How good leadership can improve cyber security outcomes
While attending the Healthcare Privacy & Security forum in Boston recently, I had the good fortune of sitting in on two presentations, one by Beth Israel Deaconess Medical Center CIO John Halamka, M.D., the other by CynergisTek CEO Mac McMillan. Both are prominent health IT experts who understand the critical need for security in healthcare.
They were not talking about technologies or methods, per se. Instead, they were focusing on leadership, an oft-overlooked facet of data breach prevention.
Halamka: More data sharing, more risk
Dr. Halamka talked about surviving as a healthcare information security leader in 2016. He offered real-world examples of what he has experienced at his hospital and how he deals with the day-to-day issues and the “fire alarms” at a health system utilizing 26 different EHRs on its network.
“You’re still as vulnerable as your most gullible employees,” he said, and that has never been truer. So, in order to survive as a security leader in this age of a possible breach a day, it is important to make security everyone’s job and foster a no-blame culture.
A security leader has to manage the compliance environment – HIPAA audits, for example – and the risk to an organization’s reputation if breached. This job isn’t for the faint of heart. Healthcare organizations are going to see more volatility as reimbursement models move from fee-for-service to value-based. Clinicians will be sharing more data across networks, which increases an organization’s risk profile. And the nature of the attacks will be more sophisticated, complex and unpredictable.
Dr. Halamka urged security leaders to, above all else, stay calm and be able to offer an “emotional evenness that is predictable and consistent.” Recognize there is a process in place for incident response, forensics and documentation. He also advised people to offer guidance and a consistent vision for security which everyone can support and understand.
Leaders should set clear mandates for what to do and in what order, as well as what not to do in certain situations. When a project runs into difficulty, the security leader should offer “air cover.” And finally, it is more important than ever for security to have a direct line of communication with the board and senior management, which, by the way, is feeling more pressure to pay closer attention to an organization’s security program as a way to evaluate the company’s overall financial stability.
McMillan: Security leaders need business acumen
Part technologist, part security expert, part psychologist, part politician, part business person, part cheerleader…that is how McMillan described a good privacy and security leader. One of his first comments was that a security leader should manage risk without owning it. Security staff should not be accountable for risk, but rather they should identify risk and objectively report it. In fact, he believes that security is so important it should be removed from the IT organization.
Expanding upon Dr. Halamka’s suggestion that the security leader should communicate with the other C-level executives, McMillan believes he or she should possess business acumen and good communication skills, as well as the ability to be “comfortable in chaos.”
In order to own the department, a security leader should be able to put a budget together and defend it. And most importantly, this person should show an appreciation for the business and translate how security supports healthcare and business initiatives, such as ACOs.
While those who would be guardians of our health data should stay apprised of known and emerging threats, these two speakers confirmed that it also takes leadership talent to motivate an organization to address those threats.
Featured Image: Design for Key Holes by Androuet du Cerceau; Maker Name: Édouard Baldus, printmaker (French, born Germany, 1813 – 1889); Type: Photographs; Medium: Heliogravure; Place Created: Paris, France; Date: 1866; Source: J. Paul Getty Museum