As healthcare IT continues to evolve, the C-suite is also expanding and becoming more intricate. Individuals in leadership positions need to keep data privacy and security issues top priorities, especially as healthcare remains a target for cyber criminals.
Witt/Kieffer’s Chris Wierz told HealthITSecurity.com that healthcare organization leaders cannot afford to ignore potential cybersecurity issues, and that preparing for potential data breaches must remain a key focus area.
Wierz is the co-practice leader for Witt/Kieffer’s IT practice. Witt/Kieffer focuses on healthcare and higher education hiring in the C-suite, Wierz explained.
Originally a nurse by profession, Wierz said that she has been in IT for over 35 years and was always in the healthcare space.
Referencing a CHIME panel she was on in 2016, Wierz explained that there are four main potential minefields that CIOs may encounter.
The first area of concern is security and privacy, followed by disasters and downtime, troubled projects, and leadership changes.
“I basically started off the conversation by saying that, generally, there isn't an event that will derail your whole career, but there are definitely minefields out there that can get you fired. It's more a matter of how do you respond to a security breach? How do you respond to a minefield?”
Wierz added that Witt/Kieffer tries to help CIOs understand how their organization will respond to them being in charge.
“In the case of security and privacy, it's become such a huge issue in terms of being on the top of everybody's priority list and probably the most visible and potentially the most costly area,” she said. “That’s one of the reasons why we put it first.”
Healthcare security issues are increasing, and while they can be handled, there are many different ways to manage them, Wierz said. It is also not a matter of if an organization suffers a data breach, but when, and how that incident is managed.
“We've seen people get fired for security issues where something has happened and they're the point person, or the tip of the spear that gets the fall for that,” she explained. “But it really depends on the level of failure and the response to that incident.”
The success can be seen in terms of how well people have responded, how transparent they were through the process, and how they communicated the issue in the organization and to the people who were impacted, Wierz stressed.
A data breach can also be used as a reason for an individual to be fired, but that may not have been the original reason, she maintained.
“Maybe the organization wanted a leadership change and they probably weren't honest enough to be transparent to say, ‘Let's have a conversation about we don't think this is working,’” she said. “Then there's a security incident, and then based on that, they say, ‘Okay, you're going.’”
Overall though, healthcare privacy and security issues are increasingly hot topics in the healthcare sector.
“Privacy and security have become such a huge topic and the awareness at the board level has increased,” Wierz noted. “It is at the board of trustees level in terms of awareness around security and the board is acting. They’re asking, ‘What's happening? What are we doing? How secure are we? What can we do?’ The role has become even bigger and more and more important.”
Searching for the right CISO to balance security, workflow
Furthermore, security has become much more of a separate issue to the point that when organizations search for a CISO, those that are most aggressive are looking at it not just from an IT perspective, she explained.
Entities are searching for CISOs who will have capabilities to make change that isn’t managed strictly within an IT scope. These individuals will need to have more visibility across the board.
“We're seeing organizations looking for the credentials behind the individual, such as their experience in setting up security assessments and security planning,” Wierz said. “But they’re also looking for experience in handling security issues so that people can say, ‘How did you handle it? Did you go off the deep end or did you handle it in a professional way with the right transparency and communication? Did you learn from that?’”
These individuals will also need to know how to maneuver through the politics of security, she added. That way, they don't lock everything down so that employees cannot do their jobs. CISOs need to communicate and strategize with those end users so that there is the right level of security, along with the understanding that the end user knows why it is in place, Wierz maintained.
“At the same time that the security is protecting the organization, it is also allowing that end user to do his or her job,” she said.
It’s a fine line between security and operational workflow that CIOs and CISOs need to balance. An overzealous individual might just lock everything down, which is not going to work because employees will just find a way to work around it. From there, even more problems may be created, she explained.
Data privacy and security training is also essential, and everyone from the C-suite to regular employees needs to understand how to keep information secure.
“Educating users around the intent of what [a tool] is supposed to do and around understanding why they’re doing it, how they’re doing it, what they’re doing is critical,” Wierz stated. “They need to know there is opportunity for input and discussion. That whole transparency starts at the training but doesn't stop.”
Strong management paired with ongoing training will help ensure that staff members at all levels stay educated on data privacy issues. That ongoing training is the “tip of the iceberg” in terms of how to prepare users for understanding the security issues, said Wierz.
“There's a real need to make sure that more CISOs are cultivated, and that there is mentoring going on for more CISOs in the healthcare state,” she stressed. “It is in such demand right now, and that demand certainly outweighs the supply out there for the right CISO.”
The C-suite makeup in healthcare has changed over time, he said, due in part to increasing privacy and security concerns. Even though the CISO reports to the CIO, they need to be visible at all levels of the organization from the board on down.
Healthcare organizations need to build a culture of information security, Giannas said. Building that awareness is critical for any healthcare organization.
“Some organizations really get it from a senior leadership perspective and a board perspective,” Giannas explained. “But some other organizations are still struggling with building that culture of information security. It’s not only just building the team to support the information security officer. It’s also building that awareness and education around it across the organization.”