Becker's Hospital Review

October 2018 Issue of Beckers Hospital Review

Issue link: https://beckershealthcare.uberflip.com/i/1034012


THOUGHT LEADERSHIP

Why Catholic Health Initiatives' CISO says awareness training is pivotal in hospital cybersecurity

By Jackie Drees

Sheryl Rose, chief information security officer and senior vice president at Englewood, Colo.-based Catholic Health Initiatives, discusses the evolution of the CISO role and how hospital systems can implement best practices for data protection.

Question: What tasks require most of your time as CISO?

Sheryl Rose: The role of the CISO has evolved over the years. It's important to have a solid technical background, but as recent years have shown, having a strategic, balanced approach to security is extremely important. It is critical to understand your organization's threat landscape. The potential security threats that may impact an organization are continually changing. You must have strong processes for identifying, remediating and communicating risks to your organization. In some cases, you will have to think about compensating controls in mitigating the risks, as not all risks can be addressed.

I spend a lot of time focusing on the projects that will enhance our security posture. This means working with the teams to have a solid focus on people, process and technology. Cyber threats in healthcare are real, and spending your time focusing on how to prevent as well as detect [them] is critical.

While I spend a large portion of my time working through our risk management processes and the associated projects, it is also extremely important to focus on strategy. Everyone's responsibility is security, and to get support it is necessary to balance the business with the security needs. Understanding the impact of security on healthcare providers as well as patient care is significant if you want to get engagement at all levels. I spend a lot of time taking very technical security controls and metrics and turning them into meaningful business analytics that can be discussed and balanced with business need, cost, risk appetite, etc.

I also spend a lot of time ensuring that our leadership team has a deep understanding of our risks and support for security initiatives. As you know, some security initiatives may pose certain restrictions from an operations perspective; balancing security controls and users' experience is a delicate balance.

Q: How do you train clinicians and front-line staff to protect patient data and avoid cyberattacks?

SR: One of the most significant threat vectors for a cyber event is phishing. Training your end users is critical, but not just training; getting them to truly understand the potential impact of their action is also critical. It is beneficial to continue to enhance your training to focus on healthcare security as well as specialized role-based training. It is a balance to do so when clinicians' priority is patient care, but through thoughtful, ever-changing awareness training and scheduled phishing exercises, more awareness can be brought forward. Cybersecurity and awareness training cannot be underestimated, even though we continue to implement technical controls in managing phishing threats.

Q: What do you see as the next big cybersecurity threat hospitals should look out for and why?

SR: I don't know if there is something specific for the 'next big thing' hospitals should look at. Instead, I think continued steady improvement in your security risk posture is important. Security isn't all about technology; it is critical to balance your people and processes as well. Having solid preventive controls but ensuring you align those with detective controls is key. The healthcare industry is making huge leaps into the technology space with consumer demands, mobile applications, "internet of things" and telehealth. These are definitely areas to engage and make sure you understand your organization's risks.

The industry overall continues to see complex agreements with physician practices and partnerships with other organizations that change the risk landscape dramatically. The outsourcing of technology and the impact of cloud service providers in the healthcare space require an emphasis on third-party risk management programs to closely monitor existing and new partners' security practices.

Q: What do you consider to be the most important aspect in hospital data protection?

SR: The amount and the type of confidential data handled by healthcare entities and the ability to apply a true risk management approach in identifying critical infrastructure systems and critical data. I definitely see a lot of partnership in collaborating IT, business and operations leaders in addressing operational security risks. One of the most important aspects of hospital data protection is educating your end users on the criticality of the data they handle and providing them guidance on how to transmit or store this data. In addition, having a strong data loss prevention program provides detective controls to identify where sensitive data may be at risk. Finally, most healthcare organizations do not have unlimited funds to address IT- and security-related risks. It is important to be creative in addressing significant risks facing an organization. As always, a cybersecurity program is a journey, not a destination.

"Security isn't all about technology, it is critical to balance your people and processes as well." — Sheryl Rose, CISO and Senior Vice President of Catholic Health Initiatives
