A hospital's success in cybersecurity is only as good as the relationship between its chief information security officer and its chief medical information officer, according to Hospital Corporation of America CISO Paul Connelly.
Speaking at the Healthcare Information and Management Systems Society's annual conference in Las Vegas this week with former Cleveland Clinic CMIO Dave Levin, Connelly said that while the agendas for each can sometimes seem "adversarial"--with CISOs tending to err on the side of caution over innovation--a strong bond between the two goes a long way toward ensuring cybersecurity is seen as a priority among clinical and IT staffers alike.
"We've got to get to a point where security is baked into a whole life cycle," Connelly (pictured right) said. "I want to be involved [in technology implementation initiatives] from the start. I want to build in security governance on what's happening."
Levin added that both sides must ditch silos and come together to better determine risks worth taking and facilitate processes that lead to the best optimized answers.
"We spend too much time in our cubicles, staring out the window ... thinking that the sun is shining and the birds are singing, but they're not," he said. "Getting out into the real world is painful sometimes. But ... seeing what our patients and our IT staff are dealing with is an important reality check on a regular basis."
Other steps Connelly and Levin said must be taken to get the most out of the CISO/CMIO relationship include:
- Define and develop a reciprocal relationship
- Ensure communication lines are consistently open
- Shadow each other to understand differing pain points
- Approach leadership as a team sport
- Constantly be aware of human factors in cybersecurity
"We don't need to oversimplify this," Levin said. "There are very real technical and legal issues, but many of those can be dealt with via this kind of cooperation."
To learn more:
- view the session handout (.pdf)