Source: Selecting The Right CISO, HIMSS 2015 conference handout, s3.amazonaws.com/rdcms-himss/files/production/public/2015Conference/handouts/31.pdf


Page 1

Selecting The Right CISO

April 13, 2015

Mac McMillan

Chair, HIMSS Privacy & Security Task Force

DISCLAIMER: The views and opinions expressed in this presentation are those of the author and do not necessarily represent official policy or position of HIMSS.

Heather Roszkowski

CISO, The University of Vermont Medical Center

Page 2

Conflict of Interest

Mac McMillan, MA

Heather Roszkowski, MSIA

No real or apparent conflicts of interest to report.

© HIMSS 2015

Page 3

Learning Objectives

1. Assess current operational and threat environment factors that inform the working knowledge that CISOs must possess to succeed in Healthcare
2. Identify the required skills, knowledge and experience healthcare information security officers need today
3. Explain how to build the critical structures and a supportive ecosystem to enable a successful information security program
4. Develop the knowledge to recruit, select and fill key information security positions with the right candidates

Page 4

Understanding the Value of the CISO

Figure: value diagram with the labels Greater Confidence, Trust & Patient Safety; Operational Savings; Patient, Provider, Staff Satisfaction; Quality & Safety; E3 Reliable; Data Prevention; Patient Education.

Source: An Introduction to the Benefits Realized for the Value of Health IT

Page 5

Agenda

• Your Cheese Has Moved

• Professional Skills

• Personal Skills

• Environmental Factors

• Q&A

Page 6

Polling Question

Is security in your organization perceived as:

A. A top priority

B. Somewhat a priority

C. A lesser priority

D. Not a priority

Page 7

Your Cheese Has Moved

Understanding The Importance of The Professional CISO

Page 8

Security Challenges Are Increasing

• Insider threats

• Supply chain risks

• Medical device insecurity

• Malware & advanced persistent threats

• Mobile devices & mobile apps

• ID theft & fraud

• Physical theft & loss

• Emerging threats

Page 9

Security Incidents Are Costing Us More

• Discovery, Notification & Response

• Business Disruption

• ID Theft Monitoring

• Investigation/Review

• Civil Penalties

• Federal CAP/RA

• State Actions

• Law Suit Defense

• Criminal Penalties

• Insurance

• Degradation of Brand/Image

• Distraction of Staff

• VBP Payments Impacts

• HCAPPS Score Impacts

• Patient Confidence/Loyalty

• Physician Alignment/Nurses and Staff Agreement

Page 10

The Threat Has Evolved

• 4M medical records maintained on four workstations

• Physician loses laptop with psychiatric patients’ records

• Neurologic institute accidentally emails 10,000 patient records to 200 patients

• Phishing/hacking nets nearly $3M from six healthcare entities

• University reports laptop with patient information stolen out of student’s car

• Printers returned to leasing company compromise thousands of patient records

• Portable electronic device with patient data stolen from hospital

• 2200 physicians victims of ID theft/tax fraud

• Vendor sends 800 letters with patient information to the wrong addresses

• Vendor sells hospital’s X-rays (films) to third party

• 400 hospitals’ billings delayed as clearinghouse hit with ransomware

• Resident loses track of USB with over 500 orthopedic patients’ information

• APT causes major breach, 4.5M patient records stolen

• Physician robbed at gunpoint, threatened for passwords

• State sponsored foreign hackers attack, 80M identities stolen

Page 11

Increased Reliance & Hyper Connectivity

• Today’s CISO has to understand business needs

• Must have security expertise to match the cyber threats and business demand

• Understanding HIPAA is not enough in today’s modern health IT environment

• It’s not about compliance, it’s about assurance

Figure: connectivity diagram with the labels Big Data, Physician Alignment, BYOD, Patient Engagement, Supply Chain, HIEs, MU, Ingestibles, BAs, ACOs, Research.

Page 12

Polling Question

Do you have a dedicated security position, CISO, for your org?

• Yes

• No

Page 13

Yet, We Still Suffer From Insufficient Resources

• In 2014 HIMSS study HC CISOs gave themselves an average maturity rating of 4.35 on a scale of 1-7

• Many reported missing critical technologies to fight today’s threats

• More than half of healthcare entities spend less than 3% of their IT budget on data protection

• Less than half have a full time CISO or information security manager

• Many healthcare security managers are first timers

6th Annual HIMSS Security Survey. Feb. 2014.

Page 14

Professional Skills

Page 15

Program Vision

Risk Management • Defining an integrated risk management approach that is right for the business.

Promoting Governance • Understanding the right information to report to the right body to promote oversight support for the program.

Appropriate Policies • Effectively crafting and communicating policies that support the business operations and goals.

Creating Structure • Ability to develop and implement the right security framework to address all laws, regulations, standards, etc. that apply to the business.

Creating Accountability • Establishing a culture of privacy and security that is aligned with the business.

Achieving Compliance • Ensuring that compliance is an important side benefit of effectively securing the business and its data.

Page 16

Addressing Risk

Contingency Planning • Effectively lead development of an actionable disaster recovery and continuity program with business owners.

Handling Incidents • Implement proactive measures to identify, investigate, document and communicate potential and real breaches.

Being Responsible • Promote and assist in auditing controls and processes to ensure effectiveness and integrity.

Know Yourself • Ensure appropriate due diligence by facilitating on-going mitigation of risk through regular and periodic assessment.

Know Your Enemy • Understand what threats concern the business and monitor proactively for signs or indications of their presence.

