CEO's perspective: Cybersecurity is a strategic imperative
In one session at the HIMSS Healthcare Security Forum Digital Summit on Monday, Bryan Kirby, vice president of IT and cybersecurity recruiting firm Kirby Partners, noted that too many healthcare providers still see the domain of the chief information security officer as the "Department of No." (As in: No, that time-saving tool or device is not cleared for use, due to privacy or compliance concerns.)
When they're not seen as scolds, CISOs are more generally seen as smart and technically-minded leaders within the IT department, of course. But many still have "limited if any exposure to the board room or the C-suite," said Kirby, who cited one survey that found that "74% of C-level executives do not believe CISOs deserve a seat at the leadership table."
If many CISOs and their team are "siloed and are disconnected from the business," an even more startling finding, this one from Gartner, was that "only 31 percent of survey respondents and business units are actively involved in developing security policies that will affect their businesses," he said.
At the HIMSS Healthcare Security Forum Digital Summit on Monday, opening keynote speaker Dr. Janice Nevin, CEO of Wilmington, Delaware-based ChristianaCare, offered the perspective of a C-suite leader who gets it – who understands the intrinsic and foundational value of healthcare cybersecurity.
"We have a bold vision for healthcare," said Nevin. "Everything that can be digital will be digital, and all care that can be done in the home or in the community will be done in the home or in the community."
But with that expansive view, of course, comes an added level of responsibility. Nevin and ChristianaCare's CISO, Anahi Santiago, both appreciate "the complexity and urgency of ensuring that the data and technology are protected," she said. "The risk extends outside the walls of our health system, also into our patients homes and personal devices."
Most everyone knows by now that healthcare is the most targeted industry in the United States for cyber threats.
So for healthcare systems, "the first step is ensuring information security is prioritized across the organization – and it needs to come from the top," said Nevin.
As Bryan Kirby had alluded to with his "Department of No" remark, many health system staff might view infosec leaders as impediments, rather than strategic enablers.
Nevin acknowledged that "in healthcare, especially, the elements of a robust information security framework can sometimes create friction – can make it harder for someone to do something they want to do because there are IT hurdles, restrictions or processes that have to be navigated in order to ensure it's safe.
"Information security requirements can sometimes be perceived as stopping important work from getting done," she added. "And in these instances, there may be a temptation to create an exception or a workaround to do the first thing or the easy thing that can create risk."
That's why it's "vitally important that the information security team has support from leadership at the highest level of the organization – so, when push comes to shove, we can ensure that the safety of the organization and our patients is prioritized and that we are prepared in case of an attack."
Nevin said that starts with "having honest, authentic dialogue about the realities of the threat landscape among the entire senior leadership team."
Across the C-suite and the board, she said, "we need to be able to talk about these threats without succumbing to fear, uncertainty and doubt. And we need to talk about them in ways that our business leaders and clinical leaders relate to and understand. That means connecting the realities of the information security landscape with our business strategy and with our mission to protect our patients and do no harm."
So, across the enterprise, ChristianaCare has "taken strong measures to ensure information security is integrated into our organization's governance," said Nevin.
For example, it has two CISOs from the banking industry sitting on its board's technology and cybersecurity subcommittee, she said. "Their perspective and expertise is invaluable in helping to guide our strategy."
Above all, of course, robust funding for security readiness is essential.
"At Christiana Care, we've made strong investments in our information security infrastructure," said Nevin. "When the pandemic hit, we were better prepared than many healthcare organizations to respond to the rapidly changing technology needs that the pandemic created. We'd already deployed tools and technology to enable an environment in which our caregivers could access our resources anywhere, from any device at any time.
"Because we were prepared, we were able to meet the needs of the moment without putting exceptions or workarounds in place that would have required us to assume greater risk," she said, pointing to the fact that the health system already had standing contracts with Zoom and with Cerner for telehealth multi-factor authentication.
In addition, it already had infrastructure in place: "secure remote access solutions and a cloud access security broker" that enabled it to be rules-based, but nimble, in providing access to the tools needed for COVID-19 response.
"These investments were in place because we've embedded information security deeply into our strategy and governance," said Nevin. "But perhaps the most important aspect of our information security framework at Christiana Care is the understanding that it's not just an IT issue, it's a patient safety issue, and it's everyone's responsibility.
"Patients put their trust in us to protect the integrity and confidentiality of their health data at ChristianaCare," she said. "We believe that ultimately it's the patient, the individual, who owns that data. It's theirs, not ours. And we have a solemn responsibility to protect it."