8 Signs of a strong security culture

Cybersecurity incidents in healthcare are on the rise. Organizations are continuing to strengthen their security programs.

I am currently working with two clients who are focusing on security. One is a large regional organization that is hiring their first Chief Information Security Officer (CISO). They asked StarBridge Advisors to provide an interim CISO to help build the security program while they recruit. The other is a university health system that is consolidating their security program under the university CISO and hiring an associate CISO to focus on the health system. Both organizations recognize the importance of the CISO role and the need to continually strengthen their security profile.

While it may be surprising to see organizations hiring their first CISO in 2018, what matters is that they recognize the need and are making the investment.

When I served as CIO at Michigan Medicine for the hospitals and health centers, we crossed that bridge in 2015. The IT leader responsible for infrastructure had been responsible for security as well – not uncommon in healthcare organizations. I recognized that the security function needed a dedicated focus, so we hired a full-time CISO.

I engaged a third-party security expert to conduct an assessment using the NIST framework. As a CIO, I learned a great deal through that process. With the help of our consultant, I was able to educate the executive team as well.  One component of the final assessment report was about creating a security culture.

Security cannot just be the job of the CISO.

Facebook: cute pics, political organizing or privacy threat?

Chances are you are on Facebook. More than 2 billion people around the world are active monthly users. I joined in 2006 because my brother said he wouldn’t send pictures of his first grandchild by email anymore – I could see them on Facebook instead. I joined. And then I soon figured out it was a great way to keep in touch with family and friends around the country.

I have always been suspicious of apps that I could sign into through Facebook. I didn’t want uncontrolled data sharing. I did not answer the many Facebook quizzes; I had heard someone say that the answers were probably building a profile on you for who knows what purpose.

I sometimes check out a sponsored ad if the product really grabs my attention, but I rarely purchase it. It’s an online shopping/browsing thing like looking at catalogs that still come in the mail.

I am vocal about my politics in my original posts, my likes, comments and shares of other posts. And I have joined certain private groups that share my politics. So yes, somewhere there is a profile on me and my politics.

On Twitter, I try to maintain a professional presence as much as possible and leave politics for my Facebook circle instead. I have read so much about online harassment of women on Twitter, and we do have a President who appears to be the cyberbully-in-chief.

With the latest exposure that Cambridge Analytica used Facebook data on 50 million Americans to influence the 2016 election, I am questioning how we can protect our personal information yet continue to utilize social media platforms and all the good they bring: keeping families and friends in touch or accelerating social movements around important issues.

The journey continues

What better time than year end to reflect on our collective progress as an IT team? You will see a lot of “top 10” type stories in December – top trends, breakthroughs, stories, and even top predictions for the coming year. I’ll leave those to people with far more time to research and write. What I’d like to share is the progress my incredible IT team has made in partnership with our many internal customers at UMHS in 2015. These are common journeys for health care CIOs around the country.

Creating a security culture

I wrote recently that if the CIO is the only one worrying about the EHR implementation, it’s a problem. Likewise, if the CIO and the Chief Information Security Officer (CISO) are the only ones thinking about IT security, it’s a problem.  You only have to read the news any given week to see the rising number of breaches within health care – the recent Anthem breach being the biggest to date with over 80 million records involved.  And there is a new breach we are all hearing about as of this week – Premera Blue Cross potentially involving financial and medical records of up to 11 million customers.

IT security is a common topic amongst health care CIOs these days. We are continually trying to learn from one another and share best practices.

I recently had a third party IT security assessment done for our health system in order to identify key gaps and get recommendations to strengthen our IT security program. One of the best pieces in the final report was about creating a security culture. So what’s a security culture?

Signs an organization has developed a security culture include the following: