CIOs and CISOs share insights on strategic collaboration
At the University of Vermont Health Network, IT and security leaders try to de-emphasize a top-down approach in favor of collaboration between the health system, individual hospitals and its affiliates.
"We’re a relatively new health network, and the reporting relationships have continued to change and develop over the last several years," said CIO Adam Buckley, MD, who reports to the CEO. "There have been various times of direct or indirect reporting to the C-suite. It is transitioning to whatever feels right to the affiliates."
The same goes for the CISO post.
"The role has grown and changed as the organization has grown and changed," University of Vermont Health Network's Chief Information Security Officer Heather Roszkowski said. "When I first came onboard, my reporting structure was different and what was right for the organization at that time. But as security has changed in priority, the reporting structure has changed."
Buckley attends board meetings and said it is incumbent on him to articulate to the board and the C-suite the significance of the security risk the health system faces, the enormity of the task of securing information, and the difficult work the teams of employees are doing to make data secure.
"I am the constant nagging on security at the highest level," Buckley said. "I have more of a focus on that than people might think because the loss of patient data really resonates with me. I bring in Heather when we need to drive the point home or talk about specific initiatives or risks."
Chief responsibilities
Both the CIO and the CISO have duties necessary to keep the whole C-suite informed and engaged — not to mention maintaining network infrastructure uptime and information security.
"The leaders of technology and security need to bring transformational solutions that help the organization move forward in a thriving way against some pretty huge challenges," CHIME’s Russ Branzell said. "Part of it is informational: a CIO or a CISO has a duty of education. The primary role is to be a partner in solving the big executive-level problems in an organization, be part of the executive team."
CIO Randy Gaboriault at Christiana Care Health System offers an example of how he and his CISO Anahi Santiago work together to solve problems at the C-suite level.
"Organizations can have an insatiable appetite to add resources because there is so much demand, and a challenge we have is that we do multiple levels of diligence around incremental head count to be added," he said. "We had put in for a couple of additional heads for security. There is a multidisciplinary committee reviewing the request write-ups, and they ended up first-round declining the security additions. We had to fit the request into a single-page format, and they probably figured, 'Hey, security is in some way working.'"
CISO Santiago was first to receive the news of the decline, late in the day on a recent Friday.
"She e-mailed me: ‘Sorry to give bad news,’" Gaboriault said. "By Tuesday morning it was resolved. I had asked Anahi for additional supporting information; I had a conversation with the CFO about it, putting things right into context; and 15 minutes after that I had an e-mail back to Anahi. It was all about reframing the request."
Working as a group
Reframing a request to the C-level might be as simple as showing how that request fits the mission of the organization. Ultimately, a C-suite works together to fulfill the mission of the business.
All executives with a C-level title should be working together toward the mission, said Mansur Hasib, program chair for cybersecurity technology at the Graduate School at the University of Maryland University College and author of the books “Cybersecurity Leadership” and “The Impact of Security Culture on Security Compliance.”
"Say a healthcare organization decides to establish relationships with all of the HIV-positive individuals in Baltimore, that is the strategic objective," Hasib said. "The C-level officers should be sitting together and offering each perspective on how to achieve this particular goal. The CIO might say, ‘OK, to do this we need to have a webinar, and we might need connections with the mayor’s office and maybe the state department of health.’ Another officer could say, ‘We need to put some ads in the newspaper,’ and someone else might say, ‘We need some town halls because consumers do not have technology for webinars, and further, maybe some door-to-door canvassing.’"
The different C-level officers fill in the blanks on what it would take to make such things happen, narrowing things down and prioritizing those strategies where they believe they can get a big bang for the buck, Hasib said.
"This is what is called 'strategic leadership collaboration,'" Hasib said. "It's all focused on the objective."
CIO-less organizations
What about managers or directors of IT or security at mid-sized or smaller healthcare organizations where there is no CIO or CISO? CIOs, CISOs and healthcare experts say these managers need to report to a senior administrator of some type, one who can fairly represent the needs of IT and security at the executive level.
"When you get to organizations without CIOs or CISOs, it’s usually about the breadth and skill of that organization," Branzell said. "Then IT or security needs to report to an administrator, and the success of that depends on the individual administrator. There are just as many bad examples as good. If that person is not an advocate at that senior level and helping the person at the highest level of IT get their job done, then that is not a good relationship."
IT or security executives at organizations without CIOs or CISOs can use any number of tactics to make the case for that C-title.
Caplin of Fairview Health Services, for instance, suggested surveying peers.
"It’s a great opportunity to benchmark," Caplin said. "Boards care about that. A security executive can reach out to the C-suite and board and point out survey results that show all of the organization's peers have a CISO title, and ask, ‘Why aren’t we there?’ And add when we have a breach ― not if but when ― when we have this problem and the regulatory authorities start looking at how we are meeting our HIPAA requirements, the authorities will ask that question about security of someone in authority."
Another tip is to keep a watchful eye on what happens at the Department of Health and Human Services. If the legislation passes and the department elevates its CISO to a top-level position, there may be lessons that healthcare organizations of all sizes can learn from in the days ahead.
Associate Editor Jessica Davis and Editor-in-Chief Tom Sullivan contributed to this report.
Twitter: @SiwickiHealthIT
Email the writer: bill.siwicki@himssmedia.com