Selecting The Right CISO
April 13, 2015
Mac McMillan, Chair, HIMSS Privacy & Security Task Force
Heather Roszkowski, CISO, The University of Vermont Medical Center
DISCLAIMER: The views and opinions expressed in this presentation are those of the author and do not necessarily represent official policy or position of HIMSS.
Conflict of Interest: Mac McMillan, MA; Heather Roszkowski, MSIA. No real or apparent conflicts of interest to report.
© HIMSS 2015
Learning Objectives
1. Assess current operational and threat environment factors that inform the working knowledge that CISOs must possess to succeed in Healthcare
2. Identify the required skills, knowledge and experience healthcare information security officers need today
3. Explain how to build the critical structures and a supportive ecosystem to enable a successful information security program
4. Develop the knowledge to recruit, select and fill key information security positions with the right candidates
Understanding the Value of the CISO
• Greater Confidence, Trust & Patient Safety
• Operational Savings
• Patient, Provider, Staff Satisfaction
• Quality & Safety
• Reliable Data
• Prevention
• Patient Education
Source: An Introduction to the Benefits Realized for the Value of Health IT
Agenda • Your Cheese Has Moved • Professional Skills • Personal Skills • Environmental Factors • Q&A
Polling Question
Is security in your organization perceived as:
A. A top priority
B. Somewhat a priority
C. A lesser priority
D. Not a priority
Your Cheese Has Moved
Understanding The Importance of The Professional CISO
Security Challenges Are Increasing
• Insider threats
• Supply chain risks
• Medical device insecurity
• Malware & advanced persistent threats
• Mobile devices & mobile apps
• ID theft & fraud
• Physical theft & loss
• Emerging threats
Security Incidents Are Costing Us More
• Discovery, Notification & Response
• Business Disruption
• ID Theft Monitoring
• Investigation/Review
• Civil Penalties
• Federal CAP/RA
• State Actions
• Law Suit Defense
• Criminal Penalties
• Insurance
• Degradation of Brand/Image
• Distraction of Staff
• VBP Payments Impacts
• HCAHPS Score Impacts
• Patient Confidence/Loyalty
• Physician Alignment/Nurses and Staff Agreement
The Threat Has Evolved
• 4M medical records maintained on four workstations
• Physician loses laptop with psychiatric patients’ records
• Neurologic institute accidentally emails 10,000 patient records to 200 patients
• Phishing/hacking nets nearly $3M from six healthcare entities
• University reports laptop with patient information stolen out of student’s car
• Printers returned to leasing company compromise thousands of patient records
• Portable electronic device with patient data stolen from hospital
• 2200 physicians victims of ID theft/tax fraud
• Vendor sends 800 letters with patient information to the wrong addresses
• Vendor sells hospital’s X-rays (films) to third party
• 400 hospitals’ billings delayed as clearinghouse hit with ransomware
• Resident loses track of USB with over 500 orthopedic patients’ information
• APT causes major breach, 4.5M patient records stolen
• Physician robbed at gunpoint, threatened for passwords
• State sponsored foreign hackers attack, 80M identities stolen
Increased Reliance & Hyper Connectivity
• Today’s CISO has to understand business needs
• Must have security expertise to match the cyber threats and business demand
• Understanding HIPAA is not enough in today’s modern health IT environment
• It’s not about compliance, it’s about assurance
Factors: Big Data, Physician Alignment, BYOD, Patient Engagement, Supply Chain, HIEs, MU, Ingestibles, BAs, ACOs, Research
Polling Question
Do you have a dedicated security position, CISO, for your org?
• Yes
• No
Yet, We Still Suffer From Insufficient Resources
• In 2014 HIMSS study HC CISOs gave themselves an average maturity rating of 4.35 on a scale of 1-7
• Many reported missing critical technologies to fight today’s threats
• More than half of healthcare entities spend less than 3% of their IT budget on data protection
• Less than half have a full time CISO or information security manager
• Many healthcare security managers are first timers
Source: 6th Annual HIMSS Security Survey. Feb. 2014.
Professional Skills
Program Vision
• Risk Management: Defining an integrated risk management approach that is right for the business.
• Promoting Governance: Understanding the right information to report to the right body to promote oversight support for the program.
• Appropriate Policies: Effectively crafting and communicating policies that support the business operations and goals.
• Creating Structure: Ability to develop and implement the right security framework to address all laws, regulations, standards, etc. that apply to the business.
• Creating Accountability: Establishing a culture of privacy and security that is aligned with the business.
• Achieving Compliance: Ensuring that compliance is an important side benefit of effectively securing the business and its data.
Addressing Risk
• Contingency Planning: Effectively lead development of an actionable disaster recovery and continuity program with business owners.
• Handling Incidents: Implement proactive measures to identify, investigate, document and communicate potential and real breaches.
• Being Responsible: Promote and assist in auditing controls and processes to ensure effectiveness and integrity.
• Know Yourself: Ensure appropriate due diligence by facilitating on-going mitigation of risk through regular and periodic assessment.
• Know Your Enemy: Understand what threats concern the business and monitor proactively for signs or indications of their presence.
• Analyze Information: Analyze info from incidents, logs, assessments, processes, workflows, etc. to identify threats and to inform selection/implementation of controls.
