ORLANDO – The role of the healthcare chief information security officer has changed substantially in recent years. Speaking Monday at the HIMSS22 Healthcare Cybersecurity Forum, Erik Decker, CISO at Intermountain Healthcare, explained how.
“We have moved beyond data,” he said. “It’s not just about privacy and confidentiality anymore. What about resiliency? Cybersecurity is patient safety. Downtime means delay of care, and delay of care means patient safety. That is our charge.”
Vugar Zeynalov, CISO at the Cleveland Clinic, noted the difference with which the C-suite views security pros in recent years, now that ransomware is rampant and cyber threats are a daily way of life.
“Many years ago, I was presenting a cyber update to the executive team and the CEO listened, then he crossed his arms, turned to the table and said, ‘Did anyone understand what the hell he was talking about?’” he said with a laugh.
“Fast forward, last year, the CEO of the Cleveland Clinic went public saying that he believed that apart from a natural disaster of epic proportions, cybersecurity is the number one risk to the clinic – because it’s probably the only thing that can disable delivery of care for weeks, if not months.”
The goal of the panel was to discuss “What is the CISO state of mind in 2022?” Are all those people coming back to the office? What do hackers have in store for us this coming year? Will ransomware continue to keep CISOs up at night?
Zeynalov joked that he sleeps like a baby: Every two hours he wakes up crying.
But seriously, the CISOs expressed a level of confidence that they can handle the intrinsic and widespread security challenges of a fast-changing healthcare environment.
Anahi Santiago, CISO at Delaware-based ChristianaCare, said her health system is driven by a “strong belief that through technology we can really transform healthcare. And so we’re really focused on really pushing out how we deliver care through virtual means and at the home.”
As a CISO, she said, “that’s a really exciting place to be, because we’re doing things that really haven’t been done traditionally across the industry, and trying to figure out how to pave the way from a security perspective, and figure out how we can still fulfill our mission of protecting data and protecting technology when it is no longer running on our network and when it’s running in somebody else’s house.”
That said, it “doesn’t absolve us of having to do the same things that we do when things are on our network,” said Santiago.
“And so having to figure out how to secure devices that are running on somebody else’s network, and how to still consume the telemetry from a security perspective, that we need to in order to protect those devices and how to do the things that we’re probably struggling with on our own network around patch management and vulnerability management, and incident response when it’s no longer connected to our network, are things that are top of mind for me, things that we’re having to solve for on the fly.”
At Intermountain, the challenges have to do with growth and scale.
“There’s been a lot of acquisitions, a lot of spinoff companies or new ventures, new types of engagement that way,” said Decker.
“When we think about the cyber program and having one cyber program that scales across all of Intermountain, currently dominantly in three states, we’re closing a big merger on April 1. We’ll be a six-state region at that point. How do you have one cyber program that fits across a six-state region?”
“If you can enumerate the entirety of your cyber program into a service catalog so that you can think about the full denominator, the full list of things that you do. Then it’s a matter of as part of that playbook for the integration point after you do the closing with not all the due diligence ahead of time, it’s a matter of scaling those services into those areas.
“One of the other things that we’re doing is we’ve established a team,” he added. “I actually have a service management team dedicated to cybersecurity, and they are heavily focused on all of this, as well as establishing liaisons with the regions.
“We have to realize that we are the business,” said Decker. “That’s the CISO’s job. We are supposed to be business leaders of the organization. And that means that we are responsible for making sure the business is successful.”