The chief information security officer – new challenges, new responsibilities

Hospitals depend on information to effectively manage and deliver health services. Given the unremitting escalation in cyber-attacks and patient data breaches at hospitals today, the role of the CISO (Chief Information Security Officer) has moved to centre stage.
As their own responsibilities have expanded, hospital CISOs have also faced the need to understand the perspectives of other boardroom leaders. These range from business practices to risk management, the economics and cost-benefit of security, as well as legislation about privacy and liability. Indeed, some American hospitals refer to the CISO as Chief Information Privacy and Security Officer.

Data breaches and ransomware threats escalate
The frequency of reported data breaches at hospitals has grown especially sharply in the US. Over just two days in the middle of September this year, Children’s Hospital Colorado, Morehead Memorial in North Carolina and Georgia’s Augusta University Hospital reported security breaches which potentially affected personal health data of several thousand patients.
Europe has also seen its share of attacks. In May 2017, the National Health Service in Britain was hit by a ransomware attack which crippled the ability of some 16 units to access patient data. In July, an insider breach at health insurance giant Bupa exposed data of 108,000 customers.
In France, over 1,300 attacks on hospitals and healthcare facilities were voluntarily reported to the Ministry of Health in 2016.

Scale of threat grows, so do delays in response
Nevertheless, a data breach scandal in another business sector illustrates the sheer scale and impact of the phenomenon. In September, Equifax, a major US credit reporting agency, announced its IT systems had been compromised, potentially exposing credit card details, Social Security numbers, and other personal information for up to 143 million Americans.
Although critics of Equifax complained about the delay, the longest gap in discovery of a breach concerns Tewksbury Hospital in Massachusetts, which took 14 years to discover that a clerk had been inappropriately accessing patient records since 2003.

The role of the CISO
Such events have propelled CISOs to the frontlines of information security, strengthening a trend that dates to the late 2000s.
In 2011, a PricewaterhouseCoopers (PwC) survey found that 80% of businesses had a CISO or equivalent, compared to less than half in 2005. Almost two-thirds reported to the Chief Executive or the Board of Directors, and the rest to a Chief Information Officer (CIO).

60 percent of US healthcare facilities have CISO role

The situation in the healthcare sector has mirrored, if slightly lagged, this trajectory. In 2017, 71 percent of respondents to a US cybersecurity survey by HIMSS (the Healthcare Information and Management Systems Society) stated their organizations allocated a specific budget for cybersecurity.
Almost half said this was over 3 percent of the budget, while one in ten said the share was more than 10 percent. Another interesting finding from the HIMSS survey was that 60 percent of respondents said their organizations employed a CISO or senior information security leader.

The CISO in Europe
The above figures refer to the US. Europe is likely to be some way behind. Nevertheless, it too is catching up. In France, for example, the Association for the Security of Health Information Systems (APSSIS) made specific recommendations at a recent annual conference on the role of the CISO (known in French as ‘responsable de la sécurité des systèmes d’information’, or RSSI) and the need for close coordination with the CEO.
In the UK, HCA Healthcare, London’s largest private hospital group (including top facilities such as The Harley Street Clinic, Princess Grace Hospital and The Wellington Hospital) announced an opening for a CISO at the end of August 2017. The HCA described the CISO job as being “responsible for providing strategic leadership and operational oversight for the security of information technology and systems and Information Governance…” Specific tasks which were identified include risk assessment and management, patient privacy, development of policies, standards, procedures, and guidelines, as well as threat/incident response and corporate communications on security.

The CISO and compliance: ISO standards
CISOs are in fact responsible for information-related compliance in all business sectors. Compliance principally involves two information security frameworks published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

ISO/IEC 27001:2013
The first, ISO/IEC 27001:2013, is a guideline with requirements “for establishing, implementing, maintaining and continually improving information security management.” The second, ISO/IEC 27002:2013, is a standard, and provides implementation rules. It focuses on the confidentiality, integrity and availability of information; it also provides best practice recommendations. Both are applied internationally.

ISO 27799:2016 focuses on healthcare

Hospitals, nevertheless, face very specific information security challenges. These are embodied in another standard, ISO 27799:2016, to protect the confidentiality, integrity and availability of personal health information. This ISO standard provides implementation guidance for the controls in ISO/IEC 27002:2013 and supplements them where necessary, to make them relevant for health-specific information security requirements.

ISO 27799:2016 applies to information in the form of words and numbers, sound recordings, drawings, video or medical images, whether it is stored in print or in writing on paper or electronically. Also covered are the means used to transmit the information – by hand, through fax, over computer networks, or by post.
It is important to note that although ISO 27799:2016 and ISO/IEC 27002:2013 jointly define information security requirements for healthcare, they do not specify how these should be met. In other words, they are technology-neutral.

