Healthcare information security

Security Leaders in Healthcare

September 29, 2016


The healthcare industry was the number one target for cyber-attacks in 2015, the number of attacks even surpassing those directed at financial organizations. With the number of attacks on healthcare predicted to rise even more, the role of security leaders in the industry, particularly that of the CMIO, has come under the spotlight.

Implementing HIPAA Controls

Learn how to protect ePHI from unauthorized use and disclosure, and how to help employees stay compliant with HIPAA rules.

Traditionally tasked with helping hospitals support the adoption and implementation of health technologies, CMIOs (and/or CIOs, CTOs and CISOs) these days are required to be internet security (IS) experts as well as medical professionals.

Let’s take a look at the role of security leaders in healthcare today. We’ll touch on the cybercrime wave against healthcare organizations in recent years and posit some reasons the industry has been singled out by criminals, including failed leadership, lack of education and awareness, and vulnerable networks.

What Does a CMIO do?

A CMIO is usually a practicing physician with a core understanding of, if not formal training in, technology and informatics. According to the U.S. Department of Health and Human Services (HHS), “Because the field of health informatics is still developing, a CMIO’s duties may vary from one organization to the next. However, most CMIOs are practicing physicians or IT professionals with specialized training, and their responsibilities reflect their dual areas of expertise.” The CMIO’s duties are to:


A quick search of CMIO jobs advertised on the Internet shows that a suitably qualified CMIO wears many hats, but expertise in cybercrime is not one of them. IT security commentator Mansur Hasib, in an article on the InformationWeek website, commented that “the problem [that results in data breaches] is that too many healthcare and other organizations implement cyber-security at the end of the development cycle, not at the beginning; they do not bake cyber-security into all their business and development processes. They also tend to view the cost of cyber-security as an unnecessary evil instead of a vital component of their business strategy. It is a failure of corporate leadership and governance—not technology.”

It could be argued that healthcare organizations employing medical information officers should insist that applicants have demonstrable experience and/or knowledge of cybercrime, rather than learning about it on the job.


Healthcare Security Leaders’ Salaries

According to PayScale, a CMO earns an average salary of $277,803 per year. Pay for this job does not change much with experience; the most experienced earn only a little more. The website lists the skills most often required by recruiters and organizations hiring a CMO, together with the effect each skill has on pay. The list below indicates how a particular skill may affect an applicant’s salary:


Job Titles and the Changing Role of the CMIO

A CMIO essentially serves as the bridge between medical and IT departments at a health care organization.

SSi-Search, an executive recruitment firm for the healthcare industry, has published some interesting figures on to whom a CMIO should report. In a survey by SSi-Search, half of the respondents said that a CMIO should report to the CMO or the CEO, but half of the CIOs queried believed a CMIO should report to them.

Why does this matter? Are these respondents just jostling for leadership? To whom should the CMIO report for the best results with regard to internet security in healthcare?

Samantha Burch, senior director of congressional affairs at the Healthcare Information and Management Systems Society (HIMSS), says studies show that organizations in which the CISO reported to the CIO experienced 14 percent more downtime due to cyber-security incidents than organizations in which the CISO reported to the CEO. Organizations in which the CISO reported to the CIO also reported financial losses 46 percent higher than those in which the CISO reported to the CEO.


John D. Halamka, MD, MS, is the CIO of Beth Israel Deaconess Medical Center. Although his business cards describe him as a CIO, in 1998 he was given the title CMIO. In reality, he works as a CIO, CISO, CMIO and CTO.

“Whom should the CMIO report to?  Choices include the CIO, the CMO, the COO, the CEO, or some governance group, i.e., the Medical Executive Committee. Every organization is different and the reporting relationship should be a function of where the CMIO can have the greatest impact, visibility, and support.”

