Beverly Hills Security Summit CISO Forum. Photo: Tina Kitchen.
- What is it that keeps your CEO and Board up at night?
- How do you communicate cybersecurity risk to the Executive Leadership Team and the board, and do you talk to enterprise risk or just technology security risk?
- In planning to address ELT and board risk concerns, how are you going about the development of a security risk remediation plan?
- Have you considered the development and maintenance of a multi-year enterprise Security Roadmap and do you have anyone to help you in its development?
- What approaches work best at other healthcare entities and what can we all learn from one another?
The event was held at the Sofitel Los Angeles at Beverly Hills, and attracted several hundred CISOs, CIOs, COOs, along with various Directors of Technology, Cybersecurity and Health Information Management.
The lunch was arranged and sponsored by Optum Security Solutions, part of Optum under the UnitedHealth Group umbrella, and was hosted by Optum's Tina Kitchen.
Mark Hagland, Editor-in-Chief at Healthcare Informatics, and Richard Staynings of the HIMSS Privacy and Security Committee led the discussion.
Institutional reputation remains one of the biggest concerns, particularly at high-profile clinics attended by celebrities. But is the patient population becoming sufficiently jaded and numb to the steady stream of health information breaches that it would no longer walk elsewhere? And if most other healthcare delivery outlets have also suffered breaches, where would patients go? At the end of the day, lawsuits and restitution notwithstanding, we heard that patients want the best possible treatment they can afford, and will put up with the diminished reputation of a clinic in order to receive that care and attention.
The complexity of large health systems, particularly as mergers and acquisitions drive even larger conglomerates, creates political and technological barriers to the implementation of enterprise-wide holistic security controls and causes duplication of effort and expense. Where management of these systems has not been consolidated and centralized, the Enterprise Chief Information Security Officer will have an especially hard time. Numerous divisional leaders including CIOs and COOs need to be consulted before new security controls can be implemented, and this task becomes even more daunting for the CISO in research or academic health where conflicting business drivers can seriously compound problems in access to PHI.
The frequency and magnitude of attacks against healthcare continue to climb, as well-funded and highly motivated attackers, be they nation states or criminal gangs, ply their craft at healthcare's expense. This is keeping all of us on our toes and stretching security in many hospitals to the limit. Understanding where threats are coming from and quickly identifying potential indicators of compromise is an increasing challenge, and one where the need for help from specialist partners is becoming increasingly evident for healthcare.
Risk remediation needs to be targeted to the areas of greatest potential impact for each institution. Available resources simply don't allow for the remediation of all areas of weakness. The number of security resources available to security leaders is also a constraining factor and is leading to a dramatic increase in the consumption of managed security services from partners like Optum and others. This trend is set to continue as the availability of security resources becomes even more competitive and better-funded financial services organizations attract more and more healthcare security professionals.
Taking all these factors into account, we heard that an Enterprise Security Roadmap is becoming critical not only for security planning, but also for communicating that plan upwards to senior executives and the board. We also heard that Optum Security Solutions has had great success in helping a wide range of healthcare entities develop and maintain security roadmaps, and that these have greatly helped to reduce security risk and to stave off attacks.
Overall the lunchtime session resulted in a full and frank exchange of ideas from assembled guests along with a better understanding of what seems to work best in a healthcare environment, where compliance, institutional reputation and patient safety all play a critical role.
Attendees included:
- Sriram Bharadwa, CISO, UC Irvine Health
- Carl Cammarata, CISO, Northwestern University - Feinberg School of Medicine
- Cris Ewel, CISO, UW Medicine
- Mark Hagland, Editor-in-Chief, Healthcare Informatics
- Norman Hibble, County of San Luis Obispo - Health Agency
- Chris Joerg, CISO, Cedars-Sinai
- Tina Kitchen, Sr. Solutions Executive, Optum
- Surya Mishra, IT Director, Blue Cross Blue Shield Association
- Olaf Neumann, CIO, Inland Behavioral and Health Services, Inc.
- Casie Phillips, Regional Manager, Healthcare Informatics
- Richard Staynings, HIMSS Privacy and Security Committee