Connie Barrera, director of information assurance and CISO, Jackson Health System, Miami
Barrera spends a lot of time walking the hospital floors and asking clinical users how the technology is working or not working for them. "If it’s not working, they are going to do something else," she warned. "And usually what they’re doing is probably much less secure."
Dan Bowden, CISO, University of Utah Health Care, Salt Lake City
"People say, 'I can roll out two-step authentication, and that will prevent me from having a user-oriented compromise' – but while a user is using a device, they can do something to cause the device to become compromised, and then every time they use the device afterwards, that device is now an exploited point on your network."
Chris Ewell, CISO, Seattle Children's Hospital
Children's has a "very active intelligence program. We don't rely just on our own monitoring. I work with a lot of third parties. I work with our government agencies, with our own healthcare agencies, other financial agencies to understand where the real threats are. You can't rely on your own systems. You have to collaborate with other partners. My entire policy, strategy, protocol, everything is designed around the protection of the data. We're not compliance-driven. We're risk-driven."
Jigar Kadakia, CISO, Partners HealthCare, Boston
"The toughest security problem is getting people to understand. It's the same issue we had five years ago; it's going to be the same issue five years from now. People are educated, but they just think they're not going to get phished, they're not going to get hacked. But they need to understand, they will get hacked; they will get phished."
Mitchell Parker, CISO, Temple Health, Philadelphia
"You can say you make systems secure and compliant. Or you can have operational checks and balances to make sure they actually stay compliant."
Meredith Phillips, CISO, Henry Ford Health System, Detroit
Henry Ford recently established a core group within the IT team whose job is to focus solely on the health system's enterprise approach for identity access management. "Truthfully, that's the core of security," said Phillips. "What is it that we give access to based on their role they have here at Henry Ford?"
Heather Roszkowski, CISO, University of Vermont Medical Center, Burlington, Vermont
"I have a team of individuals, analysts and an engineer, to work on technical challenges, project work, policy work," she says. "I'm also working with other IT leaders. Across the organization, I work with HR, director of risk, the privacy officer, the compliance officer."
Anahi Santiago, CISO, Christiana Care Health System, Wilmington, Del.
"I believe that information security is a patient safety issue. A lot of organizations are just starting to think about it as not just a risk to a patient's information but a risk to a patient's life. Bad information in a medical record could actually kill someone. I see the role of the CISO as integral to the delivery of quality patient care."
Karl West, CISO, Intermountain Healthcare, Salt Lake City
"CIOs and CISOs need to take the data that comes out of risk assessments and translate that information into an activity report that tells you 'here are the activities we need to be doing for the next year to make sure we have appropriate controls.' In many ways those need to happen at a strategic level, and they go up above the glucometer or fitness tracking device and in the security architecture — and you need to have a framework for rating risk on a regular basis."
Kurt Hagerman, CISO of Armor