Can Health Systems Afford to Overlook the CISO Role?

As a result of ever-growing cybersecurity threats, health systems are prioritizing the role of the chief information security officer, according to a consultant at WittKieffer.

Healthcare cyberattacks remain a constant threat for hospitals, endangering their ability to provide efficient care and putting them at risk for serious financial losses and data privacy violations. This type of cybercriminal activity doesn’t seem to be slowing down any time soon — for example, Ann Arbor-based Michigan Medicine recently reported that the health system experiences about 500,000 hacking attempts each day.

As a result of these ever-growing cybersecurity threats, health systems are prioritizing the role of the chief information security officer (CISO), pointed out Zach Durst, a consultant at leadership advisory firm WittKieffer.

“Today, the CISO is typically the only technology leader in their organization other than the chief information officer who regularly reports to the CEO and board of directors. The goal is to ensure that top leadership, at all times, understands the ever-evolving threat landscape and how their organization is mitigating cybersecurity risks and developing contingencies for attacks or black swan events,” he explained.

Durst declared that “nearly all health systems” now have a CISO or at least a leader with a director title who is responsible for information security. In his view, healthcare organizations have finally recognized how important it is to have a dedicated leader focused on understanding their risk environment and establishing the appropriate protection methods.

A recent survey conducted by WittKieffer found that about 65% of healthcare information security executives are at the vice president or senior vice president level, with most others at the executive director and director level.

To be effective, a healthcare CISO needs to be able to interact with nearly every leader in a health system, Durst noted. This often involves a close working relationship with the chief technology officer or another leader who manages the organization’s technology infrastructure, as well as the chief data and analytics officer or another leader who is in charge of patient information. It also usually means having a strong partnership with the chief legal officer and chief compliance officer, Durst pointed out.

CISOs also need to work closely with their organization’s CEO and CIO to ensure the cybersecurity program is adequately resourced, he added.

“The modern CISO can’t hide behind their desk,” Durst said. “They have to be visible and capable of driving consensus across broad stakeholder groups.”

From his experience speaking with CISOs across the healthcare industry, Durst said he hears that the need isn’t so much for greater investment in cybersecurity resources and salaries as for thoughtfully investing the resources that health systems already have at their disposal.

From his point of view, good CISOs are pragmatic and can assess their organization’s risk tolerance and build a cybersecurity program around it with the resources available. 

“While the return on investment for information security programs is hard to show, how do you put a price on attacks that are prevented or avoided? Most organizations viscerally understand the importance of cybersecurity today and will fund it. Even financially strapped health systems can’t afford significant security risk,” he declared.