Healthcare organizations want their clinical ecosystems to be interactive, collaborative, and productive. Those systems should also allow innovation while remaining client-focused and user-friendly. It may be that only after these factors have been considered does information security come into focus. Security can be an unwelcome subject because, even after all the recent years of growth in the information and cyber security industries, the Security department is still often seen as the department of “No.” Infosec can be viewed as the anchor that weighs down any kind of advancement.
Anyone in healthcare, or anyone who deals with health data (e.g., clearinghouses, business associates), can attest to the numerous details involved in complying with HIPAA or HITRUST. Years ago, when I worked in IT in a healthcare org, a coworker told me about a time a few years before when an insurance company interpreted the rules so stringently that they sent out insurance cards with no information on them. That was because, as they read the rules, simply having PHI on the card meant publicly displaying the cardholders’ personal information. Navigating the waters of proper and improper disclosure of PHI, along with the many other controls inherent to HIPAA and any other regulations and rules that may apply to an organization, is complex enough that personnel are often left feeling vulnerable to lawsuits. For more information about complying with the HIPAA safeguards, see: https://itegriti.com/2020/compliance/achieving-hipaa-compliance-2-2
Adding Leadership to Management
The solution is not more technology – if mismatched, administration becomes a nightmare within a year, if not sooner. The solution is not necessarily better management – as Stephen Covey said, “You lead people; you manage things,” yet the focus can end up on trying to manage people and lead technology.
The solution is not better systems – “better” usually means “faster,” and if one can’t oversee the current systems, then faster systems just develop faster inefficiencies.
The solution is security leadership.
Regardless of the industry, more and better tech combined with trained management does not equate to leadership in a company. Please don’t misunderstand my intention – there’s going to be an aspect of more and better technology along the way, and managers can better manage, and even lead, their departments. These are all necessary.
What makes for a bad corporate environment and experience is a lack of cohesion between the various technologies; an administrative technological burden due to incongruous, even contradictory, systems; and a lack of communication between the departments, upper management, and the board of directors.
Creation of Correct Coordinates on a Cartograph (or Building a Proper Roadmap)
Here’s an acronym game (I just made it up, so it hasn’t been play-tested, and I have no doubt it will never show up on shelves or in a GitHub repo). Starting with the first series of acronyms, continue down through each domain to see which acronyms you know – no worries, no one’s keeping score.
- ePHI, PHI, PII, HHS, ACA, EOB, SSA
- HIPAA, GDPR, CPRA, 23 NYCRR 500, PIPEDA, HITRUST, FedRAMP, CCPA, PCI-DSS
- ROI, FIFO, ACV (not apple cider vinegar), B2B, PTE, EPS, M&A, CRM, EOB (not the same as the one under the Healthcare section)
- MTTF, MTTR, MAC (not the Apple product), IETF, API, AV, CPU, SOAR, VM
- NIST CSF, 0Day, Red Team, APT, CIS, ISO, SOC, C2, TTP
Did you understand them all? A CISO understands all of these and many more. In order to attain and maintain compliance with the immediately applicable Privacy and Security Rules of HIPAA (see here for more information: https://itegriti.com/2020/compliance/understanding-hipaa-security-2/); to move toward a more mature framework such as HITRUST CSF; and for your healthcare group to attain proper information security (which includes the previously mentioned aspects of technological cohesion and interdepartmental communication), you’ll need a CISO.
The Cost of Security Leadership
What’s the salary of a CISO? Looking at sites such as Glassdoor, Salary, and ZipRecruiter, there is a fairly wide range of salaries. Remember that a salary depends upon at least three aspects:
- Level of knowledge and responsibility
- One’s position in the company
- The company’s position in society
As a rough figure, though, $200,000 is about average.
A healthcare institution may find 200K a bit steep. For smaller companies, it might be possible to add some lines to a current position to cover the additional duties of this leadership role, but it’s likely impossible to hire a full-time CISO. For those who can neither boost a current job position nor hire a CISO, a vCISO might be just what’s needed.
How much does a vCISO cost? When browsing various sites, one might not find the price. A long-held tradition in the foodservice industry is that the menus of high-priced restaurants don’t have the prices on them. The idea is: if you have to ask, you can’t afford it.
This is definitely not the way with a vCISO. Like many professional services, there are numerous individual factors, such as how often the vCISO will be involved and how much work needs to be done on your security program. Maybe you only need to contract 10 hours a month to maintain your program, or you may need 40 or even 300 to get your program started. Your organization’s needs will play into the cost, and this direct alignment of needs and expertise is one of the core benefits of retaining a vCISO rather than a CISO. Also, each company that provides vCISO/CISO-as-a-Service has different deals, commitment times, operating terms, and options. That said, the average annual vCISO cost is $112,000. Keep in mind that the low end is around $25K and the upper end is about $200,000. All in all, it’s a much lower average than a full-time on-prem CISO. By all means, use that “Contact Us” form on sites to initiate the conversation.
Assessing the Advantages of a vCISO
A Virtual Chief Information Security Officer provides a firm with expertise in each of the acronyms noted a few paragraphs above, as well as many other domains of knowledge. Additionally, the vCISO brings the typical and necessary leadership qualities – leading by example, maintaining composure during a crisis, commitment to transparency, and standing up for those around them (more information on these and other qualities here: https://www.wgu.edu/blog/what-effective-leadership2012.html).
Maintaining the alphabet soup of regulations; leading the healthcare group to better information security by providing a framework; keeping an eye on both current and upcoming legislation (there’s always something up-and-coming); being a connection point between employees, management, and leadership; and understanding how patient care, business goals/vision/mission, and information security can mesh are all part of a vCISO’s job.
The healthcare vCISO understands the profession, products, and processes of a healthcare group. And a vCISO will cost significantly less than a full-time CISO. For groups that cannot afford a full-time security leadership position but still aspire to improve their security posture, there’s hope.