Cybersecurity incidents in healthcare are on the rise. There have been more incidents in 2018 than in 2017. As a result, organizations are continuing to strengthen their security programs.
I am currently working with two clients who are focusing on security. One is a large regional organization that is hiring their first Chief Information Security Officer (CISO). They asked StarBridge Advisors to provide an interim CISO to help build the security program while they recruit. The other is a university health system that is consolidating their security program under the university CISO and hiring an associate CISO to focus on the health system. Both organizations recognize the importance of the CISO role and the need to continually strengthen their security profile.
While it may be surprising to see organizations hiring their first CISO in 2018, what matters is that they recognize the need and are making the investment.
When I served as CIO at Michigan Medicine for the hospitals and health centers, we crossed that bridge in 2015. The IT leader responsible for infrastructure had been responsible for security as well – not uncommon in healthcare organizations. I recognized that the security function needed a dedicated focus, so we hired a full-time CISO.
I engaged a third-party security expert to conduct an assessment using the NIST framework. As a CIO, I learned a great deal through that process. With the help of our consultant, I was able to educate the executive team as well. One component of the final assessment report was about creating a security culture.
Security cannot just be the job of the CISO. It is everyone’s job. These are the signs that an organization has developed a security culture:
- Security is discussed at the senior executive level, with critical decisions about organizational security activities made by the CEO and other senior leaders;
- Senior executives receive regular reports on the security posture of the organization, and incorporate them into overall organizational risk management;
- The organization has a CISO, positioned to influence organizational activities, and who operates independent of conflicts of interest;
- Security staffing levels are adequate to address the existing and future security issues;
- Security is a defined budgetary item, with security spending sufficient to address identified risks;
- Security is incorporated into overall organizational activities, including system acquisition, and data sharing with business partners;
- The organization’s research arm views security as critical to research activities, even if the research involves information considered public; and
- Workforce members are aware of their roles and responsibilities with respect to IT security and are held accountable to meeting them.
Can your organization check off all the boxes on this list? If not, you’ve got work to do.