Where do CISOs fit in the healthcare C-suite?

The chief information security officer and chief information officer roles are intertwined, yet clearly different. Executives review organizational structures that work, and why.
By Bill Siwicki
08:05 AM

The booming gravity of information security in healthcare is giving rise to the CISO.

Data breaches are no longer the main threat. The malware du jour - that being ransomware, of course - and the proliferation of sophisticated attacks coming from cybercriminals, hacktavists, social engineering and spear-phishing, even espionage by nation states, all against the backdrop of a talent shortage, are converging to make security specialists something of an invaluable resource.

Yet, in many hospitals and large health systems, chief information security officers are lower down the reporting chain than may be realistically practicable given the consequences of data breach, loss, theft or spill.

While many CISOs report to the CIO, frequently with a dotted line to the chief privacy or compliance officer or to general counsel, the hotter the fire blazes under healthcare organizations to safeguard protected health information and personally identifiable information the more pertinent the question: Who should CISOs really report to? Should it be the chief executive? Or are there actual advantages to forging a strong partnership with the chief information officer?

[Also: Buyers Guide to intrusion detection and prevention tools]

For CIO Adam Buckley, MD, of the University of Vermont Health Network the reporting structure boils down to the complexity of the positions at a given organization. His job as CIO is, like that of most CIOs, highly complex, encompassing high-level organizational strategy that requires him to report to the CEO. Security is a matter of enough import that Buckley literally needs a CISO reporting to him who can protect the data while he deals with a raft of other issues.

"If I was of the mindset that I need to be all things to all people, that would not be ideal," Buckley said. "It’s valuable to have someone, for example, who wholly owns security because of the enormity. I like having someone who is focused on security, and I like that they are doing the things that I do not have the ability to do because of all the other areas I have to focus on. It’s enormously reassuring to know I have someone with the C-level title out there doing the work that needs to be done."


>> POLICY UPDATE: Congressional attempts to empower HHS CISO could serve as model for private hospitals
>> STRATEGIES: CIOs and CISOs share insights on strategic collaboration


Understanding organization’s culture and philosophy
Heather Roszkowski is Buckley's CISO. She believes having a CISO report directly to the CIO and the CIO reporting directly to the CEO is the best set-up to confront the security and IT challenges the University of Vermont Health Network faces today.

"There are schools of thought where the CIO and the CISO should be peers, where the CIO is providing IT services and the CISO is providing security services," Roszkowski said. "But the two roles are so intertwined in healthcare today that they need to be part of each other with a strong level of collaboration. It’s about support and focus."

CISO is an interesting title, Roszkowski added, because when the CISO walks into a room, everyone quickly and easily understands that executive's role and stake in the organization.

Buckley and Roszkowski agree that the structure suits University of Vermont Health Network, but does that mean it will work as well elsewhere?

And what are the duties of the healthcare CIO and CISO at the C-level? How should the healthcare C-suite work as a group? And what about smaller or mid-sized healthcare organizations that do not have C-level executives for IT or security?

“Other reporting relationships exist. Some CIOs report to chief administrative officers or CFOs,” said Russ Branzell, president and CEO of the College of Healthcare Information Management Executives (CHIME). “We've found there are just as many good reporting relationships as bad ones. It really comes down to what the best personal relationship is, and what is best for that organization."

Many chief executives don’t actually want a lot of direct reports, Branzell explained. Where a CIO and CISO stand on the ladder depends on the culture and philosophy of an organization; it's all about a provider making sure it has the proper representatives at the right meetings to create realistic processes.

Evolution: Organizational and industry-wide
At Beth Israel Deaconess Medical Center in Boston, the CISO, chief technology officer, chief medical information officer all report to the CIO. This structure is a product of evolution, both at the provider organization and in the healthcare industry.

