In my last blog, I mentioned that the CIOs who participated in our recent CHIME focus group are mindful of the need for strong cyber security, given the steady news of patient identity and medical data breaches. This has driven hiring demand for health IT security professionals. Have you hired a Chief Information Security Officer (CISO) yet? If not, you may want to focus on hiring one for your organization. Let’s examine some of the titles, roles, salaries and key responsibilities.
This area of IT security has grown rapidly in the last five years, and in many cases has become its own department outside of IT. The IT security leader may be a department of one or may oversee 40 FTEs, depending on the size of the health system. Academic medical centers, large multi-hospital health systems and research-intensive teaching hospitals tend to employ larger IT security staffs with multiple layers of authority. In our database of health IT security professionals, 33 percent of organizations use the title Chief Information Security Officer or Information Security Officer for the top security role. In about 23 percent, the title is Director of Information Security; this title appears mainly in smaller hospitals, and in larger health systems where the Director sits below the CISO in a multi-layered IT security staff.
Titles and roles
Many organizations have multiple IT security leadership positions. One large for-profit health system has a Chief Security Architect and 14 Directors of Information Security. A large academic medical center in the Midwest has a CISO and a Director of Information Security. A four-hospital system in the Chicago suburbs has a CISO and a Director of IT Security. A large multi-state and multi-hospital system in the West has an AVP, CISO and a Director of IT Security. A large IDN in California has a Chief Data Security Officer, an Information Security Officer and two Regional Information Security Officers. An academic medical center in the South has a CISO and a Data Security Officer. A cancer and research center has a CISO and a Data Security Officer and a 40-person IT security staff. An academic medical center in the Northeast has a CISO, a VP of Information Security and a Senior Security Administrator. In some smaller health systems, the CIO has also taken on the role of Security Officer.
The CISSP (Certified Information Systems Security Professional) or the CISM (Certified Information Security Manager) is usually required for IT Security Officer and CISO positions.
Here are some sample salaries for top IT security roles from different parts of the country:
- Northwest, multi-hospital Chief Data Security Officer – $220,000
- Mid-Atlantic multi-hospital CISO – $175,000
- West, single hospital IT Security Officer – $200,000
- West, multi-hospital CISO – $311,000
- South, three-hospital CISO – $182,000
Key responsibilities for a CISO
Here are some key responsibilities for the Chief Information Security Officer position, which will vary with size and complexity of the organization.
- Lead information security governance, develop and maintain enterprise security policies
- Incorporate information security in all facets of IT
- Oversee information security risk management activities
- Influence user behavior to meet the organization’s information security needs
- Work closely with the CIO and other executives on security strategy and vision
- Determine action plans for risk assessment and gap analysis
- Ensure compliance with HIPAA, JCAHO (now The Joint Commission), PCI DSS and other regulatory requirements
- Collaborate with Privacy, Compliance, Legal and Internal Audit to protect patient privacy and support quality and safety of care
- Develop and maintain incident response plans for handling security breaches, including breach notification obligations