Researchers at the US National Library of Medicine say the chief clinical informatics officer (CCIO) role has not been well defined, nor has it been derived from a clear set of expectations, skill sets, or educational standards. Their research found the operational role of the CCIO to be heterogeneous, with individuals coming from a variety of clinical settings and backgrounds. They found that, in the real world, the title encompassed the more commonly used terms CMIO, chief nursing informatics officer (CNIO), chief pharmacy informatics officer (CPIO) and chief dental informatics officer (CDIO). The term CHIO was sometimes used synonymously with CCIO, although a CCIO might also report to a CHIO for overall supervision.

The title of the medical information officer role often changes in line with new business strategies. When building its Center for Informatics and Analytics, the University of Mississippi Medical Center reinvented itself as a knowledge-driven health system. One of the changes it made was to the title of John Showalter, MD, from CMIO to chief health information officer (CHIO). "The CHIO position here is really much more focused on analytics and driving institutional return on investment from our clinical IT. When I was the CMIO, I was much more focused on adoption and usability for the clinicians."

Aligning Business and Security Needs

Collaboration between leaders may be the first step in securing healthcare networks and protecting patients’ confidential medical records. Paul Connelly, CISO of Hospital Corporation of America, and Dave Levin, M.D., chief medical officer at Sansoro Health and previously CMIO for the Cleveland Clinic Health System, emphasize the need for collaboration between healthcare leaders to meet the needs of the business and mitigate cyber-attacks.

“The view of the CMIO is to find a way to maximize the value of clinical IT at a time when medical systems and data are in the crosshairs,” Levin said.

“The CISO view is to look at this from the perspective of how to keep systems safe to protect your patients when there are organizations with many non-secure legacy systems and threats and the access and dissemination of data is growing exponentially,” Connelly said.

Do Healthcare Organizations Need Dedicated Security Leaders?

Healthcare is particularly lucrative for cybercriminals because it presents an opportunity to steal multiple types of sensitive information, including personal, medical, and financial, in one attack. Credit card and Social Security numbers sell on the black market for about $1 each; medical records can fetch up to $75 each.

The sector is also an appealing target for cybercriminals because the industry’s approach to cyber-security is often behind the times. A Sophos survey of National Health Service (NHS) organizations in the UK found that encryption was “well established” in just 10 percent of them. In another survey across multiple industries in six countries, Sophos found that the healthcare sector had one of the lowest rates of data encryption, with only 31 percent of healthcare organizations reporting extensive use of encryption, while 20 percent said they don’t use encryption at all. Legacy systems are particularly vulnerable and, once again, the problem may well lie with leaders who don’t understand quite how tech-savvy the modern criminal is in cyberspace.

The future might see the emergence of a new role: Chief Medical Security Information Officer (CMSIO).

The Failure of Leadership in IS (Internet Security)

A 2015 Guardian roundtable initiative in the UK invited cyber-security experts to discuss how best to protect the UK’s critical networks and businesses from cyber-attacks. “Many leaders probably started their careers when their business was paper-based, and in their minds that’s how the business still works. They don’t realize how IT has transformed their business … Therefore, when chief executives make decisions on whether to invest in cyber-security, they have no instinct for it,” commented one of the panel members. In addition, as healthcare organizations are run as businesses, security is seen by old-school leadership as an unnecessary cost that eats into profits.

The leadership problem was again highlighted during a U.S. House Energy and Commerce Subcommittee on Health hearing at which healthcare leaders and security experts testified in support of proposed legislation to empower the CISO at HHS. Mac McMillan, a healthcare IT security expert and CEO of CynergisTek Consulting, said, “What most healthcare organizations suffer from most today is a lack of leadership.” He proposed that the best way to address the situation would be to create a cyber-security leadership post, and to do that by elevating the CISO position.

How Can Healthcare Security Leaders Mitigate Cyber-Attacks?


The new breed of dedicated IS leaders in healthcare, such as CISOs and CMIOs, can ward off attacks in a number of ways:


Going Forward

