Top healthcare CISOs hard to come by
Healthcare needs are complex
Most gravitate toward the idea that healthcare CISOs have far more complex jobs, ones that demand diplomatic skills (rarely one of the stronger tools in the traditional security chief's arsenal). Why diplomacy? How else to convince doctors' offices and dozens of other kinds of data partners to upgrade their own security before connecting to your network? And "their own security" doesn't merely mean firewalls and encryption of data in transit.
If the data is printed and a copy is left in the waiting room, or office staff speak of the confidential data loudly enough to be overheard by other patients, that information can leak out just as easily as from an unsecured data port. If that data was given only to the hospital staff and it somehow finds its way to an unauthorized data broker or a cyber thief, the hospital – the "deep pocket," in legal parlance – will get the blame. It doesn't matter if the leak was caused by incompetent behavior from people you can't control.
Finding the right CISO
Although healthcare operations want to hire the best talent for such a sensitive and important role, more than one healthcare IT exec has wondered whether they are being unrealistically picky.
Shafiq Rab is the VP/CIO at the Hackensack University Medical Center as well as a physician. He's also in the middle of a search for a CISO. Rab is the first to admit that this search is challenging.
"Are our standards too high? We want the ideal candidate to have so many attributes," Rab said. "This position has to be visible at the CEO level and also visible to the board. Is this a policy person? Education? Technical? Anybody who’s very good is already employed."
Rab places himself into the lack-of-healthcare-experience-is-not-a-deal-breaker category. "Healthcare is important, but we're not that unique in information technology. Qualified people are only a few. Are they savvy enough to sell it? Do they have that balance between business and security? Can they deliver consensus by begging?"
One of the more sensitive issues with any hiring position is compensation, that delicate corporate dance between paying too much and not enough.
Declining to name a targeted CISO annual salary figure beyond "more than $200,000," Rab said that his management is very good at understanding the value – the ROI – of the position. "We're very empirical people: We counted the number of bad things that could happen to us" if the CISO duties weren't properly performed and how much such bad things would cost the hospital, he said.
Training CISOs for healthcare
The College for Healthcare Information Management Executives considers the situation dire enough that it's creating a program solely intended to help train and prepare CISOs. George McCulloch, the CHIME executive VP for membership and professional development, said that CISOs are not only important roles, but their jurisdictions right now are borderline untenable.
"Healthcare is a highly-regulated organization whose technical infrastructure continues to evolve," McCulloch said. "How can a person know and do all of that?"
Beyond securing the data, the challenge is handling it once it leaves the hospital's (hopefully secure) network, and deciding how and when to share it.
"What kinds of clinical information should anybody be able to see?" McCulloch asked, illustrating the challenge by referencing an 18-year-old patient who is on his/her parents' insurance and whose non-covered medical expenses are also paid by those parents. "What are the rights of a parent to see that information? And what do we do about certain especially sensitive test results, such as blood tests for potential HIV, DNA or psychiatric records? What should my treating physician know about it?"
A big part of this quasi-IT challenge is that the very nature of electronic records makes it so much easier to share far more data. In turn, that forces more decisions about what and when to share – along with a list of exceptions to deal with the inevitable unusual situation.
"I can now know an awful lot about you," McCulloch said. "A DNA test might hint at what diseases you might eventually contract. Should it go to the insurance company? Health exchanges? Other providers?"
Hackensack's Rab added that new government requirements are forcing some of those new decisions and policies. "The good government wants us to share information with everybody, but they also want to audit and fine everybody if something bad happens," Rab said.