With cybersecurity threats evolving daily, healthcare providers can no longer afford incomplete approaches to data security. A comprehensive, well-trained healthcare information security team is a key part of closing that gap.
Leadership is especially crucial, and the healthcare CIO and CISO positions need to have a strong grasp on the latest potential threats and the necessary measures to keep patient data secure. Witt/Kieffer’s Nick Giannas told HealthITSecurity.com about the differences in each position, and how organizations should approach building an information security team.
Giannas is a consultant at Witt/Kieffer and has been with the firm for over a decade. The majority of that time he has spent as part of the IT practice, he said.
“I have focused on IT leadership recruitment, so CIOs, CTOs, CISOs, and other senior IT positions,” Giannas explained.
CIOs are responsible for the strategic direction of all of IT, Giannas stated. The CISO is focused on developing and leading the information security strategy and program.
“We’re seeing with the searches that we’ve done, the CISO is reporting to the CIO. But if you go into other industries, you might see a different reporting structure,” Giannas said.
The healthcare reporting structure might change over time, he added, in large part because information security and the threats it faces are both evolving. Even where the CISO reports to the CIO, the CISO needs to be visible at all levels of the organization, from the board on down.
Finding the right talent for the right job
Giannas said that while he does not recruit for staff positions below the CIO and CISO level, he believes a CISO should consider candidates from inside the healthcare industry as well as from outside it. A security team benefits greatly from individuals with a diverse set of skills and talents.
“I think there is a lot of talent outside of healthcare that can be tapped,” he stated. “And stronger talent, to be candid, because there are other industries that have more mature information security environments.”
The healthcare industry is often cited as being behind other sectors in terms of its information security and cybersecurity strategies.
Giannas added that healthcare IT staff tend to be stronger on the IT side but may lack depth in pure information security expertise.
“A lot of information security staff, just based on the senior role, have people in place that may have significant experience in healthcare and IT, but are not as experienced or as deep in knowledge on information security,” he said.
The necessary pieces to an information security team
The information security team makeup will really depend on each healthcare organization’s structure, Giannas explained. However, there are certain areas that entities should focus on.
These include general security operations, identity and access management, risk management, and security architecture. Vulnerability management, incident response, education and outreach, and reporting are also key areas to consider when building an information security team, Giannas said.
It’s about building a culture of information security, he added. Building that awareness is critical for any healthcare organization.
“Some organizations really get it from a senior leadership perspective and a board perspective,” Giannas continued. “But some other organizations are still struggling with building that culture of information security. It’s not only just building the team to support the information security officer. It’s also building that awareness and education around it across the organization.”
Making the investment in information security
Making the necessary investment in building an information security team can be difficult for organizations, Giannas noted: demand for security talent is very high, and supply has not kept up.
That is why it is important to treat security as an investment rather than just a business cost. Information security issues are not just IT problems, he said.
“Everybody within an organization needs to be aware of information security, needs to be trained, and knowledgeable regarding policies and governance as well as the risks that are out there,” stated Giannas.
For example, he said that phishing attacks often succeed because it takes only one employee clicking a malicious email or link. Many security incidents are preventable.
Healthcare organizations are looking for individuals with broad knowledge and current experience in the ever-changing information security environment, he said. Being knowledgeable about issues at the national level as well as the regional and local level will also be important.
“There’s so much we can learn from each other that if you’re just focused on your organization, you’re limiting the knowledge and understanding of what is out there,” noted Giannas. “It’s important for CISOs to represent their organization on information security internally as well as externally and be active at the regional and national level.”
The CISO role has changed over time, and is now about managing the entire threat landscape, ICIT Co-founder and Senior Fellow James Scott told HealthITSecurity.com in July 2016.
Healthcare CISOs have almost had to sell security to their organization, and it can be a challenge to explain to other C-level positions why so much more money is necessary to keep information protected.
“CISOs need to be able to say, ‘Well, 10 years ago we only needed this much money to protect the company from attacks and breaches, but now we need three times that amount and here’s why.’ They have to go in and sell the need to the board while simultaneously trying to protect their organization with virtually archaic technologies,” Scott said.
CISOs need to approach the situation by working toward solutions and trying to keep themselves from becoming overwhelmed, he added. It is also important to understand that the threat landscape itself has hyper-evolved.
“Back in the day, it was more along the lines of network security from DDoS attacks. It was a different nature of maliciousness,” he explained. “Now, as far as the role, it’s managing third parties that have indirect network access. It’s managing the whole threat landscape.”