Top healthcare CISOs hard to come by
There's a little bit of good news in the healthcare IT arena: CEOs and CIOs are quickly moving to make hiring chief information security officers a top priority.
The position, which has to somehow get a handle on privacy, compliance and traditional security issues, is in high demand as industry and government requirements increase for data sharing between patients and doctors, from hospital to hospital, with government agencies, labs and insurance companies. Add mobile devices to the mix, and the security/privacy/compliance headaches for CIOs are about to get more painful.
That's why it's just a little bit of good news. It's also coupled with some bad news for CIOs and HR execs, the folk who have to make these hires. Healthcare CISOs are hard to come by – and expensive.
Much of the reason for that is healthcare's relative lack of security interest for many years, which means today the industry lacks homegrown healthcare security IT execs who have enough of the germane capability: IT management, security management and healthcare industry experience.
[See also: Where will HIT security be in 3 years?.]
Attitudes about security change
Bert Reese, the CIO of the 125-year-old 12-hospital $5.6 billion Sentara healthcare enterprise, said his vision of what a CISO should do has morphed sharply since December 2013 when he hired his current CISO, Kathy Jobes.
"My thinking has changed since the arrival of Kathy. Before, I thought it as more of the traditional role. I didn't know what I didn't know," Reese said. He now sees it as changing the whole security culture, impacting every element of the enterprise.
For many healthcare operations, he said, applications have had terrific functionality but security was rarely a priority, at least with major application developers.
"The (application) security function never matured,” Reese said. “Today, we literally run 1,000 different applications to support the enterprise. Choreographing them into a truly secure architecture is, to say the least, entertaining."
Making matters yet more challenging for CISOs, he added, is that large healthcare enterprises are often seen as soft targets for cyber thieves, foreign espionage agents and saboteurs.
"We see about a million hits a day from China alone, trying to break into our network," Reese said, speculating that the attackers want to access standard corporate applications – such as ERP – so they can figure out the coding and then use it to attack more lucrative – but more secure-targets such as financial, retail, aerospace or manufacturing corporations.
[See also: How Kaiser does privacy and security.]
Hire from within, or tap other industries?
To get the talent needed, some argue that healthcare CIOs must abandon insisting on healthcare experience, opting instead to hire an experienced CISO from another industry and then training that executive in healthcare issues. It's the price that healthcare execs must pay, said healthcare IT recruiter Judy Kirby, for having ignored security for too long.
"It's not something that in the past was very important to us. When your data wasn't online, the risks were minimal," said Kirby, who has run Kirby Partners since 1994. "Healthcare has lagged behind financial institutions and now they have to play catch-up. Because we didn't need them in the past, we didn't grow them. We don't have internal ones that could easily promote.
You now then have to go outside of healthcare and then teach them healthcare."
But another veteran healthcare IT recruiter, Rich Miller, Senior VP for B.E. Smith, Inc., argues that CIOs are better served by staying within healthcare IT, but training the hired executive in security.
Miller's argument is that a talented healthcare IT executive – one who has demonstrated the persuasive and communication skills – is the much better place to start. "A proven healthcare information leader can quickly become a proven information technology security leader," Miller said. "Any IT leader could ascend into this role, as long as it's a proven leader with great leadership potential. I'm a strong advocate of looking within to identify the future CISOs."
One of Miller's concerns is that recruiting talent execs from other industries – and certainly from healthcare competitors – is too expensive.
"The CISOs that are good are well-taken-care-of and not interested in making a move," he said.
One key issue in recruiting a CISO may explain why seemingly contradictory advice is not necessarily contradictory. The definition, duties and responsibilities of CISOs vary, so a lot depends on what you need/want this executive to do. For some businesses outside of healthcare, a CISO is truly a security officer, overseeing a team of cryptographers, programmers and other security specialists whose sole job is to protect the company against brute-force attacks and from internal threats.