Authored by Jason Griffin, VP & CISO | Information Security Practice Lead at Orchestrate Healthcare
Healthcare CIO Role Shift Foreshadows CISO Evolution
The evolution of systems and the exponential growth of electronic data have forced healthcare IT leaders to reevaluate their roles and responsibilities in their respective organizations and in the industry. In the early 2000s, the healthcare CIO role required a major shift from being a steward of technology to being an informed business leader, represented at the senior executive level of provider organizations. This shift is described in The New CIO Leader, published in 2005. The same principles are proving true for the “New CISO Leader”.
Information security strategy is quickly becoming a component of every organization’s business strategy and is discussed at the highest levels of the organization. Healthcare CISOs are increasingly developing strategies that will have rippling effects on business and clinical workflows and on researchers. To gain and maintain the credibility needed to effect such changes, the CISO must become a vocal and visible business leader. This requires a transition from the technical steward of:
- monitoring tools
- intrusion detection, and
- endpoint management
to the executive leader demonstrating how security controls, policies, and procedures will protect the organization as the strategies are implemented.
Effective CISO Leadership
I was recently told by the CIO of a billion-dollar organization that they had no need to hire a CISO. After all, he himself, a new CIO with very little information security knowledge, was the final voice on security, and he did not need someone else to take the “blame”. This thinking typically does not change until a breach occurs, and that postponement is a high-stakes game of poker: as any seasoned CISO will tell you, it’s not “if” but “when” that breach will occur. Effective CISO leaders will be judged by the way they respond to these security incidents. Attaching blame will not be top-of-mind when patients are turned away from the emergency department or surgeries are rescheduled, if the organization is confident it has a prepared team resolving the issue.
Information security management in healthcare is a never-ending cycle of planning, monitoring, governance, and risk management. CISOs must embrace the following:
- be a thought leader in your organization, not just a manager,
- embrace governance and drive it through every level of the organization,
- develop a high performing security program (including partnership agreements where appropriate) that is measurable,
- identify regular communication channels that provide the right communications at the right levels of the organization, and
- develop incident planning techniques that are well documented and rehearsed; your performance will be judged by your response and leadership during an incident.
Ultimately, it is about developing a security-conscious culture and being the emboldened executive and leader at the helm driving this change.
Jason Griffin is the VP South & CISO at Orchestrate Healthcare. He leads the Information Security Practice and has 23 years of experience in healthcare. His areas of expertise within information security include strategy and implementation, compliance, IT governance, IT service delivery, and process redesign.