Sue Schade: Eight Signs of a Strong Security Culture

Cybersecurity incidents in healthcare are on the rise, and organizations are continuing to strengthen their security programs in response.

I’m currently working with two clients who are focusing on security. One is a large regional organization that is hiring its first chief information security officer (CISO). They asked StarBridge Advisors to provide an interim CISO to help build the security program while they recruit. The other is a university health system that is consolidating its security program under the university CISO and hiring an associate CISO to focus on the health system. Both organizations recognize the importance of the CISO role and the need to continually strengthen their security profile.

While it may be surprising to see organizations hiring their first CISO in 2018, what matters is that they recognize the need and are making the investment.

When I served as chief information officer at Michigan Medicine for the hospitals and health centers, we crossed that bridge in 2015. The IT leader responsible for infrastructure had been responsible for security as well—not uncommon in healthcare organizations. I recognized that the security function needed a dedicated focus, so we hired a full-time CISO.

To make the case, I engaged a third-party security expert to conduct an assessment using the National Institute of Standards and Technology (NIST) framework. As a CIO, I learned a great deal through that process, and with the help of our consultant I was able to educate the executive team as well. One component of the final assessment report was about creating a “security culture.”

Security cannot just be the job of the CISO. It is everyone’s job. These are the eight signs that an organization has developed a security culture:

  • Security is discussed at the senior executive level, with critical decisions about organizational security activities made by the CEO and other senior leaders.
  • Senior executives receive regular reports on the security posture of the organization and incorporate them into overall organizational risk management.
  • The organization has a CISO who is positioned to influence organizational activities and who operates independently of conflicts of interest.
  • Security staffing levels are adequate to address existing and anticipated security issues.
  • Security is a defined budgetary item, with security spending sufficient to address identified risks.
  • Security is incorporated into overall organizational activities, including system acquisition and data sharing with business partners.
  • The organization’s research arm views security as critical to research activities, even if the research involves information considered public.
  • Workforce members are aware of their roles and responsibilities with respect to IT security and are held accountable to meeting them.

Can your organization check off all the boxes on this list? If not, you’ve got work to do.

A nationally recognized leader in health information technology, Sue Schade is a principal at StarBridge Advisors, a healthcare technology advisory services firm. She is a member of the AAMI Board of Directors.

3 thoughts on “Sue Schade: Eight Signs of a Strong Security Culture”

  1. I think the key part on the last of the eight is “held accountable.” The boots-on-the-ground employees are the ones who support the organization and make normal operations happen every day. They must adopt the tenet of responsibility, if not organically, then by being “held accountable” by the chain of command of that organization.

  2. I couldn’t agree more with the eight signs Sue specified. Some companies hire a CISO thinking, hey, we’re done. The fact is, a CISO alone won’t mitigate or control the risk. The hardest parts of implementing a security and privacy program are those that relate to organizational culture and changing it to make information security an “us” thing rather than a single individual’s responsibility (the CISO).

  3. All short lists suffer from their inherent oversimplification. Is it really just these eight signs, such that if we can check each one we have the problem solved? One way to remember that the answer is probably no is to always have “Other” on any short list.
