a real effect on the organization and achieving better awareness.
Q: How have technologies such as cloud and tablets/smartphones complicated security?
McMillan: The cloud and smartphones have definitely made information security more complex, but it doesn’t stop there. In healthcare, wearable technologies have made the environment even more complicated, complex, and risky. You have to keep in mind that a lot of these new wearable technologies were not developed with security in mind. Rather, they were designed to be convenient and easy to use, which exponentially expands the risk and the need for assessments. Anyone with wearable technology could be an avenue to harm the network. We have to stop thinking in terms of this technology or that technology and develop a holistic approach to securing data wherever it’s located and whatever it’s on.
Roszkowski: New technology has drastically increased the complexity of the job and will continue to do so. You went from users working on a desktop, to then maybe a laptop and a cell phone. Today, most users not only have those devices, but they also have a Fitbit, a smartphone, a tablet, and a watch that features wearable technology that is constantly syncing. It has gotten so complicated, and as Mac mentioned, many of these devices were not developed with security in mind, are not encrypted, or do not have strong passwords. They are exponentially increasing the risks. At the same time, a lot of these technologies have the potential to improve patient care, so you don’t want to be always arguing against something that may be helpful to patients. You really need to strike a balance between security and the benefits of these new technologies.
Q: What best practices would you share with organizations looking to add a CISO?
Roszkowski: Well, first of all, if they have decided to add this position, that is a very positive first step. One thing to keep in mind is that they are asking for someone to bring their experience and expertise so they, as an organization, are going to be asked to change and need to be willing to change. It’s about finding the right person, someone who has the credentials, but is also flexible and can adapt quickly. As a veteran I will put in a shameless plug for veterans who typically have a fantastic amount of training for and knowledge about these roles.
McMillan: At a basic level, make sure you find someone who knows their craft, understands the challenges, and has a strategic mindset to assess your unique situation. Look for a strong communicator who can work across disciplines within the organization. If possible, finding someone who knows the industry can definitely be an advantage. They already know many of the technological challenges, the nuances of the industry, and the mission of care and how it is delivered. That knowledge and understanding can translate to reasonable protective measures around privacy and security, while still allowing the most effective delivery of care to patients. In the end, you need someone with demonstrated leadership skills. CISOs need to be leaders and change agents.