As digital healthcare and technology continue to expand, so does the team required to keep information safe and secure.
The chief information officer (CIO) and the chief information security officer (CISO) are both important roles within an organization that complement each other to create solutions to not only enhance security, but educate others to ensure it stays top of mind.
Traditionally, the CIO focuses on the strategic planning of the organization’s information technology initiatives, while the CISO is more of an executive level specialist who focuses on maintaining information and data security.
And while it may seem like more than one “chief” might make them at odds, the two roles often complement each other and are essential parts of a healthcare organization’s IT family.
During a HIMSS21 Digital session, Tressa Springmann, Senior Vice President, Chief Information and Digital Officer, and Rick Miller, Chief Information Security Officer, discussed their experiences occupying their positions at LifeBridge Health.
The organization was growing at a pace that created the need to hire someone to keep security on the forefront of their minds and encourage all of the associates to be mindful of it as well.
“[Miller has] really done a fantastic job getting our team focused and addressing the risks as they become prioritized and advanced,” Springmann said. “So really, a great deal of this had to do with the expansion of our own organization and the complexity of the environment and the requirements that we find ourselves in.”
Though both positions have “chief” in the title, the reporting structure is different. In most organizations, the CIO will report to the hospital’s executives, while the CISO does not.
“The day-to-day reporting responsibility for Rick and his role are to me, the office of the CIO, but he does have quarterly updates and the responsibility both to our board and to our CEO on a number of occasions,” Springmann said.
The CISO can reach out to the CEO if needed. The first step in resolving an issue or finding a solution to a threat is to go to the CIO.
“We'll talk, and we'll discuss what the disagreement is, why I believe we should move forward in this particular space and really just talk about the roadblocks that I'm running into whether they might be resource driven, whether they might be financially driven,” Miller said. “There's always some level of roadblocks.”
He added that no disagreements between him and Springmann have had to be escalated to the CEO.
“I feel like I have a luxury in that regard that I have somebody that's not just operationally focused to talk to, but also sees the security benefits as well,” Miller said.
Whenever they agree to disagree on an issue, Miller and Springmann keep the lines of communication open and work together to find a solution.
“Really, we end up readdressing together, looking at various options on how we get to the same goal line in different mechanisms or in different approaches that we can agree to,” Springmann said.
When it comes to times when there is a conflict between operational needs and security recommendations within the organization, it’s the CIO and CISO’s job to educate leadership on the risks.
The CIO does risk assessments and provides updates to leadership on security needs so they can make an informed decision.
“This is an everchanging threat landscape with many, many variables and multifactorial solutions. So, I think he's done a great job bringing us all along as to the decisions that he's recommending we make and how they address the highest risk,” Springmann said.
When communicating investment needs to the CIO and then to possibly the CEO or board, Miller considers the following:
“If you're coming at a group of people at that level with ‘the sky is falling,’ you get tuned out immediately. So, you really have to have a risk-based communication strategy in order to move your agenda items forward,” Miller said.
Miller works closely with his organization’s innovation team as they try to implement new ideas and technology into the organization.
“Not telling them no, but helping them understand how to make that idea secure so that we can bring it into the organization, so that we can use and take advantage of that innovation,” he said.
One such innovation was how the organization responded to the COVID-19 pandemic by transitioning many employees to remote work.
“They took our security requirements and really did an outstanding, phenomenal job in securing our work from home environment so that really the employees that work from home really are an extension. All of our security measures are in effect when this person's device is sitting in their home office,’” Miller said.
He added that while they were transitioning to work from home measures, he was frequently asked by Springmann about how they were making sure it was done securely.
The CIO and CISO not only work together to find the best security measures for new innovations, they educate others in the organization on how to keep it top of mind when planning.
“This is the mindset of ‘yes, if’ instead of ‘no, because.’ And I would submit that's the secret sauce here,” Springmann said.
December 6–7, 2021 | Digital
Technology will continue to revolutionize healthcare, but the results will come up short if we don’t also secure critical data and protect patient privacy and safety. Now more than ever, not only do security leaders have to maintain their ongoing duties, but they are also forced to protect rapidly expanding, remote infrastructures from more exploitative cyberthreats and phishing attacks.