Authored by Jason Griffin, VP & CISO | Information Security Practice Lead at Orchestrate Healthcare
In a Healthcare Informatics article released last week, author Rajiv Leventhal examines the ever-intensifying threat environment within healthcare and how CISOs are becoming a critical component of the C-suite leadership.
Statistics show cyber-based threats continue to rise monthly. As Leventhal states, “the Protenus ‘Breach Barometer’ report (a snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by DataBreaches.net) reveals that the trend of cyber attacks in healthcare is certainly not slowing down; in March, the number of breached records was 2.5 times the number of records breached in January and February combined.”
It’s clear that cyber threats are not going to be easily quelled, and for the sake of patient and organization safety they certainly cannot be disregarded.
However, healthcare providers in general have been less than expeditious in responding to this growing concern, most often due to budget constraints. A February 2017 HIMSS Analytics and Symantec study found that even though cybersecurity budgets are increasing, 65 percent of surveyed healthcare organizations are still spending less than 6 percent of funds on security.
When you consider the overwhelming costs associated with data breaches (especially those involving protected health information, or PHI), why would healthcare organizations not rush to add a CISO to their leadership suite? An experienced CISO is key in providing strategic direction across the breadth of the organization and developing a culture of information security.
The answer is an industry-wide gap in terms of skilled candidates. According to Nick Giannas, a security consultant interviewed in Leventhal’s article, “The demand for qualified CISOs far exceeds the supply of top talent for these positions.” The guest consultant then goes on to suggest healthcare may need to “look beyond healthcare to find top talent in other industries who can make a difference.”
Virtual CISO (vCISO) Meets the Needs of Healthcare
We politely disagree with Mr. Giannas’ proposition. Our virtual CISO, or vCISO, offering provides a flexible, affordable, and timely approach. Organizations can opt to retain a healthcare-experienced vCISO for as much time as is needed, either while looking for a permanent CISO or to act as their CISO, ensuring security programs are on track.
A further benefit of the vCISO? Organizations may realize savings of up to 80% over the cost of a full-time employee, with the added value that several information security experts will be available to your organization when needed.
Why look outside of healthcare for a CISO when we’ve removed the barrier of lack of appropriate cybersecurity personnel?
Our Virtual CISO (vCISO) offering provides on-demand access to security consultants who can:
- facilitate a health check of your information security program
- implement a risk management strategy/model for all IT decisions
- develop sustainable programs that consider budget, culture and risk tolerance
- elevate your IT teams’ level of security expertise based on their extensive industry experience
- lead your IT teams and serve on IT committees (i.e. steering and/or governance committees)
As the 2016 HIMSS Cybersecurity Study concludes, “healthcare providers may greatly benefit from… a ‘whole of organization’ approach to cybersecurity.” If your organization could benefit from our robust Information Security team, or if our Virtual CISO is needed to make an immediate and impactful difference in your healthcare environment, we encourage you to give us a call at (877) 303-3377.
It’s not a question of IF the “bad thing” happens, it’s WHEN… Is your organization prepared to handle a breach?
Jason Griffin is the VP South & CISO at Orchestrate Healthcare. He leads our Information Security Practice with a distinguished 23 years in healthcare. His areas of expertise within Information Security include strategy and implementation, compliance, IT governance, IT service delivery, and process redesign.