Tips for a CISO Navigating Health Care Cybersecurity Standards

By: Pam Baker


Every C-level leader in the health care sector is well-versed and well-practiced at meeting the compliance requirements unique to the industry. Bringing organizational cybersecurity up to standard is harder for the chief information security officer (CISO), though: standards exist, such as those from the National Institute of Standards and Technology (NIST) and HITRUST, but there is no single, industrywide benchmark that defines what the organization will be held accountable to.

“Right now, you have multiple sheriffs on the road, all saying they have different speed limits. So which is right, which one is wrong?” asked Aaron Miri, chief information officer at Dallas-based Walnut Hill Medical Center, in FierceHealthIT. “NIST is a fantastic framework, HITRUST is a fantastic framework, but which one is it? Which one am I going to be held accountable to?”

Adding to the CISO's headache is the growing complexity of health care IT systems, which range from big data and analytics platforms facing ever higher demands to siloed, heavily regulated and technically problematic electronic health record (EHR) systems. Disparate data and systems are hard to protect, and the complexity within and between them keeps growing.

Four Tips for a CISO

Here are a few tips CISOs can apply to navigate this quagmire and build a strong health care cybersecurity framework.

1. Collaborate With the Entire C-Suite

The demands on IT and InfoSec are so high these days that it’s easy to get locked into a silo. The problem is that while you have your head down, you and your staff can be blindsided by threats you didn’t see coming, shadow IT rebels introducing new vulnerabilities and complaints from business users who find security processes bottlenecking their progress.

Begin to unravel these untenable situations by establishing a close partnership with the rest of the C-suite and getting a clearer understanding of company goals and division plans. You can also achieve buy-in more easily when everyone feels they have a say and a stake in the overall cybersecurity effort.

Security leaders will also benefit from the rest of the C-suite's input and support on which cybersecurity standards take precedence in the organization's policies. A united front also protects against unwarranted criticism from regulators and other entities.

2. Build Networks With Other CISOs — Even Outside the Health Care Industry

Sharing information on both threats and cybersecurity fixes is one of the fastest and most efficient ways to build and maintain an effective cybersecurity effort. Security professionals in other industries hold valuable threat intelligence as well, so these exchanges need not stay within the health care sphere. Other sectors with widely adopted security standards can also serve as models for your organization's own framework.

3. Map Business Processes

By mapping business processes, you can see more clearly where unaddressed complexities and bottlenecks lie. That shows where IT systems need tweaking and which vulnerabilities need addressing, and it helps the CISO decide which areas the security standards must cover.

4. Outline Human-to-Process and Human-to-Human Relationships

Mapping relationships means looking at behavior patterns. Establish a baseline of normal individual behavior within work processes, and abnormal behavior, which often signals a security threat, becomes far easier to distinguish. Behavioral analytics tooling can do much of this baselining and deviation-spotting quickly and accurately.

Although this process may seem tedious, it helps CISOs understand where the greatest vulnerabilities lie, what threats they may have to plan for and which areas require the most attention when setting up security standards.
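The baseline-then-deviation idea in the tip above, carried through on EHR chart-access audit events, as an added example that is not part of the original article or of any particular vendor's product. The log line format, the clinician names and the eight days of access counts are constructed for the example; the thresholds (seven baseline days, three standard deviations, a minimum excess of three charts) are assumptions a real deployment would tune per role and unit.

```python
"""Per-user access baseline over constructed EHR audit events (added example)."""
import re
import statistics
from collections import defaultdict
from datetime import date, timedelta

# Assumed line format for the constructed sample; not a real vendor's audit schema.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)


def make_sample_log():
    """Constructed sample: two clinicians over eight days.

    nurse01 views five or six charts a day for a week, then 40 on day eight
    (the kind of spike a bulk record pull would produce). nurse02 is steady.
    """
    start = date(2023, 3, 1)
    charts_per_day = {
        "nurse01": [5, 5, 6, 5, 5, 6, 5, 40],
        "nurse02": [6, 7, 6, 8, 7, 6, 7, 7],
    }
    lines = []
    for user, counts in charts_per_day.items():
        for day_idx, n in enumerate(counts):
            d = start + timedelta(days=day_idx)
            for i in range(n):
                ts = f"{d.isoformat()}T{8 + i // 4:02d}:{(i * 7) % 60:02d}:00"
                # Patient ids are distinct within a day, so each line is one chart.
                lines.append(
                    f"{ts} user={user} action=view patient=P{day_idx * 100 + i:04d}"
                )
    return lines


def parse_events(lines):
    """Parse log lines; lines that do not match are counted, not silently dropped."""
    events, malformed = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            malformed += 1
            continue
        events.append(
            {
                "day": date.fromisoformat(m["ts"][:10]),
                "user": m["user"],
                "action": m["action"],
                "patient": m["patient"],
            }
        )
    return events, malformed


def daily_distinct_patients(events):
    """{user: {day: number of distinct patient charts touched that day}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for e in events:
        seen[e["user"]][e["day"]].add(e["patient"])
    return {u: {d: len(p) for d, p in days.items()} for u, days in seen.items()}


def detect_anomalies(lines, baseline_days=7, z=3.0, min_excess=3):
    """Flag days whose chart count exceeds the user's own baseline.

    The first `baseline_days` observed days per user form the baseline; later
    days are flagged when count > mean + max(z * stdev, min_excess). The
    min_excess floor stops a near-constant baseline (stdev close to 0) from
    flagging a +1 day. Returns [(user, day_iso, count, baseline_mean)], sorted.
    """
    events, _ = parse_events(lines)
    flagged = []
    for user, per_day in daily_distinct_patients(events).items():
        days = sorted(per_day)
        if len(days) <= baseline_days:
            continue  # not enough history to score anything for this user
        base = [per_day[d] for d in days[:baseline_days]]
        mean = statistics.fmean(base)
        stdev = statistics.pstdev(base)
        threshold = mean + max(z * stdev, min_excess)
        for d in days[baseline_days:]:
            if per_day[d] > threshold:
                flagged.append((user, d.isoformat(), per_day[d], round(mean, 2)))
    return sorted(flagged)


if __name__ == "__main__":
    for user, day, count, mean in detect_anomalies(make_sample_log()):
        print(f"{day} {user}: {count} distinct charts (baseline mean {mean})")
```

Scoring each user against their own history is the point: a 40-chart day is normal for a records clerk and alarming for a floor nurse, so a single global threshold would either miss the spike or bury the analyst in false positives. Baselining by role, unit and shift, and adding signals such as access to patients outside the user's assigned unit, are the natural next steps.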

In short, become more intimate with how your organization works, why it operates that way and where it hopes to go. Once you know that, spotting threats becomes easier and your path forward in building a stalwart cybersecurity framework becomes far more clear.



About The Author

Pam Baker

Freelance Writer

Pam Baker is an award-winning freelance journalist based in Georgia. Her published credits number in the thousands, including books, e-books, e-briefs, white papers, industry analysis reports and articles in leading publications, including Institutional Investor, CIO, Fierce Markets and InformationWeek, among many others. Her latest book, "Data Divination: Big Data Strategies," has been met with rave reviews, was featured in a prestigious National Press Club event, is recommended by the U.S. Chamber of Commerce for business executives and is currently being used as a textbook in both business and tech schools in universities around the world. Baker is a "big-picturist," meaning she enjoys writing on topics that overlap and interact, such as technology and business. Her fans regularly follow her work in science, technology, business and finance.
