Security experts share tips on winning support from the C-suite

Executives at Christiana and Penn Medicine have become advocates for security work. IT professionals shed light on what made that transformation work.
By Jessica Davis, Senior Editor

As cybersecurity grows increasingly important, leadership must work alongside its IT team to make the hard choices.

“Executives have become our advocates,” John Donohue, associate CIO of Technology and Infrastructure for Penn Medicine, said during the Healthcare Security Leadership Panel at the HIMSS Privacy & Security Forum in Boston on Monday.

Penn Medicine previously leaned toward convenience, but over the last 18 months the organization has made significant changes in its security model. Donohue explained, however, that because of the organization’s long lens, changing the culture becomes increasingly difficult.

“It’s been a sprint for us,” Donohue said. “In the past it’s been grassroots, but now it’s the board pushing us. Telling us to ‘behave as if you’ve been breached.’ That’s been a huge difference; that’s probably the largest change.”

For Anahi Santiago, CISO of Delaware-based Christiana Care Health System, executives have been vital when it comes to making the difficult choices. When Christiana Health decided to enact ‘downtime exercises,’ there were many groans from clinicians and providers.

“However, we have the support from executives,” Santiago said. “Education is a top priority. We’ll be focusing on organization in the coming year and within it, we’re forcing physicians to practice operations under downtime - without using any technology to simulate a downed system - to prepare when the system goes down.”

And it’s not a question of whether the systems will or will not go down - it’s a matter of when. An organization needs to be prepared for any circumstance.

“This isn’t an IT problem,” Donohue said. “There are people in the infrastructure team to make sure these security features are rolled out without issues. But you can no longer rely on a core set of folks. We now rely heavily on other teams to make sure it goes smoothly.”

“We live in a very collaborative environment; telling stories is really effective,” he added, “especially with our senior executives.”

Penn Medicine’s C-suite is trained that if something doesn’t look right in an email - don’t respond. Instead, reach out to the IT team.

“There’s a hypersensitivity in our executives; they don’t want to fall for it,” Donohue said.

And Donohue believes that mentality shift translates into a need for cyberattacks to be more sophisticated to be effective.

For Santiago, this means working with executives to craft better security plans.

“HIPAA was meant to be a baseline, a place to get you started,” she said. “But it doesn’t define what good information security is. If you’re managing risk securely, you’re effectively complying. But if your program isn’t maturing, there will always be issues.” 


 The Privacy & Security Forum is happening in Boston, Dec. 5-7, 2016. 