"From 1997 to 2010, I was responsible for the duties of what would become the CIO, CISO, CTO and CMIO, and I reported to the CEO," said John Halamka, MD, CIO at Beth Israel Deaconess Medical Center and a professor of medicine at Harvard University. "But over the last few years, there has been an explosion of security-related issues. So I moved the security responsibilities to a CISO, who reports to me. I moved the day-to-day operations of the entire organization to a CTO, who reports to me. And I handed the planning for all clinical strategy and clinical optimization to a CMIO, who reports to me. More or less, the office of the CIO needs these four components, with the CIO as the strategist."

Halamka believes that the CIO, as a major strategist in an increasingly digital world, must report to the CEO. As for the CISO, he says there are basically only two places where that executive can report: IT or compliance/legal.

"So much of what a CISO does is policy and education, so it could be that a CISO reports to compliance/legal," Halamka said. "But when it comes to making decisions on threats and technical matters, compliance/legal would have to defer to the CIO. Ultimately, having the CISO report to the CIO, where the bulk of the day-to-day issues take place, that makes sense."

The centerpiece? IT innovation
Christiana Care Health System CIO Randy Gaboriault might take issue with any suggestion that its CISO, Anahi Santiago, report to anyone other than the CIO.

"My responsibility is broader than just the IT framework — with all of the transformation taking place, that means building a new business model that is adjunct to the current business model," Gaboriault said. "All of that is powered by some form of technology — information technology more than medical technology. Once you get past real estate and such, the single largest consumer of capital in our program is the IT function, which itself drives a lot of the innovation."

And within that security has become an all-encompassing consideration, Gaboriault said, so it’s essential that CISO Santiago’s skill set aligns with Christiana’s broader mission.

"Information security has become such an integral aspect of being able to build brand and advance progress in healthcare delivery, so being able to report to the person who sets the vision and thus integrate information security into everything we bring out to the market has become really important," Santiago said. "It also helps the CISO to be so close to the capital of the CIO; some of my peers who do not report into IT struggle to gain the capital leverage to implement things, and often are at odds with IT because they are seen not as a peer but as an enforcer. So having IT as my peer helps for implementing controls, for example. I am not at odds with IT, I am one of them." 


Sign up for the Healthcare IT News Privacy & Security Update newsletter.  


Santiago, though she reports to the CIO, does have direct access to the CEO, CFO and chief clinical leader.

"I am written into the charter for the audit committee of the board," she explained. "That committee has direct oversight over the information security function and accountability for it. I have direct access to all leaders in the organization and have a voice, and even have informal lunches with the chairman of the audit committee of the board where he can pick my brain. We have some candid conversations. I have a strong voice at that level, and I am heard, and they understand the importance of information security."

Leverage IT decisions
Just having a CISO is a relatively new reality for many hospitals and systems.

At Fairview Health Services in Minneapolis, for instance, security was previously buried within the IT framework, with a handful of people responsible for security and other duties as assigned, Fairview CISO Barry Caplin said.

"Then the organization had a breach, and part of the recovery was recommendations from external consultants saying the organization needs a formal security program," he said. "With the previous person responsible for security, the organization at one point tried to stick that person in risk management. But in these organizations ― and this is not unusual for healthcare - risk management means insurance, and sticking security there did not work out well."

Caplin, who became Fairview’s first chief information security officer, believes there's a huge bonus, so to speak, to the CISO reporting to the CIO and not compliance, privacy or legal.

"General counsel never has a budget. If you are going to buy anything and leverage IT decisions, you have to have some money, and being plugged into the CIO and his or her IT budget is an advantage for a CISO,” Caplin added. “Regardless of where you report, if you do not have a really solid relationship with your CIO, then you are done from the get-go.

Associate Editor Jessica Davis and Editor-in-Chief Tom Sullivan contributed to this report.

Twitter: @SiwickiHealthIT
Email the writer: bill.siwicki@himssmedia.com


Like Healthcare IT News on Facebook and LinkedIn

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.