As security threats against healthcare organizations proliferate, the role of chief information security officers (CISOs) is gaining more visibility. And in smaller organizations, the CIO might have to take on that role, as well.
That's one of the reasons the College of Healthcare Information Management Executives (CHIME) created a new group to support healthcare security pros--the Association for Executives in Healthcare Information Security.
"It's a very technical area. The challenge of CIOs has been to maintain a technical competence or knowledge as well as a depth that I think is getting more and more difficult," George McCulloch, former deputy CIO at Vanderbilt University Medical Center and head of the new association, says in an interview with HealthcareInfoSecurity.
Increasingly, CISOs are asked to address the board of directors about security threats and preparations without the CIO being present, which is "really changing the CISO role from a technical one--particularly at large organizations, but even small ones--to a leadership role and [one of] communication," McCulloch says.
And threats to the industry are only increasing. Healthcare information is worth many multiples more than financial data on the black market, and organizations are trying to understand what security and privacy mean for their business, he adds.
"In privacy, we have more opportunities [for a breach] with multiple devices, wireless devices, patient portals that are relatively new that we need to focus on to make sure they're useful, but also very secure," McCulloch says.
Edward Marx, senior vice president and CIO at Dallas-based Texas Health Resources, who also serves on FierceHealthIT's Editorial Advisory Board, has suggested elevating the CISO role.
"You want to position the [CISO] for success by giving them all the authority and autonomy that they need," Marx said in an interview last fall with HealthITSecurity.com.
To learn more:
- read the interview