Thirteen chief information officers (CIOs) and chief information security officers (CISOs) of leading health systems convened in Chicago to discuss key challenges, best practice standards and collaborative opportunities in cybersecurity. These healthcare executives focused on cybersecurity maturity levels, governance practices, reporting systems, threat monitoring/threat analytics tactics and the importance of tying cybersecurity metrics to business impacts. This report captures their discussion and shared insights.
CISO Fall Summit Participants: Fernando Blanco, vice president and CISO, Christus Health; Jeff Bontsas, vice president and CISO, Ascension Information Services; Erik Decker, chief security and privacy officer, University of Chicago Medicine; Jim Hanson, Information Security Officer, Avera Health; Bryan Kissinger, Ph.D., vice president and CISO, Banner Health; Thien Lam, vice president and CISO, BayCare Health System; Ken Lawonn, senior vice president and CIO, Sharp HealthCare; Leonard Levy, vice president and CISO, Spectrum Health; Christie Polley, system director, IS information security, Eastern Maine Healthcare Systems; Brad Sanford, CISO, Emory University; Randy Thompson, M.D., CMIO and interim CIO, Billings Clinic; Jim Veline, senior vice president and CIO, Avera Health; Brenda Williams, vice president technology services, Mosaic Life Care
Organizer: Scottsdale Institute; Sponsor: Deloitte
Moderators: Deloitte—Bruce Daly, principal, Deloitte & Touche Llp; Raj Mehta, partner, Deloitte & Touche Llp
With numerous high-profile security events and data breaches splashed on the papers of national newspapers, there is a growing appreciation in healthcare and non-healthcare organizations alike that cybersecurity impacts business as a whole. Today, cybersecurity is increasingly regarded not as a technical issue pigeonholed in IT departments, but as a corporate and business issue. The cybersecurity function is rapidly evolving, eliciting greater visibility across healthcare systems and drawing increased attention from boards and leadership charged with risk management.
In October, leadership representing information technology (IT) and information security (IS) functions from Scottsdale Institute member health systems came together to share their perspectives, experiences and strategies for tying cybersecurity metrics into business impacts and business risk and for monitoring and managing ever-changing risks and threats.
The Imperative of Linking Cybersecurity Risks to Business Impacts
There is a growing appreciation across boardroom tables that cybersecurity is a business risk, not just a technical risk. Yet, the process of reporting metrics has not fully caught up. To drive the understanding home that cybersecurity addresses key corporate and business issues, alignment of cybersecurity reporting to business impacts is key. “How many of you are regularly using business risk to report?” asked discussion moderator Raj Mehta of Deloitte, kicking off a spirited conversation focused on improved communication of metrics, risks and impacts to management and boards. “If there is a cybersecurity risk to the organization, it is fundamentally a business risk. On this, we all agree. But is it being reported up and out that way?” Mehta challenged.
Participants around the Summit table voiced challenges, shared tips and broadly agreed that CISOs and cybersecurity teams have work to do internally to better align cybersecurity metrics, measures—and even budget requests—with business risks and business impacts. Many have already started that process.
What We Consider Catastrophic may be Very Different from what the Business Cares About
It is crucial to understand what critical or catastrophic impact means to your business leaders, emphasized Erik Decker, chief security and privacy officer at University of Chicago Medicine. “What we in IT think of as catastrophic can be very different from what the business cares about,” said Decker, citing his experience in collecting feedback from his senior leadership on the business impacts most important to them.
“Early on in my program, we convened our C-suite to make objective statements around the stratification of risks that were most concerning to them and that had the most consequential impacts to the business. We talked through many different scenarios of cybersecurity risk and threat outcomes that could happen, and together we categorized and stratified these on a 1-5 scale of catastrophic to nominal. Items on the table ranged from a simple phish, to hacking that could lead to data loss, as well as cyber actions that could cause death. There is now a clear sense internally of what the most concerning business impacts are, and we can now measure and stratify risks/threats against those stratified impacts.”
Core business impacts ranked by University of Chicago, and agreed upon by participants around the table, included:
- Patient safety issues/harm to patient
- Ransomware that can bring down digital operations and systems
- Breach of private data
- Mishandling of sensitive information
- Risks/unknowns brought by M&A activity
There were hearty nods of agreement centered on the categories of business impacts, with the understanding that different boards may rank the importance of each type of impact differently.
Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.