Security chiefs are hard to find
CEOs and CIOs are quickly moving to make hiring chief information security officers a top priority, but CISOs are hard to come by – and expensive.
The position, which somehow has to get a handle on privacy, compliance and traditional security issues at once, is in high demand as industry and government requirements for data sharing increase: between patients and doctors, from hospital to hospital, and with government agencies, labs and insurance companies. Add mobile devices to the mix, and the security/privacy/compliance headaches for CIOs are about to get more painful.
Attitudes about security change
Bert Reese, the CIO of Sentara, a 125-year-old, 12-hospital, $5.6 billion healthcare enterprise, said his vision of what a CISO should do has morphed sharply since December 2013, when he hired his current CISO, Kathy Jobes.
"My thinking has changed since the arrival of Kathy. Before, I thought of it as more of the traditional role. I didn't know what I didn't know," Reese said. He now sees it as changing the whole security culture, impacting every element of the enterprise.
For many healthcare operations, he said, applications have had terrific functionality but security was rarely a priority, at least with major application developers.
"The (application) security function never matured," Reese said. "Today, we literally run 1,000 different applications to support the enterprise. Choreographing them into a truly secure architecture is, to say the least, entertaining."
Making matters yet more challenging for CISOs, he added, is that large healthcare enterprises are often seen as soft targets for cyber thieves, foreign espionage agents and saboteurs.
"We see about a million hits a day from China alone, trying to break into our network," Reese said, speculating that the attackers want to access standard corporate applications – such as ERP – so they can figure out the coding and then use it to attack more lucrative – but more secure – targets such as financial, retail, aerospace or manufacturing corporations.
Hire from within, or tap other industries?
To get the talent needed, some argue that healthcare CIOs must abandon insisting on healthcare experience, opting instead to hire an experienced CISO from another industry and then training that executive in healthcare issues. It's the price that healthcare execs must pay, said healthcare IT recruiter Judy Kirby, for having ignored security for too long.
"It's not something that in the past was very important to us. When your data wasn't online, the risks were minimal," said Kirby, who has run Kirby Partners since 1994. "Healthcare has lagged behind financial institutions and now they have to play catch-up. Because we didn't need them in the past, we didn't grow them. We don't have internal ones that could easily promote. You then have to go outside of healthcare and teach them healthcare."
But another veteran healthcare IT recruiter, Rich Miller, senior vice president for B.E. Smith, argues that CIOs are better served by staying within healthcare IT, but training the hired executive in security.
Miller's argument is that a talented healthcare IT executive – one who has already demonstrated persuasive communication skills – is the much better place to start. "A proven healthcare information leader can quickly become a proven information technology security leader," Miller said. "Any IT leader could ascend into this role, as long as it's a proven leader with great leadership potential. I'm a strong advocate of looking within to identify the future CISOs."
One of Miller's concerns is that recruiting talented execs from other industries – and certainly from healthcare competitors – is too expensive.
"The CISOs that are good are well-taken-care-of and not interested in making a move," he said.
Finding the right CISO
Although healthcare operations want to hire the best talent for such a sensitive and important role, more than one healthcare IT exec has wondered whether they are being unrealistically picky.
Shafiq Rab is the VP/CIO at Hackensack University Medical Center and also a physician. He is in the middle of a search for a CISO, and he is the first to admit that this search is challenging.
"Are our standards too high? We want the ideal candidate to have so many attributes," Rab said. "This position has to be visible at the CEO level and also visible to the board. Is this a policy person? Education? Technical? Anybody who's very good is already employed."
Rab places himself into the lack-of-healthcare-experience-is-not-a-deal-breaker category. "Healthcare is important, but we're not that unique in information technology. Qualified people are only a few. Are they savvy enough to sell it? Do they have that balance between business and security? Can they deliver consensus by begging?"
One of the more sensitive issues with any hiring position is compensation, that delicate corporate dance between paying too much and not enough.
Declining to name a targeted CISO annual salary figure beyond "more than $200,000," Rab said that his management is very good at understanding the value – the ROI – of the position. "We're very empirical people: We counted the number of bad things that could happen to us" if the CISO duties weren't properly performed and how much such bad things would cost the hospital, he said.
Training CISOs for healthcare
The College for Healthcare Information Management Executives (CHIME) considers the situation dire enough that it's creating a program solely intended to help train and prepare CISOs. George McCulloch, CHIME's executive VP for membership and professional development, said that CISOs not only hold important roles, but their remits right now are borderline untenable.
"Healthcare is a highly-regulated organization whose technical infrastructure continues to evolve," McCulloch said. "How can a person know and do all of that?"
Beyond securing its own network, the hospital still faces the challenge of handling data once it leaves that (hopefully secure) network, as well as deciding how and when to share information.
"What kinds of clinical information should anybody be able to see?" McCulloch asked, illustrating the challenge by referencing an 18-year-old patient who is on his/her parents' insurance and whose non-covered medical expenses are also paid by those parents. "What are the rights of a parent to see that information? And what do we do about certain especially sensitive test results, such as blood tests for potential HIV, DNA or psychiatric records? What should my treating physician know about it?"
A big part of this quasi-IT challenge is that the very nature of electronic records makes it so much easier to share far more data. In turn, that forces more decisions about what and when to share – along with a list of exceptions to deal with the inevitable unusual situation.
"I can now know an awful lot about you," McCulloch said. "A DNA test might hint at what diseases you might eventually contract. Should it go to the insurance company? Health exchanges? Other providers?"
Hackensack's Rab added that new government requirements are forcing some of those new decisions and policies. "The good government wants us to share information with everybody, but they also want to audit and fine everybody if something bad happens," Rab said.