Issue link: https://beckershealthcare.uberflip.com/i/1522996
CIO / HEALTH IT

Health system CISO role evolves as ransomware attacks take center stage

By Laura Dyrda

Chief information security officers are seeing their roles elevate as hospitals renew focus on cybersecurity and ransomware attack prevention.

In the last year, Nashville, Tenn.-based HCA Healthcare suffered a significant data breach affecting 11 million patients. Lehigh Valley Health Network in Allentown, Pa., was attacked by a Russian ransomware gang, and St. Louis-based Ascension continues to recover from a ransomware attack in early May.

Third-party vendors are also being hit. Most notably, Change Healthcare, part of Optum, suffered a large-scale cyberattack earlier this year, disrupting the company's payment processing for hospitals across the U.S. Hospitals and physician practices struggled to find solutions for payment processing while Change revived its network, and millions of patients' data was exposed during the attack.

All C-suite executives are watching the attacks unfold and taking the necessary (and costly) precautions to avoid falling victim. They are also relying more on CISOs to become part of the strategic planning for overall health and viability of the organization.

Splunk's CISO report said 86% of respondents felt like they had a "different job" because of how the role has evolved from a technical role to a business leader. The report also noted around 47% of CISOs now report directly to the CEO and can have a bigger influence with the leadership and board of directors.

Many organizations believe it's a matter of when, not if, they will be hit by a cyberattack. And then they have to respond.

"We're not really able to actively mitigate threats so much as react to them very, very quickly," said Aarom Wiseman, CISO of Main Line Health, on an episode of the "Becker's Healthcare Podcast" hosted by Molly Gamble. "Some of the more successful CISOs are able to do that at scale continually and keep their organizations safe as long as they can.
There's also an element of being able to plan for that downtime and figure out, once our organization is hit with ransomware, how do I make sure I promote my confidence in my ability to respond to that throughout the organization."

It takes collaboration across the organization and being able to explain security concepts to clinical and administrative staff. Those communication skills are essential so CISOs can convince their team cybersecurity best practices are a patient safety and patient dignity issue, not just a technology issue, said Mr. Wiseman.

There is also more collaboration among cybersecurity leaders and teams to spread learnings for cybersecurity recovery. Being able to network and leverage those connection points will prepare CISOs and their organizations for what happens after the attack.

"There's a lot more what I consider shared therapy sessions around [ransomware attacks] where folks come together and talk about this horrible shared plight, the threat of ransomware attacks and how health systems are organizing around that," said Mr. Wiseman. "Healthcare, fortunately, has had, through HIPAA, this longstanding obligation to report healthcare breaches and breaches of protected health information. Some health systems now have the added difficulty of responding to SEC regulations and having to report under much tighter timelines. I think it's becoming a lot more complex, but it's also driving a lot more collaboration within the healthcare industry."

Renton, Wash.-based Providence has also been elevating cybersecurity operations by developing a global IT enterprise. The health system has employees in India to support the system's cybersecurity efforts during evening hours in the U.S. The move has had a big strategic impact on Providence's team, and staff satisfaction is up because the team doesn't need to take night shifts.
"Cybersecurity is a cost center for an organization, and there is a fine balance that you have to walk between pouring more money and resources into solving cybersecurity as a problem space. What are the risks? What's the dollar value of the risks that you're solving for?" said Mr. Zoller on an episode of the "Becker's Healthcare Podcast" hosted by Laura Dyrda. "Every dollar that you spend on security is a dollar you take away from patient care in some fashion or take away from innovation or from reducing technology or process debt."

CVS Health adds governance chief

By Laura Dyrda

Kristina Fink, former vice president, corporate secretary and chief governance officer of American Express, joined CVS Health as senior vice president, corporate secretary and chief governance officer in mid-May, according to a LinkedIn post.

While at American Express, Ms. Fink led efforts to support American Express National Bank and served as a member of the General Counsel Organization's leadership team. She also has experience in leadership roles at Guardian Life Insurance Company of America and Clifford Chance US LP.

In her new role, Ms. Fink will work with investors on governance issues and oversee the annual proxy statement process, according to CVS Health's website. She will also oversee corporate and securities matters and provide legal support for the treasury, corporate finance, compensation and benefits.

Ms. Fink is the immediate past president of the New York Chapter of the Society of Corporate Governance Professionals as well as secretary and treasurer of the Shareholders Relations Society.