
CIO says cybersecurity is an important strategic determinant


Even as cybersecurity efforts at U.S. health systems become increasingly visible — as those organizations become increasingly vulnerable, of course, to increasingly blatant cybercriminals — information security is still often considered a secondary concern when compared with the primary task of providing health care.

But that’s not the right mindset, as two chief information officers will explain at HIMSS23 in Chicago next month.

In their panel discussion, “Cybersecurity as a must for achieving your organization’s strategic goals”, Bill Hudson, CIO at Integris Health, and Sonney Sapra, CIO at Samaritan Health Services, will make the case that, even as cybersecurity budgets are growing, too many IT leaders fail to see the extent to which infosec maturity is key to achieving strategic goals.

“Excluding cybersecurity from discussions for planning and executing transformational initiatives increases operational risk from missed opportunities to support key operational factors such as performance, assurance, compliance, and resiliency,” they said in describing the session, which aims to uncover strategic reasons the importance of security is often overlooked and explain how to integrate it into strategic plans, from the board down.

We recently spoke with Hudson about approaching cybersecurity as a must-have enterprise-wide fundamental.

Q. So will this be a talk about the broader strategic value of cybersecurity, told from the CIO’s point of view, rather than that of the CISO? What are some keys to understanding that command?

A. There are a lot of technical things you can do around security. There are a lot of operational issues around security. But I think a lot of times we don’t spend as much time as a bridge to the rest of the organization, to help them understand the “why” of it.

A lot of our security teams tend to be quite technical. And there’s nothing wrong with that. But I think helping an organization understand the importance of cybersecurity and compliance, and understanding the rationale for the process, really gives the organization a break, helps incentivize practices and standards to ensure that we are always safe and secure.

“If you think about security in the first place, it makes a big difference in how you can support it.”

Bill Hudson, Integris Health

Q. You note that, especially since the post-pandemic period, health systems are deploying more and more digital tools. How important is it to build security from the ground up as you deploy these different technologies?

A. You need to have a design right from the start. I think we’ve been operating quickly over the last few years. And as the risk grows, I think we’ll always have to keep putting things in place. But as much as possible, from a design point of view, make sure that whatever you do and build by design includes not only the security team, but the infrastructure team, the operations team, how a company works, how an instrument will be used, how it will be accessed. If you think about security in the first place, it makes a big difference in how you can support it.

There are a lot of tools we’ve introduced into the environment over the last few years that increase the risk. Some of them are web-based tools or cloud-based tools that help on-site. But the nature of a cloud-based tool presents certain risks.

So having that foundation, making sure you design security from the ground up and understand what operational needs you need to meet, will essentially help you build it in such a way that when, at some point, you do have to add some extra stuff to the environment, you can do it in a safe framework.

Q. You suggest that treating cybersecurity as a well-thought-out issue increases strategic risk from “missed opportunities” to support “performance, assurance, compliance, and resiliency”. Can you explain a little more?

A. In the past, I think we looked at this in many ways as something the security team had to focus on. But more and more, due to the work that revolves around compliance and federal regulations, the work that we have to do to ensure that we comply with our payer agreements, the federal government, the rules have been changed. This is not something a group can do but something that must be approached as an organization as a whole.

As I sit in our compliance meetings, there are representatives from human resources, as well as the legal and compliance team, in our security conversations. Even a few years ago, you wouldn’t have someone from HR, you wouldn’t have someone from strategy in that mix. The nature of how security is created in operations requires another group of people at the table. It became more of a team sport.

Q. How do you work with your CISO? I know it’s different in different organizations. Sometimes they report to the CIO, sometimes they are colleagues. What is the structure of Integris Health and how often do you compare notes together?

A. The CISO reports to me in this case. This is someone I have worked with for many years and she has a very solid knowledge base. My role is to help ensure that she and her team understand the strategic and operational direction of the organization.

Apparently she informed me of the risks we needed to be concerned about. We will be speaking to the audit committee here next week on cybersecurity as an educational activity for the board, as well as an update on our cybersecurity plan, because it is something the board is certainly interested in.

But it’s really a partnership. Regardless of whether she reports to me or not, the real issue is making sure I can help her have her voice and connect with the rest of the organization and be aware of the direction we’re taking so she can plan for it.

That includes strategic alliances and acquisitions, which are partnerships, and her role is to a) make sure we’re safe, but also make sure I’m actually planning and adapting to budget and staff constraints, and ensure that we proceed to be able to adapt to current threats.

So it is very much a partnership. This is something that we must do together to make sure it is done in the best possible way.

Q. It’s clear that Integris is forward-thinking when it comes to garnering enterprise-wide support – but not every health system is like that. What are some keys, as IT leaders, to engaging other stakeholders in the larger goal of cybersecurity?

A. There have been several national CISA warnings issued in the past weeks around threats to healthcare. But I don’t want to sound sensational, like the sky is falling. It is likely that the organization becomes familiar with it.

I think it’s important to have a conversation, in active language and human language, and say things like, “We’re going to have a bad day at some point. I can never spend enough money to make sure we are 100% protected from risk. Our job is to minimize that risk as much as possible and this is how we will do it,” and discuss partnerships.

When we talk about things that are emerging as a risk, it’s like, “Hey, we want you to be a little more careful this week. We want you to be aware, we want you, in a live group chat, to share this with your teams. These are the things we care about.”

When you have that conversation in a very calm way – here are the risks, here’s how we’ll minimize them, here’s how I’ll work with you, and how I’ll keep you informed of what’s going on – it changes the tone.

Hudson and Sapra will offer more perspectives in their panel discussion, “Cybersecurity as a must for achieving your organization’s strategic goals.” It is scheduled for Tuesday, April 18, from 1:30-2:30 pm at the South Building, 4th Floor, in room S406 B.
