Sheryl Rose, chief information security officer and senior vice president at Englewood, Colo.-based Catholic Health Initiatives, discusses the evolution of the CISO role and how hospital systems can implement the best practices for data protection.
Question: What tasks require most of your time as CISO?
Sheryl Rose: The role of the CISO has evolved over the years. It's important to have a solid technical background but as recent years have shown, having a strategic, balanced approach to security is extremely important. It is critical to understand your organization's threat landscape. The potential security threats that may impact an organization are continually changing. You must have strong processes for identifying, remediating and communicating risks to your organization. In some cases, you will have to think about compensating controls in mitigating the risks as not all risks can be addressed.
I spend a lot of time focusing on the projects that will enhance our security posture. This means working with the teams to have a solid focus on people, process and technology. Cyber threats in healthcare are real, and spending your time focusing on how to prevent as well as detect [them] is critical. While I spend a large portion of my time working through our risk management processes and the associated projects, it is also extremely important to focus on strategy. Security is everyone's responsibility, and to get support it is necessary to balance the business with the security needs.
Understanding the impact of security to healthcare providers as well as patient care is significant if you want to get engagement at all levels. I spend a lot of time taking very technical security controls and metrics and turning them into meaningful business analytics that can be discussed and balanced with business need, cost, risk appetite, etc. I also spend a lot of time ensuring that our leadership team has a deep understanding of our risks and support for security initiatives. As you know, some security initiatives may pose certain restrictions from an operations perspective; balancing security controls and users' experience is a delicate balance.
Q: How do you train clinicians and front-line staff to protect patient data and avoid cyberattacks?
SR: One of the most significant threat vectors for a cyber event is phishing. Training your end users is critical, but not just training: getting them to truly understand the potential impact of their actions. It is beneficial to continue to enhance your training to focus on healthcare security as well as specialized role-based training. It is a balance to do so when clinicians' priority is patient care, but through thoughtful, ever-changing awareness training and scheduled phishing exercises, more awareness can be brought forward. Cybersecurity and awareness training cannot be underestimated even though we continue to implement technical controls in managing phishing threats.
Q: What do you see as the next big cybersecurity threat hospitals should look out for and why?
SR: I don't know if there is something specific for the 'next big thing' hospitals should look at. Instead, I think continued steady improvement in your security risk posture is important. Security isn't all about technology; it is critical to balance your people and processes as well. Having solid preventative controls but ensuring you align those with detective controls is key. The healthcare industry is making huge leaps into the technology space with consumer demands, mobile applications, [Internet of Things] and telehealth. These are definitely areas to engage and make sure you understand your organization's risks. The industry overall continues to see complex agreements with physician practices and partnerships with other organizations that change the risk landscape dramatically. The outsourcing of technology and the impact of cloud service providers in the healthcare space require an emphasis on third-party risk management programs to closely monitor existing and new partners' security practices.
Q: What do you consider to be the most important aspect in hospital data protection?
SR: The amount and the type of confidential data handled by healthcare entities, and the ability to apply a true risk management approach in identifying critical infrastructure systems and critical data. I definitely see a lot of partnership in collaborating IT, business and operations leaders in addressing operational security risks. One of the most important aspects of hospital data protection is educating your end users on the criticality of the data they handle and providing them guidance on how to transmit or store this data. In addition to this, having a strong data loss prevention program provides detective controls to identify where sensitive data may be at risk. Finally, most healthcare organizations do not have unlimited funds to address IT and security-related risks. It is important to be creative in addressing significant risks facing an organization. As always, a cybersecurity program is a journey, not a destination.
To learn more about hospital and health system cybersecurity, as well as the key trends for CISOs, register for the Becker's Hospital Review 4th Annual Health IT + Revenue Cycle Conference Sept. 19-22, 2018 in Chicago.