Executive Summary: Thirteen chief information officers (CIOs) and chief information security officers (CISOs) of leading health systems gathered in Chicago to share best practices and lessons learned regarding information-security programs. These healthcare executives also explored lessons from other industries on innovative cybersecurity strategies. This report captures their discussion and shared insights.
Summit Participants: Mary Alice Annecharico, SVP and CIO, Henry Ford Health System; David Bensema, M.D., CIO, Baptist Health; Fernando Blanco, VP and CISO, CHRISTUS Health; Erik Decker, CISO, University of Chicago Medicine; Michael Erickson, CISO, Baptist Health; Jim Hanson, Regional Information Officer, Avera; Meredith Harper, Chief Information Privacy and Security Officer, Henry Ford Health System; David Jahne, IT Security Senior Director, Banner Health; Lenny Levy, VP and CISO, Spectrum Health; Jonathan Manis, SVP and CIO, Sutter Health; Patrick O’Hare, SVP, Facilities and CIO, Spectrum Health; Jim Veline, SVP and CIO, Avera; Larry Yob, National Security Senior Director, Ascension Health
Organizer: Scottsdale Institute; Sponsor: Impact Advisors; Moderators: Rob Faix and Tim Zoph, Impact Advisors
2016 may be considered the Year of Information Security in light of numerous high-profile security events impacting healthcare and non-healthcare organizations alike. In October, leadership representing Information Technology and Information Security functions from Scottsdale Institute member health systems came together to share their perspectives, experiences and strategies for advancing the effectiveness of Information Security Programs. Joining these healthcare leaders were two guest speakers from the financial industry to provide an “outsider’s” perspective on the types of challenges and strategies they have encountered for addressing security threats, training and overall management of their security programs.
Moderator Tim Zoph opened the session with his observations on the threats faced by the healthcare industry and the accelerated pace with which new threat vectors are exploited. He balanced these comments with observations that many of the basic activities, such as properly maintaining systems, remain a challenge to the industry. The list below represents a summation of some of the key responses from participants when asked what keeps them up at night:
- Developing effective engagement strategies with executives and boards of directors.
- The rate of emerging threats impacting the healthcare industry and our ability to keep up.
- Maintaining a good balance between process engineering and the workflow impact on people when addressing risks.
- Biomedical equipment management, updating and segregation.
- The total number of endpoints, which continues to grow throughout the organization.
- The ability to attract and retain talented people, and to train staff to achieve the organizational goals.
- “Hacktivists”: people motivated by political reasons to cause an intrusion.
- Achieving a reasonable information-security budget.
- Increasingly sophisticated attacks and the new markets created by hackers’ ability to monetize data thefts.
- The volume of new applications being proposed and an organization’s ability to vet them properly.
Gathering Threat Intelligence and Communicating Risk
No shortage of threat-intelligence sources exists in the market today. Meredith Harper, Chief Information Privacy & Security Officer at Henry Ford Health System, said her organization is a member of the National Health Information Sharing and Analysis Center (NH-ISAC). Most agreed there is value in subscribing to third-party sources, and some noted use of NTT Security SERT, InfraGard and similar organizations for gathering threat intelligence. Simmons cautioned that organizations who pay for more than one intelligence service should carefully review and compare the content across vendors to ensure they are not paying for duplicative information. He noted that he participates in monthly meetings in Chicago with about 80 CISOs who share information and respond to specific questions in various email chains. Most attendees confirmed they actively participate in information-security groups in their respective regions.
As the topic of information security continues to increase in importance, it is incumbent upon information-security professionals to manage executive expectations and adroitly engage senior leadership. Today, executive engagement ranges widely from “check-the-box discussions” to highly engaged leaders who crave a deeper understanding of security events or of the state of the overall information-security program. Not surprisingly, the visibility of information-security programs increased significantly in the wake of suspected breaches. Patrick O’Hare, SVP, Facilities & Chief Information Officer at Spectrum Health, said, “It’s not an issue of ‘if’ you’ll be breached, but ‘when’ and will you know that you have in fact been breached.” Key to success with executive leadership and boards of directors is to keep the conversation a business conversation, not a technical one. Successful CISOs need the ability to translate IT risk into business risk.