Managing Others
• Vendor Management: Develop and implement processes to assess life cycle risks associated with external service providers, consultants and partners.
• System Selection: Identify requirements and establish processes for timely assessment of new technology.
• Mergers & Acquisitions: Assess risks to support due diligence negotiations and educated incorporation of assets.
• Setting Expectations: Set service level agreements that guide program outcomes and service expectations for stakeholders.
• Resource Planning: Develop, defend and implement budget and resource planning that solicits key stakeholder inputs and priorities.
• Security Advocates: Select and foster key individuals throughout the organization to act as security advocates; use them to provide value to ongoing security initiatives.
Personal Skills
Are Certifications Important? (Knowledge, Credibility, Value, Experience)
• Basic Learning: Certain certifications represent a starting point in determining some formal knowledge of security principles and practices.
• Advanced Learning: Other certifications demonstrate specialization in a particular security discipline or focus and depth of knowledge.
• The Right Certification: When selecting an ISO, certifications that demonstrate more practical knowledge of managing security, like the CISM, are more valuable, as are other certifications that show a broader experience (e.g. PMP, CHP or CISA).
• Most Important: There is no replacement for experience, which is far more important than certifications. Certifications say “they should know how to do it”; experience says “they have done it”.
Polling Question
Where or to whom does your CISO report?
A. CEO/COO
B. CFO
C. CIO
D. General Counsel
E. Compliance
Find People Who Can Create Success
• Information: People like to know what is happening and why. Provide updates often, synthesize essential points and deliver in concise messages.
• Alignment: Look at security from the customer’s point of view; if you are perceived as understanding their plight/goals they are more apt to listen.
• Appropriateness: Apply security realistically, keep it simple when possible, so when hard decisions are necessary they’ll be more supportive.
• Service: Remember the business does not exist for security; security exists because of the business. Your job is to serve, to enable.
Building A Supportive Ecosystem
Many Different Models
CISOs have been found in many different organizations within Healthcare entities. The majority are found in Information Technology, followed by Compliance, Finance, Legal, and occasionally a few others.
Does Placement Matter?
Models: CISO is CIO; CISO reports to CIO; CISO layers below CIO.
In Healthcare 90% Report to CIO
• Pros:
– Access to executive leadership
– “C” level skills & org awareness
– Easier to make IT change to promote security
– Increases influence for CIO
• Cons:
– IS oversight is limited
– May detract CIO attention from other priorities
– Conflicts of interest
– Loss of full organizational access
Polling Question
Do you feel security has enough visibility in the org?
• Yes
• No
It’s As Much About Who As It Is Where
• Short answer: CISOs have been equally successful and unsuccessful in nearly all organizational structures.
• The keys to success or failure include ability of the person, level of visibility and real support for the program, the position and the person.
• The executive team should be regularly briefed by the CISO.
“When the board took an interest in the program, things changed, resources started coming.”
Program Management
• Leadership: The CISO needs to be able to create vision, influence others and motivate the organization to follow.
• Relationship Building: Effectively create alliances by assisting others. Giving support is how you get support.
• Articulating Threat: Effectively explaining risk to the business, not just to systems and data, is critical to being relevant and heard.
• Healthcare Acumen: Hospital executives expect CISOs to be able to relate security requirements to the mission of providing safety and care.
• Planning Ahead: Planning enables communication of priorities, budget defense, identifying objectives and measurement.
• Human Nature: Understanding human behavior is critical to understanding the most volatile element in security…people.
Building Collaboration
• Effective Relationships: Proactively working security issues with key stakeholders: Compliance, Legal, Internal Audit, etc.
• Communicate Status: Establish regular reporting of performance, business accomplishments and maturity of program.
• Representation: Establish relationships with external agencies, law enforcement and others that can provide valuable threat information and support.
• Collegiality: Demonstrate the presence and maturity to work effectively on teams, committees, boards, etc. to secure support for security.
Other Factors
• Know the Limits: The organization (and the CISO) need to know what tools are better managed internally vs. externally.
• How To Say ‘Yes’: It is important for the security team to help find a way to say ‘yes’ but not be afraid to say ‘no.’
• Establish Security Council: The council can help prioritize initiatives and champion changes.
• Predictability: Build predictable processes to deal with unpredictable circumstances.
• Impact: Know and understand the impact that implementing security tools has on the customer and, more importantly, the patient.
• Patient Safety: Poor information security can put the patient at risk.
Recruiting For Success
Healthcare Needs CISOs That…
• Are leaders
• Possess business acumen
• Are comfortable managing risk
• Embrace enablement
• Think strategically, act tactically
• Are effective communicators
• Are able to drive process
• Understand and apply psychology/sociology
• Are politically savvy
• Know privacy & security
• Possess endless curiosity
Multiple Benefits Accrue From Having a Qualified Dedicated CISO
• Savings
• Satisfaction
• Quality & Safety
• Reliability
• Prevention
• Education
Qualified CISO: Greater Confidence, Trust & Patient Safety
Questions
• Mac McMillan, mac.mcmillan@cynergistek.com, 512.402.8555, @mmcmillan07
• Heather Roszkowski, heather.roszkowski@uvmhealth.org, 802.847.8100