Analyze Information • Analyze info from incidents, logs, assessments, processes, workflows, etc. to identify threats and to inform selection/implementation of controls.

Page 17

Managing Others

Vendor Management • Develop and implement processes to assess life cycle risks associated with external service providers, consultants and partners.

System Selection • Identify requirements and establish processes for timely assessment of new technology.

Mergers & Acquisitions • Assess risks to support due diligence negotiations and educated incorporation of assets.

Setting Expectations • Set service level agreements that guide program outcomes and service expectations for stakeholders.

Resource Planning • Develop, defend and implement budget and resource planning that solicits key stakeholder inputs and priorities.

Security Advocates • Select and foster key individuals throughout the organization to act as security advocates; use them to provide value to ongoing security initiatives.

Page 18

Personal Skills

Page 19

Are Certifications Important?

Figure labels: Knowledge, Credibility, Value, Experience.

Basic Learning • Certain certifications represent a starting point in determining some formal knowledge of security principles and practices.

Advanced Learning • Other certifications demonstrate specialization in a particular security discipline or focus and depth of knowledge.

The Right Certification • When selecting an ISO, certifications that demonstrate more practical knowledge of managing security, like the CISM, are more valuable, as are other certifications that show a broader experience (e.g. PMP, CHP or CISA).

Most Important • There is no replacement for experience, which is far more important than certifications. Certifications say “they should know how to do it”; experience says “they have done it”.

Page 20

Polling Question

Where or to whom does your CISO report?

A. CEO/COO

B. CFO

C. CIO

D. General Counsel

E. Compliance

Page 21

Find People Who Can Create Success

Information • People like to know what is happening and why. Provide updates often, synthesize essential points and deliver in concise messages.

Alignment • Look at security from the customer’s point of view; if you are perceived as understanding their plight/goals they are more apt to listen.

Appropriateness • Apply security realistically, keep it simple when possible, so when hard decisions are necessary they’ll be more supportive.

Service • Remember the business does not exist for security; security exists because of the business. Your job is to serve, to enable.

Page 22

Building A Supportive Ecosystem

Page 23

Many Different Models

CISOs have been found in many different organizations within Healthcare entities. The majority are found in Information Technology, followed by Compliance, Finance, Legal, and occasionally a few others.

Chart categories: Information Technology, Compliance, Finance, Legal, Other.

Page 24

Does Placement Matter?

• CISO is CIO

• CISO reports to CIO

• CISO layers below CIO

Page 25

In Healthcare 90% Report to CIO

• Pros:

– Access to executive leadership

– “C” level skills & org awareness

– Easier to make IT change to promote security

– Increases influence for CIO

• Cons:

– IS oversight is limited

– May detract CIO attention from other priorities

– Conflicts of interest

– Loss of full organizational access

Page 26

Polling Question

Do you feel security has enough visibility in the org?

• Yes

• No

Page 27

It’s As Much About Who As It Is Where

• Short answer: CISOs have been equally successful and unsuccessful in nearly all organizational structures.

• The keys to success or failure include ability of the person, level of visibility and real support for the program, the position and the person.

• The executive team should be regularly briefed by the CISO.

“When the board took an interest in the program, things changed, resources started coming.”

Page 28

Program Management

Leadership • The CISO needs to be able to create vision, influence others and motivate the organization to follow.

Relationship Building • Effectively create alliances by assisting others. Giving support is how you get support.

Articulating Threat • Effectively explaining risk to the business, not just to systems and data, is critical to being relevant and heard.

Healthcare Acumen • Hospital Executives expect CISOs to be able to relate security requirements to the mission of providing safety and care.

Planning Ahead • Planning enables communication of priorities, budget defense, identifying objectives and measurement.

Human Nature • Understanding human behavior is critical to understanding the most volatile element in security…people.

Page 29

Building Collaboration

Effective Relationships • Proactively working security issues with key stakeholders: Compliance, Legal, Internal Audit, etc.

Communicate Status • Establish regular reporting of performance, business accomplishments and maturity of program.

Representation • Establish relationships with external agencies, law enforcement and others that can provide valuable threat information and support.

Collegiality • Demonstrate the presence and maturity to work effectively on teams, committees, boards, etc. to secure support for security.

Page 30

Other Factors

Know the Limits • The organization (and the CISO) need to know what tools are better managed internally vs. externally.

How To Say ‘Yes’ • It is important for the security team to help find a way to say ‘yes’ but not be afraid to say ‘no.’

Establish Security Council • The council can help prioritize initiatives and champion changes.

Predictability • Build predictable processes to deal with unpredictable circumstances.

Impact • Know and understand the impact that implementing security tools has on the customer and, more importantly, the patient.

Patient Safety • Poor information security can put the patient at risk.

Page 31

Recruiting For Success

Page 32

Healthcare Needs CISOs That…

• Are leaders

• Possess business acumen

• Are comfortable managing risk

• Embrace enablement

• Think strategically, act tactically

• Are effective communicators

• Are able to drive process

• Understand and apply psychology/sociology

• Are politically savvy

• Know privacy & security

• Possess endless curiosity

Page 33

Multiple Benefits Accrue From Having a Qualified Dedicated CISO

• Savings

• Satisfaction

• Quality & Safety

• Reliability

• Prevention

• Education

Figure labels: Qualified CISO; Greater Confidence, Trust & Patient Safety.

Page 34

Questions

• Mac McMillan • [email protected] • 512.402.8555 • @mmcmillan07

• Heather Roszkowski • [email protected] • 802.847.8100