Life of a CIO is hard.
A CIO’s job is to oversee a company’s entire information technology (IT) ecosystem, including everything from hardware and software to network security and data storage, often with few resources.
Life of a Healthcare CIO is more challenging.
In addition to managing technology, healthcare CIOs must also have a deep understanding of the complexities of medical devices and applications, as well as the special needs of the healthcare industry. We need to remain current with changing healthcare laws and regulations and understand the nuances of patient privacy and security requirements.
Life of a Federal Healthcare CIO is just bananas.
In addition to the above, one of the most significant considerations for federal healthcare CIOs is regulatory compliance, statutes, and mandates, along with HIPAA and other healthcare privacy requirements. This entails identifying, interpreting, and complying with specific cybersecurity and data compliance regulations.
This is what I want you to understand.
I want your products and services. Almost everything we use in our facilities to take care of almost 10 million beneficiaries is a Commercial-Off-the-Shelf (COTS) product. However, I must ensure it meets the Risk Management Framework (RMF) for on-premises desktop applications or the Federal Risk and Authorization Management Program, also known as FEDRAMP, for cloud solutions.
The Risk Management Framework is a holistic approach to managing the security and privacy risks associated with information systems for the federal government. It is based on a continuous cycle of identifying, assessing, and responding to risks across the technology lifecycle. It is essentially the NIST framework. Once an organization is certified, it is issued an Authority-to-Operate (ATO) by the Approving Official of that federal agency. For military medicine, under the Defense Health Agency (DHA), that responsibility lies with the DHA CIO.
As the CIO of the largest Medical Center within the DoD, I must provide an extensive package to the DHA CIO with a comprehensive overview of your application. When I submit that packet, I am recommending that we carefully execute our due diligence on this system so that we know we can trust it; that the risk of using this solution is low while the benefit is tremendous. The data I am protecting is considered national security data, and so I take this responsibility with vigor.
Now for the Cloud
FEDRAMP is a standardized process the federal government uses to assess and authorize cloud computing products and services. Industry partners can use the process to receive authorization to provide cloud services to government agencies. So, if I partner with you in the DHA, other federal government departments can also use your service once you are certified. FEDRAMP is a bit tedious, as you need an authorized Third-Party Assessment Organization (3PAO) to evaluate your cloud system’s security features and capabilities, regardless of whether it is hosted in Azure or Google Cloud.
The FEDRAMP process can be daunting, but it is essential for any company looking to work with the federal government. With careful planning, attention to detail, and a solid commitment to security best practices, anyone can obtain this certification and offer their services to the federal government in a secure, compliant environment. Additionally, the certification will demonstrate your commitment to security in the commercial sector.
In conclusion, my life as a federal healthcare CIO focuses on supporting secure, quality healthcare through technology whilst keeping up with the latest regulations and best practices. Because of this, to be effective, I need to collaborate with organizations with a deep understanding of my technology landscape and regulatory environment, combined with a sincere interest in excellent security hygiene. We are in this together.
This piece was written by Chani Cordero, CIO at Brooke Army Medical Center, and was originally published elsewhere.