Cybersecurity incidents in healthcare are on the rise. Organizations are continuing to strengthen their security programs. 

I am currently working with two clients who are focusing on security. One is a large regional organization that is hiring their first Chief Information Security Officer (CISO). They asked StarBridge Advisors to provide an interim CISO to help build the security program while they recruit. The other is a university health system that is consolidating their security program under the university CISO and hiring an associate CISO to focus on the health system. Both organizations recognize the importance of the CISO role and the need to continually strengthen their security profile.

While it may be surprising to see organizations hiring their first CISO in 2018, what matters is that they recognize the need and are making the investment.

When I served as CIO at Michigan Medicine for the hospitals and health centers, we crossed that bridge in 2015. The IT leader responsible for infrastructure had been responsible for security as well – not uncommon in healthcare organizations. I recognized that the security function needed a dedicated focus, so we hired a full-time CISO.

I engaged a third-party security expert to conduct an assessment using the NIST framework. As a CIO, I learned a great deal through that process. With the help of our consultant, I was able to educate the executive team as well.  One component of the final assessment report was about creating a security culture.

Security cannot just be the job of the CISO. Continue reading →