Information technology leaders at patient care organizations are facing an evolving cybersecurity threat landscape, with accelerating threats in the wake of recent, massive attacks on organizations worldwide. The need for stronger cybersecurity is now on most healthcare organizations’ radars, more so than even just a few years ago.
As healthcare organization leaders across the country look to ramp up their cybersecurity strategies and implementations, chief information security officers (CISOs) are becoming part of the bigger picture. As Healthcare Informatics Managing Editor Rajiv Leventhal reported back in April, CISOs within healthcare organizations—not too long ago a position with a limited role—have now become a part of the broader senior leadership team, experts say. A HIMSS Analytics and Symantec study released in February found that even though cybersecurity budgets are increasing, 65 percent of surveyed healthcare organizations are still spending less than 6 percent of funds on security. What’s more, those survey findings indicate that the majority of healthcare organizations still have five or fewer employees allocated to IT security, although two-thirds of participating organizations do have a chief information security officer (CISO), who most often reports to the CIO.
Mac McMillan, chairman, CEO and co-founder of CynergisTek, an Austin, Texas-based information security and privacy consulting firm focused on the healthcare IT industry, spoke with Healthcare Informatics Associate Editor Heather Landi about the evolving role of the healthcare CISO and the skills and expertise that every CISO should have to be effective, and why that goes beyond just technical expertise in security. Below are excerpts from that interview, edited for length.
How do you see the CISO role in healthcare organizations evolving?
The CISO is an interesting role because, to do it effectively and be successful, you have to be one part technologist, one part business leader and one part psychologist, in a sense. What I mean by that is that the CISO has to understand the technology and the threats well enough to understand what the organization needs to do to protect its systems, operations and its information. But, they also have to be able to translate that into business jargon; they have to be able to speak the language of the business. They should be a business leader because the organizations are not going to spend money on security if they don’t see how it fits into the strategic plan of the business and don’t see how it contributes to the business being successful. You’ve got to be able to go in and say ‘Look, there’s a reason why we need to invest in security and we need to invest in this technology or invest in these people or invest in this service or this process, and it’s because it’s going to make our business more resilient, it’s going to make our business more capable and it’s going to ensure that our business can continue to operate and avoid those risks that affect our ability to deliver our primary mission in terms of care and earn revenue.’ And at the same time, when I say part psychologist, they should be able to learn how to navigate a senior staff and other business leaders who have their own priorities and their own objectives that they are trying to accomplish, and figure out how best to interact and work with those people. You need to be able to motivate these senior leaders as well as the workforce, in general, to just be more aware and more open to the idea of doing things differently as it relates to being more safe or secure in their practices and systems. It’s not just a technologist’s role anymore. It’s not just the smart IT engineer who knows something about security; that’s not going to cut it. You need somebody who is a business leader.
Are you seeing changes in the reporting structure with the CISO reporting outside of IT?
We see that in some organizations; we haven’t seen it in a wholesale fashion. I wonder where we have to get to before that happens. Quite frankly, I’m not a huge proponent one way or the other, as long as the CISO is visible and has a reporting chain up through whatever the IT governance process is for security through the audit committee or the board; as long as there is visibility and that person’s voice is not muffled, and they get support, then it can work no matter where they are. But in most organizations, many of the CISOs I talk to around the country say they are still challenged by the fact that they do report within IT, and they do have to compete with the rest of the IT budget. They say that they don’t have a budget of their own, per se, which is something I think organizations should do—they should break their security budget out and understand what their security spend is and understand what that means to the organization.