Top healthcare CISOs hard to come by

Attitudes, requirements in healthcare security rapidly changing
By Evan Schuman, Contributing Writer

There's a little bit of good news in the healthcare IT arena: CEOs and CIOs are quickly moving to make hiring chief information security officers a top priority.

The position, which has to somehow get a handle on privacy, compliance and traditional security issues, is in high demand as industry and government requirements increase for data sharing between patients and doctors, from hospital to hospital, with government agencies, labs and insurance companies. Add mobile devices to the mix, and the security/privacy/compliance headaches for CIOs are about to get more painful.

That's why it's just a little bit of good news. It's also coupled with some bad news for CIOs and HR execs, the folk who have to make these hires. Healthcare CISOs are hard to come by – and expensive.

Much of the reason for that is healthcare's relative lack of security interest for many years, which means today the industry lacks homegrown healthcare security IT execs who have enough of the germane capability: IT management, security management and healthcare industry experience.

[See also: Where will HIT security be in 3 years?]

Attitudes about security change

Bert Reese, the CIO of the 125-year-old 12-hospital $5.6 billion Sentara healthcare enterprise, said his vision of what a CISO should do has morphed sharply since December 2013 when he hired his current CISO, Kathy Jobes.

"My thinking has changed since the arrival of Kathy. Before, I thought it as more of the traditional role. I didn't know what I didn't know," Reese said. He now sees it as changing the whole security culture, impacting every element of the enterprise.

For many healthcare operations, he said, applications have had terrific functionality but security was rarely a priority, at least with major application developers.

"The (application) security function never matured," Reese said. "Today, we literally run 1,000 different applications to support the enterprise. Choreographing them into a truly secure architecture is, to say the least, entertaining."

Making matters yet more challenging for CISOs, he added, is that large healthcare enterprises are often seen as soft targets for cyber thieves, foreign espionage agents and saboteurs.

"We see about a million hits a day from China alone, trying to break into our network," Reese said, speculating that the attackers want to access standard corporate applications – such as ERP – so they can figure out the coding and then use it to attack more lucrative, but better secured, targets such as financial, retail, aerospace or manufacturing corporations.

[See also: How Kaiser does privacy and security.]

Hire from within, or tap other industries?

To get the talent needed, some argue that healthcare CIOs must abandon insisting on healthcare experience, opting instead to hire an experienced CISO from another industry and then training that executive in healthcare issues. It's the price that healthcare execs must pay, said healthcare IT recruiter Judy Kirby, for having ignored security for too long.

"It's not something that in the past was very important to us. When your data wasn't online, the risks were minimal," said Kirby, who has run Kirby Partners since 1994. "Healthcare has lagged behind financial institutions and now they have to play catch-up. Because we didn't need them in the past, we didn't grow them. We don't have internal ones that could easily promote. You then have to go outside of healthcare and then teach them healthcare."

But another veteran healthcare IT recruiter, Rich Miller, Senior VP for B.E. Smith, Inc., argues that CIOs are better served by staying within healthcare IT, but training the hired executive in security.

Miller's argument is that a talented healthcare IT executive – one who has already demonstrated persuasive and communication skills – is the much better place to start. "A proven healthcare information leader can quickly become a proven information technology security leader," Miller said. "Any IT leader could ascend into this role, as long as it's a proven leader with great leadership potential. I'm a strong advocate of looking within to identify the future CISOs."

One of Miller's concerns is that recruiting talented execs from other industries – and certainly from healthcare competitors – is too expensive.

"The CISOs that are good are well-taken-care-of and not interested in making a move," he said.

One key issue in recruiting a CISO may explain why seemingly contradictory advice is not necessarily contradictory. The definition, duties and responsibilities of CISOs vary, so a lot depends on what you need/want this executive to do. For some businesses outside of healthcare, a CISO is truly a security officer, overseeing a team of cryptographers, programmers and other security specialists whose sole job is to protect the company against brute-force attacks and from internal threats.

Healthcare needs are complex

Most gravitate toward the idea that healthcare CISOs have far more complex jobs, including diplomatic skills (rarely one of the better tools in the arsenal of the traditional security chief). Why diplomacy? How else to convince doctor offices and dozens of other kinds of data partners to upgrade their own security before connecting to your network? And by "their own security," that doesn't merely mean firewalls and encryption of data in transit.

If the data is printed and a copy is left in the waiting room, or office staff speak of the confidential data loudly enough to be overheard by other patients, that information can leak out just as easily as from an unsecured data port. If that data had been given only to the hospital staff and it somehow finds its way to an unauthorized data broker or a cyber thief, the hospital – the "deep pocket," in legal parlance – will get the blame. It doesn't matter if the leak was caused by incompetent behavior from people you can't control.

Finding the right CISO

Although healthcare operations want to hire the best talent for such a sensitive and important role, more than one healthcare IT exec has wondered whether they are being unrealistically picky.

Shafiq Rab is not only the VP/CIO at the Hackensack University Medical Center but also a physician. He's also in the middle of a search for a CISO. Rab is the first to admit that this search is challenging.

"Are our standards too high? We want the ideal candidate to have so many attributes," Rab said. "This position has to be visible at the CEO level and also visible to the board. Is this a policy person? Education? Technical? Anybody who's very good is already employed."

Rab places himself in the lack-of-healthcare-experience-is-not-a-deal-breaker category. "Healthcare is important, but we're not that unique in information technology. Qualified people are few. Are they savvy enough to sell it? Do they have that balance between business and security? Can they deliver consensus by begging?"

One of the more sensitive issues with any hiring position is compensation, that delicate corporate dance between paying too much and not enough.

Declining to name a targeted CISO annual salary figure beyond "more than $200,000," Rab said that his management is very good at understanding the value – the ROI – of the position. "We're very empirical people: We counted the number of bad things that could happen to us" if the CISO duties weren't properly performed and how much such bad things would cost the hospital, he said.

Training CISOs for healthcare

The College for Healthcare Information Management Executives considers the situation dire enough that it's creating a program solely intended to help train and prepare CISOs. George McCulloch, the CHIME executive VP for membership and professional development, said that CISOs are not only important roles, but their jurisdictions right now are borderline untenable.

"Healthcare is a highly-regulated organization whose technical infrastructure continues to evolve," McCulloch said. "How can a person know and do all of that?"

Beyond security, the challenge is still handling the data once it leaves the hospital's hopefully secure network, as well as deciding how and when to share information.

"What kinds of clinical information should anybody be able to see?" McCulloch asked, illustrating the challenge by referencing an 18-year-old patient who is on his/her parents' insurance and whose non-covered medical expenses are also paid by those parents. "What are the rights of a parent to see that information? And what do we do about certain especially sensitive test results, such as blood tests for potential HIV, DNA or psychiatric records? What should my treating physician know about it?"

A big part of this quasi-IT challenge is that the very nature of electronic records makes it so much easier to share far more data. In turn, that forces more decisions about what and when to share – along with a list of exceptions to deal with the inevitable unusual situation.

"I can now know an awful lot about you," McCulloch said. "A DNA test might hint at what diseases you might eventually contract. Should it go to the insurance company? Health exchanges? Other providers?"

Hackensack's Rab added that new government requirements are forcing some of those new decisions and policies. "The good government wants us to share information with everybody, but they also want to audit and fine everybody if something bad happens," Rab said.