Skip to content Skip to navigation

AEHIS: Gathering Chief Information Security Officers Together at a Time of Rapid Change

September 19, 2016
by Mark Hagland
| Reprints

Two years ago this summer in July 2014, volunteer and staff leaders affiliated with the Ann Arbor, Michigan-based College of Healthcare Information Management Executives (CHIME), seeing the need for a nationwide organization to support chief information security officers (CISO) in healthcare, created AEHIS, the Association for Executives in Health Information Security. In fact, AEHIS was one of three associations created under the CHIME umbrella; the other two, created in October of 2014, were AEHIT, the Association for Executives in Healthcare Information Technology (for CTOs), and AEHIA, the Association for Executives in Healthcare Information Applications (for chief applications officers).

Among the key players in the creation and management of AEHIS has been George McCulloch. McCulloch, who served as deputy CIO at Vanderbilt University Health for 12 years, and who had also served on the board of directors of CHIME, helped to create AEHIS, as CHIME’s executive vice president for membership and professional development, and continues to help manage it. The Nashville-based McCulloch spoke recently with Healthcare Informatics Editor-in-Chief Mark Hagland regarding AEHIS and its forward evolution. Below are excerpts from that interview.

What are the purpose and focus for AEHIS?

AEHIS was created in order to create a community for healthcare information security leaders. There are a lot of resources out there for general security leaders [in other industries and trans-industry], but healthcare has its own challenges that are unique to us. And there was not a healthcare-specific group that we could find. Our mission is to provide services to those leaders in healthcare security, not only to help their organizations, but to help them personally. They are now front and center in a lot of activities. And like most leaders, they probably came up from a technical background, but are now reporting to the CIO, presenting to the board, etc. So to provide a community to help them, and secondarily, to help them develop leadership skills.

George McCulloch

How many members do you have at this moment, in AEHIS?

We have over 500 at this time.

Are they mostly working in hospital systems, and mostly working in large hospital systems?

No, actually, they’re working in every size of organization. The way things are arranged is that if you’re a CHIME member, you can join any or all of those three associations [AEHIS, AEHIT, AEHIA]. In small hospitals, CIOs are also the CISOs for their organizations. We’ve got very large hospitals represented in AEHIS, and very small ones as well.

Are there any healthcare IT security leaders from medical groups, as well?

We have a few, but it’s primarily inpatient groups.

As we all know, the data security threats to patient care organizations in the U.S. have recently been accelerating dramatically. I’m sure people are excited by what you have to offer at AEHIS.

We’re very pleased by what’s been developed. Among other things, we’ve been able to submit four or five comments on legislation at the federal level. And we’ve done some regulatory comments, some congressional comments. We just commented on an FDA proposal. Marc Probst [CIO at the Salt Lake City-based Intermountain Healthcare], our chair, did testimony on whom the CISO at HHS [the federal Department of Health and Human Services] should report to. So we’ve spent a lot of time on the legislative and regulatory side. And everybody’s concerned about ransomware. So it’s been a busy year and a half.

What are your members saying are their top few issues these days?

The biggest issue that they see is that the threats are everywhere, and it’s split between bad actors on the outside, but also education of end-users as well, because a lot of things happen because of things people shouldn’t be doing. The biggest challenge they have is in getting the resources that are needed to protect the organization. At a time when we’re looking at cost and quality, this is another cost of doing business that is not at all inexpensive. And finding qualified people is a part of that expense, and challenge. So they’re asking, how do I get the resources that my organization needs, and look at the IT risks, and fold those into other risks, and find appropriate funding for what I’m being asked to do?

How do you see the evolution of the CISO role, going forward? About 25 years ago, people were still trying to sort out what the core components of the CIO role.

I agree with you; it’s turning out to be similar to the evolution of the CIO role. I’m a recovering CIO myself. I was in the industry for 30 years, and it’s very similar. And our organization is made up of people who are the top person in security in their organizations. There’s a lot of technology involved to protect the organization. And they really need to create a program around security, and really go beyond the technical components. And just as the CIO has a number of critical relationships with the CMIO, CNIO, CMO, CNO, CEO, COO of their organization, the CISO has relationships with the privacy area, finance, operations, legal, and so on. Those are all critical relationships that they need.