[BreachExchange] How Cybersecurity Affects the Evolving Healthcare CISO Role

Audrey McNeil audrey at riskbasedsecurity.com
Fri Mar 17 15:49:11 EDT 2017


http://healthitsecurity.com/news/how-cybersecurity-affects-the-evolving-healthcare-ciso-role

March 14, 2017 - The healthcare C-suite continues to evolve alongside
increasingly complex cybersecurity threats. Healthcare CISOs must now have
knowledge in many areas, and understand just how far the repercussions of a
data breach can reach.

The scope of the Chief Information Security Officer (CISO) role has expanded
greatly over the past few years, according to Medical University of South
Carolina (MUSC) CISO Matt Klein. It is now more critical for CISOs to have
well-rounded backgrounds and experience in numerous areas, going beyond
privacy and security alone.

Before recently joining MUSC, Klein spent 10 years at Anthem, Inc., where he
led Information Security strategic projects and teams. At Anthem, he said,
his roles spanned functional areas including network security, vulnerability
management, database security, application security, encryption,
configuration management, shared services, and architecture and strategy.

“The CISO role has become quite dynamic when you think about the breadth of
topics a CISO is asked to contribute to,” Klein explained in an email to
HealthITSecurity.com. “Risk management, privacy, legal, compliance and
technology – you name it, the CISO is bound to be involved at some level.”

Klein added that CISOs must be strong listeners to understand and
contribute to the success of an objective or situation.

“[CISOs need to] be a great partner – meaning truly wanting to come out of
a situation with a win-win experience,” Klein stated. “And they must be a
willing sharer of knowledge to help others, no matter their place in the
organization, to learn and grow as a professional.”

Healthcare cybersecurity issues are ever-evolving, and it is difficult to
predict exactly which threats lie ahead in 2017 and beyond. However, Klein
explained that most providers need to take a hard look at foundational IT
and information security best practices in order to address future threats.

“One concept I learned from a past leader goes something like, ‘If you want
great Information Security, you need great IT.’ That translates to doing
the basics the right way – consistent processes, well documented
infrastructure, standardized and simplified technology services and
continuous improvement across the board,” he said. “Far too often do we
read about not doing the basics – in IT or Information Security - leading
to a security incident.”

Covered entities also continue to implement new technologies, such as
mobile devices for BYOD strategies or even connected medical devices.
Providers must strive to find the delicate balance between innovation and
security, Klein maintained.

“The key to the balance of innovation and security is having line of sight
into the organizational strategy,” he stressed. “Most in our field tend to
complain that Information Security is the last to know about a new project
or capability that was purchased, and that needs to change. If Information
Security is informed early about a needed or wanted capability to deliver
healthcare, more guidance can be provided to secure those innovation
solutions. Being seen by the organization as a great partner, and not as a
barrier, helps here.”

Strong cybersecurity measures are essential, but it is also important to
remember that such measures span everything from security awareness
training to the decryption and inspection of network traffic, Klein added.

“Overall, both covered entities and business associates should be layering
balanced security controls that align to the functions outlined in the
[NIST] Cybersecurity Framework – identify, protect, detect, respond,
recover,” he said. “One area that is troublesome is Information Security
talent availability. You can install best of breed technology tools, but if
your organization doesn’t know how best to run them or better yet,
synthesize the data that comes from the tools, the value of the tools is
significantly diminished.

“Training and real world exercises are vital to ensuring you get the most
value from the Information Security investments you choose to make.”

Trying to remain innovative while maintaining security, and ensuring that
employee workflow is not impeded, can lead to ‘solutions fatigue’ for some
CISOs, ICIT Co-founder and Senior Fellow James Scott explained in a 2016
interview.

Modern CISOs may feel pressure to find comprehensive solutions, but they
also face an overabundance of vendor offerings to choose from.

“It seems like they’re torn between the technological side of security and
the day to day aspects of working with management for the business model,”
said Scott. “There is also the financial component of having to spend money
on layered security, and understanding how they demonstrate that with the
ROI. There’s all these contributing factors while simultaneously there is
the evolving threat landscape.”

For healthcare CISOs, solutions overload is also often driven by the
vulnerability of their networks. “Frankensteined” technologies, in which
devices that were never designed to be networked are adapted so they can
be, add to this problem, Scott stressed.

“They are dealing with sophisticated APTs, that are state-sponsored or
mercenary,” he said. “But they are also dealing with the random ransomware
email that uses extremely basic social engineering to get in, like through
an email. Dealing with employee education is also important. They’re
dealing with everything.”