There are many actionable items and methods a CISO can use to minimize risk in the healthcare industry. After all, there are all kinds of tools, project management resources, and resource management solutions that can help keep businesses in order and safe. However, there just a few areas in which action should be taken.
As simple as it might sound, having radical transparency within the security department is a must. Where security operations may fall short is when the department does not know what they really do for the company and/or organization.
Setting a clear tone, mission, and overall open doors (within reason) of the overall objectives would help check egos, false impressions, and roadblocks from negatively affecting operations.
I have seen both small and big companies suffer from these issues. The same questions always arise: “What do they really do here?” and “Why are they even here?”
They create high amounts of toxicities, all of which can separate teams and cause cross-department tension.
The observation can be made that smaller companies are better at this than bigger companies because the former do not have the time and/or overall money/energy to spend dealing with this. In small-to-mid-sized companies, the tone of “either you know it or you do not” is strong, and no one has time for egos to get in the way.
Bigger companies have layers that just get in the way, and sometimes, no one knows what each other really does. Establishing pillars for focus areas expertise and running them in parallel with the overall arching mission of “protecting this home” helps to shed light on all the areas of information security.
CISOs need to understand and really understand from a topical and technical level how their environments work and function with their organizations’ line of business.
Cyber thieves have their eyes set on not only the information they can obtain but also the value of obtaining the information along with what they can do with it. Selling the information is a byproduct of stealing the information; causing the pain and damage by using the information is the root agenda.
CISOs might want to implement not only multiple secure layers but also adhere to different rules and regulations such as HIPAA to ensure most of their organizations’ bases are covered.
So, what can be done?
From a leadership point of view, I say knock down the walls, open up the floors, and get out of your offices as much as you can.
I understand there might be certain areas like incident response and digital forensics that might not be able to do so easily. However, implementing into action the above advice would go miles. General McChrystal did this approach when he was head of Special Operations in Iraq/Afghanistan; his actions prove that even working in some of the most secret and high-tempo industries, implementing transparency can help drive better performance.
This “no BS and no one hides” approach regardless of rank or title helps bring issues, concerns, and projects to the forefront and helps to quickly address anything that needs to be handled.
From a technical point of view, it’s useful to consider adopting different tools that would monitor the interactions of doctors and other professionals regarding their access to PHI/PII. Using multiple layers of security stacked upon multi-factor authentication would also provide a deeper, more secure platform of operations.
Adopting a mixture of the above would provide any CISO with a great opportunity to be ahead of the power curb and be ready to respond to any unknown security threat. Applying these elements in a unified manner will help shed some light on the moving target to ensure adjustments can be made, measured, and marked for success.