November 3, 2024
Three Key Challenges for Healthcare CISOs

Cybersecurity is continuously evolving and adapting, which can be onerous in health care environments especially as the number of cyberattacks against hospitals — often in pursuit of sensitive patient and financial data — skyrockets.

Hospitals are in an increasingly vulnerable position today due to the growth of connected devices employed in health care facilities worldwide. The recent ransomware attack on Change Healthcare highlighted vulnerabilities that exist within the industry (and its supply chain) and the wide-ranging impacts that inadequate security can have on hospital operations.

This makes the already critical position of Chief Information Security Officers (CISOs) more difficult in the healthcare space. Today, there are three key challenges for healthcare CISOs to contend with.

1. Keeping up with the latest healthcare technology

By nature, health care organizations must balance innovation and progress with the priority of protecting patient safety. Innovation is requisite for reducing burdens on nurses and physicians and offering the highest quality of care in an increasingly complicated economic climate. The speed of this change has been amplified as the new, tech-native generation of physicians calls for wearables, Internet-of-Things (IoT) devices, the latest imaging machines, and more.

However, adopting new technology requires architectural vetting, contract reviews, and significant time and resources. The process of managing technology lifecycles is an uphill battle for CISOs in any organization, especially as complex new technologies emerge. Incorporating innovative technologies must also be done in tandem with “keep the lights on” systems like maintenance, upgrades, and patching, and CISO workloads are facing an all-time high.

Fortunately, there are ways for CISOs to streamline existing processes without curbing the flow of technological upgrades, such as preparing contract templates, setting clear expectations, and improving project resourcing and portfolio management. Information technology (IT) and information security teams should also be incorporated into the technology planning processes. These teams can provide invaluable counsel to hospital leadership — input that could make-or-break the successful implementation of novel technologies.

2. Making impactful IT investments that demonstrate value

CISOs and senior leadership should consider IT investments as strategic business assets that generate innovation, promote collaboration, and introduce scalability. At a time when hospital staff experience record levels of burnout across the industry, introducing modern technology can lighten workloads for care providers while lowering costs. Investments that eliminate tedious manual processes, reduce safety risks, cut down diagnostic times, and streamline the revenue cycle provide the most obvious value to the organization. Health care facilities should also seek ways to minimize clinician “pajama time,” or after-hour administration work, to help alleviate burnout and lessen the burden of the ongoing physician shortage.

While some technology is universally welcomed, not all IT investments provide equal advantages to the organization. Health care organizations run on tight margins, and despite the obvious value of cybersecurity investments, CISOs often face an uphill battle when communicating the return on investment of risk reduction strategies. CISOs can address hesitation by quantifying the potential impacts of cyber risk reduction efforts. For example, when communicating the value of a proposed new IT investment, CISOs can use the Factor Analysis of Information Risk (FAIR) model or to estimate the value of hourly downtime avoided relative to average daily revenue.

Anticipating workforce needs, constant communication with other stakeholders, and linking technical risks to business outcomes are key to ensuring that security practices and IT investments are in alignment with the facility’s needs and expectations.

3. Championing cybersecurity practices hospital-wide

Some of the most cumbersome elements of an information security role involve communicating the importance of security protocols to staff and linking technical risk to real-world outcomes. Clinical staff handle a daily influx of complex patient requests and tasks, and CISOs must provide enough security information to be effective without adding extra burden, continuing to reinforce best practices over time.

CISOs can effectively share cybersecurity information through organization-wide forums such as leadership meetings, town halls, and committees. The information security team can provide updates through these forums and develop outreach programs to educate the workforce on the latest security enhancements and requirements. Having hospital leadership share cybersecurity information also helps underscore the importance of these practices.

Health care CISOs should take on the role of an advocate when educating IT teams and broader hospital staff about the importance of existing and new security measures. Making the information security and IT teams accessible to staff who have questions will help maintain or ramp up hospital-wide security processes. It is also important for these teams to be able to provide clinical staff with reasoning for administrative and technical controls that may seem tedious to avoid any internal resistance and ensure smooth adoption.

The changing role of security

Health care organizations face numerous cybersecurity challenges as security and IT teams continuously work to maintain data and systems security against evolving cyber threats. The need to address these challenges is critical as cyberattacks on hospitals grow and complexify. Fortunately, there are several steps that CISOs and cybersecurity professionals can take to get ahead of looming digital threats in the healthcare space. Streamlining technology adoption, integrating teams and hospital leadership when making purchasing decisions, and finding new avenues to share cybersecurity information will help CISOs bring their organization and the broader health care industry to a safer, more secure place.

Photo: anyaberkut, Getty Images


Sahan Fernando is the Chief Information Security Officer for Rady Children’s Hospital, one of the nation’s top pediatric health care systems. His experience includes security operations and engineering, incident response, and IT and Information Security Program Development in different verticals. He has spoken at multiple security conferences including Bsides CLT, Health-ISAC, Blue Team Con, and Epic XGM. In addition to industry certifications, he is a member of the Tribe of Hackers: Blue Team organization and serves on the board for Health-ISAC and advises other industry groups and government.

This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers. Click here to find out how.

link

Leave a Reply

Your email address will not be published. Required fields are marked *