Differences between ISO and HIPAA
ISO 27799:2016 is, however, not a legal requirement, unlike HIPAA (the Health Insurance Portability and Accountability Act), which regulates the security and privacy of health information in the US, though the two have much in common. Nevertheless, for hospital CISOs, the difference is a major factor.
The latest Data Breach Litigation Report from St. Louis law firm Bryan Cave reports 76 class action data breach lawsuits in 2016, up by 7 percent from the previous year.
However, these actions are potentially only the tip of an iceberg, with only 3.3 percent of publicly reported data breaches leading to litigation. What is more pertinent to hospital CISOs is the fact that 70 percent of publicly reported breaches related to the medical industry, with negligence accounting for 95 percent of all cases.

The Common Security Framework
In the late 2000s, an initiative known as the Common Security Framework (CSF) sought to become the overarching framework to comprehensively map different security standards and practices and provide a one-stop solution for hospitals and the healthcare sector. It was established by the Health Information Trust Alliance (HITRUST) – a US-led healthcare industry organization which has sought to ensure that information security becomes central to both the adoption of technology and the exchange of health data.

HITRUST, in many senses, marks the coming of age of the CISO in the US. Its founders consisted of CISOs from a broad range of healthcare actors, including Blue Cross Blue Shield, CVS Caremark, Hospital Corporation of America, Humana and Kaiser Permanente, alongside top executives from Cisco Systems, Johnson & Johnson Health Care Systems and Philips Healthcare.
HITRUST has however yet to make any impact in Europe, where attention to healthcare information data security has been directed either to the electronic health record or included within the broader ambit of protecting personal data.

The Smart Hospital in Europe
Indeed, CISOs in Europe’s hospitals pay far greater attention to ISO 27799:2016 and ISO/IEC 27002:2013, with a leadership role at ISO taken by CEN, the European Committee on Standards. Recently, this has been accompanied by recommendations from ENISA (European Union Agency for Network and Information Security).
As part of the so-called Smart Hospital programme, ENISA has specified good practices for hospitals, with explicit mention of the role of the CISO. Nevertheless, ENISA too takes cognizance of the central role of ISO and the “2700x series of standards.”

National initiatives
There are several national initiatives, too. In France, for example, APSSIS (the Association for the Security of Health Information Systems) has played a major role in charters to be signed by staff within territorial hospital groups (GHT), so as to make them aware of best practices in computer security.

In Germany, ZVEI (the German Electrical and Electronic Manufacturers’ Association) has published guidelines on the use of IT in medicine, including what it calls “secure medical subnetworks”. In February, ZVEI released a position paper on standards for the use of electronic products used in a medical setting and the legal obligations of operators using such systems.
One of the nightmare scenarios here is, of course, the hacking of medical devices. In 2016, Johnson & Johnson warned customers about a security bug in one of its insulin pumps, while St. Jude has sought to deal with the fallout of vulnerabilities in some of its defibrillators and pacemakers.

Health-specific experience
The issue of health-specific technical experience is now driving recruitment of hospital CISOs. Healthcare has lagged sectors like banking or retail with regard to IT adoption. Indeed, even when hospitals began to implement IT, functionality rather than security was the priority. As a result, most hospitals have a back-office choking with legacy applications, often numbering in the thousands. Knitting them into a secure architecture is hardly straightforward.
One consequence of such factors is a shortage of IT professionals familiar with both healthcare and security.

Training and certifications
To access the requisite talent, some argue for jettisoning the search for healthcare experience and focusing instead on hiring an experienced CISO from another industry, followed by training in healthcare issues. Others favour the opposite: to look for talent in healthcare IT, but train them in security.
The College for Healthcare Information Management Executives (CHIME), and its affiliate, The Association for Executives in Healthcare Information Security (AEHIS) have launched programmes directed wholly at training hospital CISOs.
The CHIME Certified Healthcare CIO (CHCIO) programme is in fact the first certification programme exclusively for CIOs and IT executives in the healthcare industry. CHIME members who have been in a healthcare CIO or equivalent position for at least three years and want to enhance their professional stature are eligible to become certified. Currently, over 400 IT professionals are CHCIO-certified. A figure of this order is also borne out by a professional forum like LinkedIn, which lists 240 CISOs at hospitals – out of a total of over 7,500.

For now, generally speaking, one is more likely to find CISOs at larger hospitals and academic medical centres in both Europe and the US. Mid-sized facilities still assign the CISO role to a CIO (Chief Information Officer), supported by IT staff who devote part of their time to security issues. Such a piecemeal approach is, however, fast revealing its limitations, as shown by the growing wave of cyberattacks.