As cyber risks proliferate, CISO role on the rise
'I think it's getting to the point where every organization needs one'
More and more across healthcare, provider organizations are adding a new C-suite role to their rosters – or at least a new letter to the acronym of their chief security officer's title.
Chief information security officers are fast becoming de rigueur in an industry where more patient data is digitized than ever – and more under threat.
In their session at the 2015 HIMSS Annual Conference & Exhibition in Chicago, "Selecting the Right CISO and Building the Security Office," Heather Roszkowski, CISO at University of Vermont Medical Center, and Mac McMillan, CEO of CynergisTek, will help attendees gauge the threats posed to protected health information these days, and offer tips on setting up the infrastructure for a successful data security program.
Critical to this is finding the right CISO, and equipping him or her with the right tools and team. In their session, McMillan and Roszkowski will offer their perspectives on the necessary skills and experience CISOs and their staff should have, and give tips for recruiting the right candidates.
"The role of the CISO has been around for quite a while – in other industries," says McMillan. "In terms of healthcare, it's been around since before HIPAA. But it's just that it hasn't been a prominent role that healthcare has filled.
[See also: Top healthcare CISOs hard to come by.]
"Healthcare, having its own nomenclature for everything, calls for a chief security officer but it doesn't differentiate between a CSO and a CISO," he adds.
"If you go outside of healthcare, if you have what's called a true CSO, they're going to be responsible for more than just IT security – whereas a CISO is someone who's fundamentally focused on protecting information as it resides within IT systems. It's more of a technical definition."
Whether it's snooping employees or full-on cybercriminals, the dangers posed to patient data are more acute than ever.
"I've definitely seen CISO positions growing," says Roszkowski. "Some hospitals discover the need – as this hospital did three years ago. There wasn't a dedicated security position prior to me coming on board. It's definitely growing more and more. People see it can't be done as a secondary role."
Roszkowski works both with her own IT team and with other execs enterprise-wide.
[See also: Compliance isn't everything.]
"I have a team of individuals, analysts and an engineer, to work on technical challenges, project work, policy work," she says. "I'm also working with other IT leaders. Across the organization, I work with HR, director of risk, the privacy officer, the compliance officer."
Does every provider organization, large or small, need a CISO?
"I think it's getting to the point where every organization needs one," she says. "I can see smaller organizations having difficulty, though. They could find, potentially, a creative solution to having that covered – maybe partnering with another hospital? But there really needs to be someone dedicated to that job."
"I would agree with that as well," says McMillan.
As for the qualities to look for in a CISO candidate, he says, "You have to have a certain technical acumen. You have to have your certifications, etc. But when I look for a CISO – and this is particularly true in healthcare – you need to have an individual who has leadership skills, someone who has good communication and collaborative skills."
After all, says McMillan, "Security is a team sport. The CISO can't do it all by themselves. I'm looking for someone who knows how to budget, how to plan strategically, to be part of that leadership team."
All too often, he says, security officers are "not very good at translating security knowledge to business knowledge. When you're talking to the leadership of a hospital you have to talk business."