Meet the virtual CISO, the security expert plugging hospital staffing holes
In an industry where three out of four organizations are without a designated security person, healthcare leadership is getting creative with its staffing.
While on the surface hiring a virtual chief information security officer who is primarily off-site seems risky, there are many benefits, not least of which: something is better than nothing.
“A lot of organizations can’t get the funding for a full-time security person or they just can’t find a qualified person in their location,” said CynergisTek President and Chief Strategy Officer Mac McMillan. “Some hospitals are physically located where it’s very difficult to attract the talent to come there.”
Hiring is not the only part that’s problematic, either. “It’s the retention aspect. For the CISO, it’s not just getting a body, it’s getting someone with enough experience,” said Kurt Hagerman, CISO of security firm Armor.
When CynergisTek first started to offer a virtual CISO role, in fact, it was because hospitals kept asking for the service. A lot of the push came from health systems in remote areas, locations where it’s difficult to recruit for the position, or near Silicon Valley, where it’s tough to hang onto talent.
The company created its service to meet the need. Security firms like Pivot Point Security, Adelia Risk, Synoptek and others are also providing the service to fill in these gaps.
The offerings vary by need and the relationship. For example, McMillan said that there are times when the virtual CISO is in a strategic role, while other organizations use the CISO on-site part-time. Some situations call for more of a mentoring or advisory role.
Others have people in the security role part time because they need someone with more experience who can work with leadership, sit in on meetings, or review the results of analytics with executives.
“The virtual CISO can put a security program in place to educate and train the workforce to make sure these priorities are in place,” Hagerman said.
The virtual CISO in action
Methodist Hospital of Southern California CIO Gary Russell struggled to find a CISO willing to work on just a part-time basis.
“We’re a standalone hospital, not part of a system or a large organization, so keeping costs under control and limiting expenditures are crucial,” Russell said. “The CISO position tends to be expensive.”
Russell said they ended up going with a virtual CISO from CynergisTek to provide a high level of expertise and more depth for the organization, while keeping down the costs.
The virtual CISO reports to Russell and works remotely. A weekly call with Russell reviews any issues going on at Methodist. The CISO also keeps all policies and procedures for the hospital up-to-date.
Methodist has security staff on site, but the CISO is charged with handling the big picture. For example, Russell said the hospital has 70 or 80 different security policies that the CISO reviews and updates every two years to make sure they’re consistent with safety standards.
There’s a solid integration between the CISO and the organization, which means the CISO can draw from CynergisTek’s pool of security professionals if there’s a problem too large to handle on their own.
Another major asset is that CynergisTek is in charge of auditing the hospital. If an audit turns up an issue or concern, the CISO institutes the policies and procedures needed to address it.
To Russell, the virtual CISO has been invaluable for meeting HIPAA requirements. For the last few years, in fact, Methodist has met requirements at 100 percent. Last year, the hospital tacked on the first evaluation with NIST standards that were met at 80 percent.
Russell expects that at the next audit, coming up in July, the hospital will fare even better, due to the documentation issues addressed in its project plan.
“While other organizations have a lot of technology people that work with apps and platforms, they don’t have the necessary policy development skills,” said Russell. “It’s where a lot of other organizations fall down. They have a lot of security components in place, but fail to bring the pieces together or provide documentation so they don’t get credit for those items.”