Healthcare CISOs Sound Off, Volume 2: Risk Reporting & Engaging with the Business

Blog Post by Brian Selfridge, Partner at Meditology Services and Host of The CyberPHIx Podcast

I have been hosting The CyberPHIx healthcare cybersecurity podcast for over three years now. During that time, I have had the honor and privilege to speak with some of the healthcare industry’s most innovative thought leaders and experts in cybersecurity, privacy, compliance, and risk.

We have produced 69 podcast episodes so far. For those who don't quite have the time to binge-listen through the entire catalog, we have compiled some highlights from our guests on a focused set of topics. We will be releasing these as our Healthcare CISOs Sound Off blog series in several installments.

The topic of our second blog is risk reporting and engaging with the business. The following are quotes and recordings from some of the industry’s best and brightest leaders related to this important area of focus for healthcare risk management programs.

Lauret Howard, Former Chief Risk Officer, BCBS of Michigan

“I think the key one to avoid is you don't want to be the person of no. No, you can't do that. No, that's not the right way to do that. You really have to turn that around and become a key resource and become a partner to those in the business. So you need to find a way to yes; you need to work and understand what's the business outcome you're trying to get to.


You know, what potential type of data or risks are you creating for the business and what is the work that needs to be done to be able to address those particular risks? So when the security team and risk management can help business people be successful, then they are going to be engaged at the beginning of the process.”


Britton Burton, Director of Risk Management, Information, Protection and Security, HCA Healthcare

“The key that I am trying to do in my role is make risk visible to my leadership. So the risk is such a nebulous concept to so many people. And you ask 10 different people what they mean by risk and you'll have 10 different answers. Right. So if you can't make it tangible to people, especially people who don't speak security, right, then it will either be lightly regarded or not regarded at all, which is probably worse. So I think rolling up and grouping is key.


Business leaders may not understand a threat-vulnerability pairing, and they're probably not going to understand a lot of our controls, especially more technical controls. But they do understand concepts like data breach, interruption of operations, harm to a patient, you know, material compliance failure. They also understand key areas that can be grouped into like risks.”


Chris Golden, Director of Information Security, Horizon Blue Cross Blue Shield of NJ

“There is something that's referred to as FAIR. I'm not sure if you or your listeners are familiar with that, but it stands for Factor Analysis of Information Risk. I would go to the board and I'd say, board, this particular server's got four hundred thousand risks associated with it or something like that. The old way of saying it, it would say that maybe ten thousand of those are critical. We've got to fix them within 30 days. Another hundred thousand are P1, we got to fix those within three months, et cetera, et cetera.


But now we can say, based on our analysis, we think that someone is going to get access to that server, based on the vulnerabilities presented once out of every five years, is what we think the frequency of that is going to occur. And if they do, the impact of the organization will be a two-million-dollar event every time that happens.


And so now we're talking. This is tough, right? Now they can say, hey, that is well within our risk tolerance. That's a great idea. Keep doing what you're doing. Or they can say no. We think once every five years is not enough. We'd like to push it out to once every seven years. What's it going to cost to do that?


And you go back and rerun the analysis with new controls, figure out which one gets you to the once every seven years and then the cost of that control, and you go to the board and say, if you want to move that, this control is forty thousand dollars that moves the needle from once every five years to once every seven years. And so being able to talk in numbers of cost is a game changer for talking to the board. It is a game changer when you're talking in meetings because people generally do not argue with math.”
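The comparison Chris Golden walks through above can be carried out in code. The following is an added example, not part of the original post and not Meditology's risk engine: the dollar figures (a two-million-dollar event, once every five years versus once every seven, a forty-thousand-dollar control) come from the quote, while the annualized-loss formula, the Poisson event model, the triangular uncertainty spread and the simulation itself are assumptions of this example chosen to illustrate FAIR-style quantification (FAIR proper uses calibrated ranges and PERT distributions). It goes a step beyond the quote by showing both the point estimate the board hears and a Monte Carlo spread around it.

```python
"""FAIR-style comparison of a control's cost against the loss it avoids.

Added example (not from the post). Figures are those quoted by Chris Golden;
the models and distributions are assumptions made for illustration.
"""
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Scenario:
    name: str
    frequency_per_year: float  # loss events per year; 1/5 means "once every five years"
    impact_per_event: float    # loss magnitude per event, in dollars


# Constructed scenarios using the numbers from the quote.
CURRENT = Scenario("no new control", 1 / 5, 2_000_000)
PROPOSED = Scenario("with proposed control", 1 / 7, 2_000_000)
CONTROL_COST_PER_YEAR = 40_000  # assumed to be an annual cost for this example


def annualized_loss(s: Scenario) -> float:
    """Point estimate the board hears: frequency x magnitude, in dollars per year."""
    return s.frequency_per_year * s.impact_per_event


def control_net_benefit(current: Scenario, proposed: Scenario, annual_cost: float) -> float:
    """Expected annual loss avoided by the control, minus what the control costs.

    Positive means the control pays for itself on expected loss alone.
    """
    return annualized_loss(current) - annualized_loss(proposed) - annual_cost


def poisson_sample(rng: random.Random, lam: float) -> int:
    """Number of loss events in one year (Knuth's method; fine for small rates)."""
    limit = math.exp(-lam)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_loss(s: Scenario, years: int = 10_000, seed: int = 7,
                         spread: float = 0.5) -> dict:
    """Monte Carlo spread around the point estimate.

    Each simulated year draws a frequency and per-event impact from a triangular
    distribution centred on the point estimate (+/- `spread` as a fraction), then
    draws the number of events from a Poisson with that frequency.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        f = s.frequency_per_year
        lam = rng.triangular(f * (1 - spread), f * (1 + spread), f)
        events = poisson_sample(rng, lam)
        m = s.impact_per_event
        year_loss = sum(
            rng.triangular(m * (1 - spread), m * (1 + spread), m) for _ in range(events)
        )
        losses.append(year_loss)
    losses.sort()
    return {"mean": mean(losses), "p95": losses[int(0.95 * (years - 1))]}


def board_summary(current: Scenario, proposed: Scenario, annual_cost: float) -> str:
    """One sentence in the form the quote describes: frequency, impact, cost."""
    return (
        f"{current.name}: ${annualized_loss(current):,.0f}/yr expected loss; "
        f"{proposed.name}: ${annualized_loss(proposed):,.0f}/yr; "
        f"control ${annual_cost:,.0f}/yr, net benefit "
        f"${control_net_benefit(current, proposed, annual_cost):,.0f}/yr"
    )


if __name__ == "__main__":
    print(board_summary(CURRENT, PROPOSED, CONTROL_COST_PER_YEAR))
    for s in (CURRENT, PROPOSED):
        r = simulate_annual_loss(s)
        print(f"{s.name}: simulated mean ${r['mean']:,.0f}, 95th percentile ${r['p95']:,.0f}")
```

The point estimate is what makes the "once every five years versus once every seven" conversation concrete; the simulation is there to show the board that the annual figure is an average over mostly quiet years and an occasional multi-million-dollar one, which is the distinction a risk tolerance statement actually turns on.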


Stoddard Manikin, CISO, Children's Healthcare of Atlanta

“We as security professionals need to take that balanced approach of saying, yes, we want to be compliant, of course, but we're not doing a security program as a box checking exercise. If we have leadership that says show me we're compliant and that's all we're going to invest in, that's not the right approach. And I think that very few boardrooms take that perspective anymore, given how high the incidence of ransomware is.


So I think we've got to take that balanced approach and make sure that we're secure and compliant at the same time. And if we have to choose one over the other, I would probably to secure in most cases and document why we chose not to be compliant so that we can justify it and prove that we don't have willful negligence.”


Mitch Parker, CISO, Indiana University Health

“I think the biggest thing you can do is just make sure you keep aligned with your business. Make sure you still have good customer relationships and that you're always making sure you're meeting your customer's needs. Because, again, security, there's a lot of people that think that security is more important than the business.


Security is there because of the business; it is there to support the business. And more importantly, it's there to support the business's customers. And we always have to keep our customers in mind. So the more that we do that, the better off we are and the more success we'll have in being able to meet their needs while also addressing security needs.”


Wes Wright, CTO, Imprivata

“A good identity governance program is kind of like plumbing. Well, you don't see plumbing; it's hidden in the walls. And unfortunately, in your organizations, I would bet there's hardly anybody in the C-level suite, the CEO or CFO and so on, that realizes exactly how important digital identity is and how important it is from a patient safety perspective, from a cybersecurity perspective. So that's where I would start.


I mean, if you're a CTO, brief your CIO about why digital identity is important. If you're a CIO, brief your counterpart, your CEO or your CFO, and get an understanding in their minds exactly why this is so critical to the organization. So if you're doing nothing else, then constantly be marketing to your compatriots in other divisions.


Exactly how important digital identity is to the safety, because cybersecurity is a patient safety issue in my mind, to the safety of your organization. That is where you've got to get that executive staff on board with the importance of identity governance. So that's where you have to start.”


TJ Mann, CISO, Children's Mercy Hospital

“Cybersecurity is an enterprise risk. So when cybersecurity breaches, incidents do occur, and it's also a matter of when, not if, they impact the entire organization. They don't disrupt one single business unit or one single team; they impact the entire organization. So it's the entire organization that is responsible for reducing cyber risk by partnering with the cybersecurity teams and changing the organizational culture.”


Contact our team to learn more about our enterprise risk reporting services and innovative risk engine for healthcare metrics & KPI reporting.

Read Healthcare CISOs Sound Off, Volume 1: Medical Device Services
Read Healthcare CISOs Sound Off, Volume 3: HIPAA Compliance and Risk Management