CISOs: Healthcare's new rock stars

'Every board is going to be asking its CEO, "How secure are we?" That wasn't a question ever asked in boardrooms.'

October 14, 2015

08:00 AM

There's a new chief in town responsible for safeguarding healthcare organizations' most valued asset: information.

Amid the near-constant flood of data breaches and a fast-evolving cyberthreat landscape, the absolute need to prioritize information security is only growing stronger.

That calls for a leader who can protect his or her organization's critical clinical and financial data from such a relentless and multifarious threat: the chief information security officer.

The drumbeat of news in recent years has been sobering for security professionals. In May 2014, for instance, the U.S. Department of Health and Human Services slapped Columbia University and New York-Presbyterian with a record $4.8 million HIPAA settlement after patient data wound up on Google.

And this year, hackers have hit healthcare harder than ever. In February and March, they went after health plans Anthem and Premera Blue Cross, compromising the health data of 79 million and 11 million people, respectively. In July, cyber crooks swiped the data of 4.5 million patients at UCLA Health System.

"Every board is going to be asking its CEO, 'How secure are we?' That wasn't a question ever asked in boardrooms," Ted Schlein, general partner at Silicon Valley venture capitalist Kleiner Perkins Caufield & Byers told PBS' Charlie Rose. "Every board is going to end up with a security expert on it."

New breed
Research shows that's starting to happen. More than half of respondents to the 2015 HIMSS Cybersecurity Survey have already hired a full-time employee to manage information security. And 87 percent indicated that infosec has become a more significant priority during the past dozen months.

The survey also determined, not surprisingly, that the job demands a diverse skill set. It's not only about IT or security. Rather, today's CISOs are also responsible for developing organizational policy, handling remediation and notification of breaches, interacting with government compliance authorities as well as third-parties responsible for securing information.

Any one of those could, quite literally, be a full-time career -- which is why Mitchell Parker, CISO at Philadelphia's Temple Health, said there's one critical skill more important than all others.

"Communication," Parker said. "The CISO role is strategic and advisory, so you have to speak to a lot of people who don't have your technological background."

CISOs, in turn, also have to understand what other C-suite executives are talking about.

At Seattle Children's, that means CISO Chris Ewell, who made the Assumption of Breach methodology part of his doctorate, has to be very well versed in the hospital's business practices, perhaps not notably risk management and contract negotiations.

"Anything that revolves around data, I'm part of that negotiation to ensure we have the right protection measures in place," Ewell said. "That partnership between the CISO and legal and IT and executives -- that's going to be a hard challenge for organizations that don't have CISOs."

Bright future, big money
The notion that Kleiner Perkins' Schlein presented -- that every board would someday invite a CISO to its table -- manifests from a long and reputable history in the security world. He made another bold prediction, too.

"Chief information security officers are going to be rock stars in the future," Schlein said. "I would argue that they'll probably be the most highly paid people in corporate America and around the world going forward."

Here we profile six men and women already proving their worth as CISOs at hospitals and health systems from coast to coast. They tell us about how they chose this challenging career, talk about the daily ups and downs of risk assessment and incident response, and offer their thoughts about a cyber future that seems to grow more complex by the day.