“Selling Security” to the Board: C-Level Leaders Share Their Perspectives on Cybersecurity Strategies | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

“Selling Security” to the Board: C-Level Leaders Share Their Perspectives on Cybersecurity Strategies

March 6, 2016
by Heather Landi
| Reprints
Paul Connelly, vice president and CISO of Hospital Corporation of America, and Dave Levin, M.D., previously CMIO at the Cleveland Clinic Health System, discussed the need for collaboration on information security strategies.
Click To View Gallery

As the recent ransomware attack at Hollywood Presbyterian Medical Center illustrates, healthcare organizations are increasingly at risk for cyber attacks due to the value of protected health information (PHI). Cybsersecurity was top of mind with health IT leaders at the 2016 HIMSS Conference and Exhibition in Las Vegas this week with an entire preconference session centered around the topic of how hospitals can improve their security posture to avoid information security compromises and breaches.

Hospitals, payers and business associates are increasingly leveraging the internet, medical and mobile devices in order to improve care, lower costs and retain competitive advantage. With this shift to digital comes increased risk to protected health information (PHI).

Paul Connelly, vice president and chief information security officer (CISO) of Hospital Corporation of America and Dave Levin, M.D., chief medical officer at Sansoro Health and previously chief medical information officer (CMIO) for the Cleveland Clinic Health System, gave a joint presentation discussing the C-level perspective on information security and strategies to “sell security” to the board.

During the presentation, Connelly and Levin both emphasized the need for collaboration between CISOs and CMIOs to improve information security and to align the security strategy and tactics to meet clinical and business goals. Essentially, the CISO can be the CMIO’s best friend and vice versa, they both said.

“The days of healthcare organizations blindly buying new technologies without the CMIO’s and the CISO’s blessing needs to be in the past. And the good news about the recent bad news is that it has helped raise awareness,” Connelly said.

They also discussed the unique clinical and business goals of CMIOs and CISOs within healthcare organizations.

“The view of the CMIO is to find a way to maximize the value of clinical IT at a time when medical systems and data are in the crosshairs,” Levin said.

“The CISO view is to look at this from the perspective of how to keep systems safe to protect your patients when there are organizations with many non-secure legacy systems and threats and the access and dissemination of data is growing exponentially,” Connelly said.

Despite these somewhat opposing goals, there is common ground, Levin said, with an overriding goal to protect patients and their health information.

Levin addressed the role of clinical IT with the ongoing movement in healthcare toward value-based care, which focuses on increased quality, improved safety and decreased cost. Healthcare organizations are now beginning to align the business case and the economic case, Levin said.

With the move from volume to value, the delivery of clinical services is now based on what Levin described as the three “Ps.”

“Personalized, where we zoom in, and that requires real-time information and highly customized care for each individual; Population, where we zoom out, and we need systems designed to care for large groups of similar patients; and Pervasive, which is zoom everywhere, and there’s where everything is connected,” Levin said.

From a CISO’s perspective, the healthcare transformation taking place now creates the challenge of keeping pace with the clinical and business pursuit of the best and newest health IT tools and uses of data. “Yet we have systems showing up on the loading dock purchased with no security vetting, architecture or implementation plan or maintenance/lifecycle provisions,” Connelly said.

“Today’s big data thefts may be remembered as the good old days as the system and data destruction and attacks on people via cyber for extortion and terrorism could become reality,” he said.

Connelly said health IT leaders need to change the paradigm and get security “baked in” to the lifecycle of health IT products and systems.

When it comes to medical device security within HCA, Connelly said he works together with the CMIO community to identify the systems and classify the tiers of priority. “They play a key role in introducing new technologies and they have the relationships with vendors so that provides some leverage to work with them to improve the systems.” He added, “It’s a two-way street and the CISO also can be an important ally to the CMIO and we can get involved early to do vetting and help identify the security vulnerabilities and what it takes to correct and identify new approaches.”

Connelly and Levin both highlighted reasons why CISOs and CMIOs should collaborate on health IT and information security.

 “Secure solutions carry more weight with management today,” Connelly said. “You have a better chance of approval of initiatives when the CISO is on board. By including me in the initiative, you can “bake” the security into the clinical initiative and the net result is that we are going to save money.”

And, he said, collaborating on messaging to end-users of the clinical IT tools creates the “right processes and drives adoption.” “A secure clinical initiative protects your patients, it provides for privacy, integrity and availability of the data and systems you need to provide care.”

Conversely, Levin said CMIOs can help CISOs “see around the corner,” and he added that “being involved in new initiatives and innovations from the beginning makes security work better. And, as CMIO, I can help the CISO improve their understanding of how healthcare works and how security is involved in the front line.”

And, he added, “I think, together as a team, our mutual credibility is higher when we are seen as collaborating and demonstrating a balance between appropriate security and appropriate data. It looks a lot less credible when we surprise each other and have diametrically opposed messages.”

 

Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More

Topics

News

Advocate Aurora Health, Foxconn Plan Employee Wellness, “Smart City,” and Precision Medicine Collaboration

Wisconsin-based Advocate Aurora Health is partnering with Foxconn Health Technology Business Group, a Taiwanese company, to develop new technology-driven healthcare services and tools.

Healthcare Data Breach Costs Remain Highest at $408 Per Record

The cost of a data breach for healthcare organizations continues to rise, from $380 per record last year to $408 per record this year, as the healthcare industry also continues to incur the highest cost for data breaches compared to any other industry, according to a new study from IBM Security and the Ponemon Institute.

Morris Leaves ONC to Lead VA Office of Electronic Health Record Modernization

Genevieve Morris, who has been detailed to the U.S. Department of Veterans Affairs (VA) from her position as the principal deputy national coordinator for the Department of Health and Human Services, will move over full time to lead the newly establishment VA Office of Electronic Health Record Modernization.

Cedars-Sinai Accelerator Program Presents Fourth Class of Startups

The Cedars-Sinai Accelerator, a program that helps entrepreneurs bring their innovative technology products to market, has brought in nine more health tech startups as part of its fourth class.

DirectTrust Adds Five Board Members

DirectTrust, a nonprofit organization that support health information exchange, announced the appointment of five new executives to its board of directors.

Analysis: Many States Continue to Have Restrictive Telemedicine Policies

State Medicaid programs are evolving to accelerate the adoption of telemedicine models, this evolution is occurring more quickly in some states than others, according to a recent analysis by Manatt Health.