As security has become a frequent topic in the executive suite, many leaders have accepted the need for an empowered CISO. While the role has often been undervalued in many organizations, the rise in breaches has forced leaders to reconsider the difference between a disconnected, limited CISO and an influential one – especially in healthcare.
In the past, many hospitals and other organizations have simply been slower to prioritize security than, say, the finance industry. That may seem odd, given what a popular target healthcare is for criminals; organizations usually hold a rich mother lode of data to steal, including credit card numbers, names, Social Security numbers, birthdates and of course medical data. Yet security has traditionally been seen as an IT concern, rather than a major business priority with company-wide repercussions. So it’s not too surprising that many healthcare organizations are now experiencing a shortage of experienced and effective security leaders.
Don’t get me wrong – it’s good news that many CEOs and CIOs have connected the complexity of compliance and security to the need for a strong CISO. Anyone who works in healthcare IT knows how demanding these areas can be, with needs that extend way beyond protecting patient privacy.
While companies in other industries typically just need to manage their data security internally, healthcare is far more interconnected. Data is often shared between hospitals, labs, insurance companies and government agencies, which means organizations must safeguard a number of entry points. The growing technical capabilities of patient devices and medical equipment offer even more potential vulnerabilities.
Add in the need to meet an ever-expanding number of HIPAA, PCI, FTC and other compliance requirements and it’s clear that healthcare IT departments require experienced and dedicated security leaders. But that brings us back to the problem stated above: skilled healthcare CISOs with expertise in these areas are hard to find.
This shouldn’t be much of a surprise. Given that security was assigned such a low priority level for years in healthcare, there simply aren’t many executives who cut their teeth in the field. The retail and finance industries have been developing security leaders for years now, but healthcare security executives tend to be brought in from other industries, or have a background in organizations that didn’t train security practitioners.
Let’s talk about what the ideal healthcare CISO looks like. We’ve mentioned before that HIPAA compliance can affect departments including marketing, human resources, records and asset management; the right CISO will institute a compliance program that reaches into every corner of the organization. They’ll also understand how to satisfy PCI compliance – many healthcare organizations handle payment card data – and meet other agency regulations, such as the FTC’s healthcare marketing rules.
A strong healthcare CISO will also need some diplomatic skills. Healthcare is collaborative; organizations share data back and forth, which means that a security leader may be called on to convince “data partners” (such as private practices) to upgrade their own controls before connecting to the network. The CISO will also need to work with other internal C-suite leaders and departments, as a strong security program can change the company’s leadership, operations, culture and core business model. A certain political deftness will benefit every leader, and the CISO is no exception.
The ideal candidate will have deep security expertise that goes beyond digital measures like encryption and firewalls; the mantra of “people, processes and technology” is critical to keep in mind here. Processes regarding paper files and employee practices, or lost laptops and smartphones, are in play too. They should understand IT, security, compliance management and the healthcare industry, and have the ability to shape an internal security culture that practices safety and compliance at every level.
So what’s the best way to find – or cultivate – that kind of superstar healthcare CISO? One obvious move is to start developing the security leaders of the future today. That includes instilling technical, leadership and communication skills, and an in-depth grasp of the intersection between healthcare, technology and crime. To empower CISOs today, organizations can listen to current security leaders, assign them more influence and embed their recommendations into their core strategies.
In the end, criminals are here to stay and the compliance landscape will probably continue to grow more complicated. It takes a strong leader to fight the good fight when it comes to the security landscape – and only by installing the right kind of CISO can organizations achieve the compliance and advanced security required for healthcare IT.