Cyberattacks in the healthcare sector remain a constant threat to hospitals, compromising their ability to provide effective care and exposing them to serious financial losses and data privacy breaches. This type of cybercriminal activity shows no signs of slowing down. For example, Michigan Medicine, the university-based health system in Ann Arbor, recently reported that it experiences approximately 500,000 hacking attempts each day.
Because of these ever-increasing cybersecurity threats, healthcare systems are prioritizing the role of the chief information security officer (CISO), said Zach Durst, a consultant with leadership consulting firm WittKieffer.
“Today, the CISO is typically the only technology leader in their organization, outside of the CIO, who regularly reports to the CEO and board. The goal is to ensure that senior management understands at all times the ever-changing threat landscape and how their organization is mitigating cybersecurity risks and developing contingency plans in the event of attacks or black swan events,” he explained.
According to Durst, “almost every health system” now has a chief information security officer or at least someone with the title of director. He said healthcare organizations have finally recognized the importance of having a dedicated leader who is responsible for understanding their risk environment and establishing appropriate methods of protection.
A recent survey by WittKieffer found that about 65% of healthcare information security leaders are at the vice president or senior vice president level, with most of the rest at the executive director or director level.
To be effective, a healthcare CISO must be able to interact with nearly every executive in a health system, Durst said. That often means having a close working relationship with the chief technology officer or another executive who manages the organization’s technology infrastructure, as well as the chief data and analytics officer or another executive responsible for patient information. It also typically means having a strong partnership with the chief legal officer and chief compliance officer, Durst said.
CISOs should also work closely with their organization’s CEO and CIO to ensure the cybersecurity program is adequately resourced, he added.
“The modern CISO can’t hide behind his desk,” Durst said. “He must be visible and able to build consensus across broad groups of stakeholders.”
From his experience working with CISOs across the healthcare industry, Durst has learned that the need is not so much to invest more in cybersecurity resources and salaries, but rather to invest wisely the resources that healthcare systems already have.
From his perspective, good CISOs are pragmatic and can assess their organization’s risk tolerance and build a cybersecurity program around it with the resources available.
“While the ROI of IT security programs is difficult to demonstrate, how do you put a price on attacks prevented or avoided? Most organizations today understand the importance of cybersecurity and are funding it. Even financially strapped health systems can’t afford to take significant security risks,” he said.
Photo: Traitov, Getty Images