Seattle Children's CISO: Focus on security and compliance will follow

A good information security program brings the organization into compliance with security mandates as a byproduct, so there is no need to pursue compliance as a goal in its own right, Chris Ewell, CISO of Seattle Children's Hospital, tells Healthcare Info Security in an interview.

It's a nuanced difference, he admits.

"Just philosophically how I design an information security program for here at Children's ... is I will have information security controls in a process governance structure architecture around the entire program and strategy ... and out of that strategy will come regulatory compliance," he said.

In the 2015 Healthcare Information Security Today survey, respondents said achieving better compliance was their top priority. Ewell sees that as getting it backward.

"I do not have or will ever have a goal of saying I'm going to improve regulatory compliance," he says. "I'm going to improve our maturity of information security controls and then, out of that improvement of those controls ... will come much better regulatory compliance."

Whether you seek Payment Card Industry (PCI), HITRUST or HIPAA compliance, you can achieve it by focusing on a good information security program, he says. Ewell sees improving breach detection as a higher priority than improving regulatory compliance.

Criminal attacks on healthcare organizations are now the leading cause of data breaches, the Ponemon Institute reported recently. Half of the covered entities and business associates in that study said they had little or no confidence in their ability to detect all patient data loss or theft.

Ewell notes in the interview that, when hackers penetrate healthcare systems, they stay there for more than a few days, sometimes weeks or months, without being detected. That makes it even more critical to detect breaches early and develop controls to deal with them. Seattle Children's is taking a range of steps in this area, including using analytics technology.

Mac McMillan, chair of the HIMSS Privacy & Security Policy Task Force, for one, stresses the idea that regulatory compliance and security are two different things. "You can have a totally compliant program and still have vulnerabilities," he told FierceHealthIT.
