The healthcare C-suite continues to evolve, along with the increasingly complex cybersecurity threats. Healthcare CISOs must now have knowledge in many areas, and understand just how far data breach repercussions can go.
The Chief Information Security Officer (CISO) role has greatly increased over the past few years, according to Medical University of South Carolina (MUSC) CISO Matt Klein. It’s now more critical for CISOs to have well-rounded backgrounds, and experience in numerous areas, going beyond just privacy and security.
Recently joining MUSC, Klein had spent 10 years working for Anthem, Inc. In that role, Klein led Information Security strategic projects and teams. At Anthem, he explained that his roles were across functional areas including network security, vulnerability management, database security, application security, encryption, configuration management, shared services, and architecture and strategy.
“The CISO role has become quite dynamic when you think about the breadth of topics a CISO is asked to contribute to,” Klein explained in an email to HealthITSecurity.com. “Risk management, privacy, legal, compliance and technology – you name it, the CISO is bound to be involved at some level.”
Klein added that CISOs must be strong listeners to understand and contribute to the success of an objective or situation.
“[CISOs need to] be a great partner – meaning truly wanting to come out of a situation with a win-win experience,” Klein stated. “And they must be a willing sharer of knowledge to help others, no matter their place in the organization, to learn and grow as a professional.”
Healthcare cybersecurity issues are ever-evolving, and it is difficult to predict exactly what potential threats lie ahead in 2017 and beyond. However, Klein explained that most providers have to take a good look at foundational IT and information security best practices to address future threats.
“One concept I learned from a past leader goes something like, ‘If you want great Information Security, you need great IT.’ That translates to doing the basics the right way – consistent processes, well documented infrastructure, standardized and simplified technology services and continuous improvement across the board,” he said. “Far too often do we read about not doing the basics – in IT or Information Security - leading to a security incident.”
Covered entities also continue to implement new technologies, such as mobile devices for BYOD strategies or even connected medical devices. Providers must strive to find the delicate balance between innovation and security, Klein maintained.
“The key to the balance of innovation and security is having line of sight into the organizational strategy,” he stressed. “Most in our field tend to complain that Information Security is the last to know about a new project or capability that was purchased and that needs to change. If Information Security is informed early about a needed or wanted capability to deliver healthcare, the more guidance can be provided to secure those innovation solutions. Being seen by the organization as a great partner, and not as a barrier, helps here.”
Strong cybersecurity measures are essential, but it is also important to remember that cybersecurity measures could include anything from security awareness to network traffic decryption and inspection, Klein added.
“Overall, both covered entities and business associates should be layering balanced security controls that align to the functions outlined in the [NIST] Cybersecurity Framework – identify, protect, detect, respond, recover,” he said. “One area that is troublesome is Information Security talent availability. You can install best of breed technology tools, but if your organization doesn’t know how best to run them or better yet, synthesize the data that comes from the tools, the value of the tools is significantly diminished.
“Training and real world exercises are vital to ensuring you get the most value from the Information Security investments you choose to make.”
Trying to remain innovative while maintaining security, and ensuring that employee workflow is not impeded, can lead to ‘solutions fatigue’ for some CISOs, ICIT Co-founder and Senior Fellow James Scott explained in a 2016 interview.
Modern CISOs may feel pressure to find comprehensive solutions, but there is also an overabundance of vendor solutions.
“It seems like they’re torn between the technological side of security and the day to day aspects of working with management for the business model,” said Scott. “There is also the financial component of having to spend money on layered security, and understanding how they demonstrate that with the ROI. There’s all these contributing factors while simultaneously there is the evolving threat landscape.”
With healthcare CISOs, their solutions overload is also often due to the vulnerability of the network. “Frankensteined” technologies, where certain devices that were not meant to be connected to a network are adjusted to do so, can also add to this problem, Scott stressed.
“They are dealing with sophisticated APTs that are state-sponsored or mercenary,” he said. “But they are also dealing with the random ransomware email that uses extremely basic social engineering to get in, like through an email. Dealing with employee education is also important. They’re dealing with everything.”