“Folks have been scamming other folks since there’s been folks.”
During a recent interview, Dennis Leber, interim CISO at UConn Health, suggested that in the world of healthcare cybersecurity, theft and deceit are nothing new. The difference is that now, “we do it with computers and social engineering.” And the ‘scams’ are crippling hospitals and practices by interfering with patient care and significantly damaging the bottom line. In some cases, cyberattacks have led to patient deaths.
Fortunately, leaders have started doing something that was once thought impossible: sharing best practices. Not just in private conversations, but in more public formats such as industry events, as well as webinars and interviews. And the discussions aren’t focused solely on frameworks and vulnerability scans; it’s also about the partnerships that need to be created and nurtured, their strategies for recruiting and retaining talent, and the continued evolution of IT security leadership roles.
Below, we’ve compiled some insights from our CISO Interview series that shed light on the myriad challenges leaders face, and how they’re working to overcome them.
Tell a story
Anyone who is a CISO knows that what makes a person effective in this role is relationships, because you have to be able to tell a story. You have to be able to share and break that information down and tell the story of risk and tell the story of how collectively we can make changes to reduce or mitigate risk. They’ve got to feel they are part of the journey, not being talked to and told what to do, but a part of the story and a part of the solution. And that is what has served me in my role: relationship-building and storytelling.
Melissa Rappl, CISO, Children’s Hospital & Medical Center
Bodyguards, not guardians
We think of ourselves as the bodyguards of the company, not the guardians. We’re not here to preach, “Hey, you should do this.” We’re here to protect. And speed is of the essence in everything we do. If you have a security function which is executing fast, and providing a response fast, then people are willing to be patient. But if you have a security function that becomes almost like a bottleneck or a bureaucracy where things go in and you don’t know when the output will be delivered, that becomes an issue.
Rishi Tripathi, CISO, Mount Sinai Health System
Everyone is security
It’s investing in not only process and technology, but people. I think that’s a really important variable. One of the concepts that I’m always trying to get across is that everybody in our organization is a member of the security team. It’s not just me and my departments. Everybody has a role and responsibility. One of the most effective ways that we’ve combated phishing attacks, as an example, is that we have given and empowered our users with a button to report suspicious emails. Because of their vigilance and because of the awareness that we’ve created, we have thwarted many attacks from being successful.
Kathy Hughes, CISO, Northwell Health
Speak the CEO’s language
When you go to the CEO, it has to be about strategic goals, and alignment of those goals to the direction of the organization, and you have to be able to translate that both ways. You have to learn a couple of languages. So, it’s not necessarily that you want to inform, coach, mentor, or train the CEO on the language that you use, but you want to use their language more, and be able to relate that back to your team.
Dennis Leber, Interim CISO, UConn Health
Productivity over location
I think you do get some better bonding when you have one-on-one time with the person, but it’s not a requirement for most jobs. Make sure you’re good with your team, make sure you have that camaraderie, make sure you understand what’s going on in each other’s lives… From my perspective, I think remote works. It doesn’t matter where you live if you’ve got the talent profile and you’ve got the motivation to do it.
Jason Elrod, CISO, MultiCare Health System
A balancing act
Executive leadership has to understand the importance of cybersecurity and the patient care perspective and find the middle ground. Sometimes it’s not about one or the other, it’s about balancing both. And so, I think the most important thing is for executive leaders to understand that… It’s also important, from my perspective, to understand the business and what’s needed and to balance that as much as possible.
Soma Bhaduri, CISO, NYC Health + Hospitals
Communicate with business
I wanted to make sure that whoever we brought in had tremendous cybersecurity experience, a very proactive risk management mindset, and was a business leader as well, not just a technology leader. It was important that they could speak appropriately to our business stakeholders and partners, communicate the importance of cybersecurity, and make sure that cybersecurity is not seen as an impediment to the business.
Kristin Myers, EVP/CIO, Mount Sinai Health System