Security: Winning CEO Support
Summit Speakers Offer Real-World Insights
Need a bigger information security budget to keep up with the evolving threat landscape? At Information Security Media Group's June 11 Healthcare Information Security Summit in Boston, a CIO and two CISOs offered insights on how to gain buy-in from the CEO and board. And they also provided timely insights on building a culture of security.
Beth Israel Deaconess Medical Center CIO John Halamka, M.D., told the audience to remember the advice of Rahm Emanuel, mayor of Chicago and former chief of staff for President Obama: "Never let a serious crisis go to waste."
When major breaches such as those at Anthem Inc. and Target grab headlines, it's important for the CEO and board to remember that their own organization is also at potential risk for similar assaults, Halamka said.
When it comes to such mega-breaches, "the likelihood is low, but the impact high," he said. And senior leaders need to consider their tolerance for risk.
Beth Israel Deaconess' board recently raised the medical center's annual information security budget from $500,000 to $3 million, allowing Halamka, among other things, to hire five additional information security professionals, as well as to work with an outside firm to conduct periodic social engineering tests on employees to assess whether they recognize phishing emails.
But it isn't only headlines about other organizations' breaches that helped convince Beth Israel Deaconess' board that more resources were needed for information security. Also hammering home the point was the medical center's own misfortune.
A 2012 incident that involved the theft of an unencrypted laptop from a physician's office resulted in a $100,000 fine last November from the Massachusetts attorney general (see Beth Israel Deaconess Fined for Breach). The breach exposed PHI on 3,800 individuals, including brief summaries of medical information used for administrative purposes within the medical center.
"There's nothing like an AG consent agreement to get an organization moving," Halamka said.
In the Trenches
Breaches can also provide teaching opportunities for the healthcare workforce, the panelists said.
For instance, a recent phishing-related breach at Partners HealthCare System, which exposed PHI on 3,300 individuals, is also serving up lessons for that Boston-based delivery system, said Jigar Kadakia, CISO and privacy officer. Partners is "leveraging the recent incident to remind and train staff" about important patient privacy issues, Kadakia said.
Mitch Parker, CISO of Temple University Health System, said it's vital that organizations provide security and privacy training messages "that are relevant" to staff members' departments and jobs. "You need to emphasize the benefit of change," he said.
Relationship-building between a CISO and the department heads within a healthcare organization is vital to the effort to build a culture of security, Parker said. At Temple, departmental social media allows doctors to provide input about technology needs and problems, helping Parker's team to configure solutions that are secure yet meet their needs, he said.
During the summit, I also provided attendees with an overview of some key trends emerging from our 2015 Healthcare Information Security Today survey. A full report on the survey is now available.
Among the findings: For the third year in a row, improving security awareness and training was named a top information security priority.
So, what are your best tips for getting buy-in for information security funding from the top and cooperation from the troops at your organization? Share your insights in the space below.