Cybersecurity’s Role in the Office of the Chief Medical Officer

The following is a guest article by William Thorn, CISSP, CDPSE, Senior Strategist and Architect at Trellix

Do cyber threats feel like an inevitable workplace hazard? Attacks can seem rare when you try to anticipate them from afar, and once a threat materializes, hospitals commonly take a reactive approach: they choose not to invest in cyber defense education, tools, or any other preventative measure until it is too late.

But picture a similar strategy in a clinical setting — imagine if we didn’t approach health safety in layers of defense. Examination rooms wouldn’t be regularly sanitized. Doctors wouldn’t wash their hands before interacting with each patient, or wear gloves during a physical exam. Is it better to treat the patient with an invasive procedure after they feel ill, rather than doing what can be done to prevent the illness in the first place?

Of course not. It is common sense to do the affordable, preventative tasks before the expensive ones. In the same way, investing in cybersecurity early on makes digitized healthcare manageable — preventing the dreaded cyber-attack before it ever infiltrates the hospital ecosystem.

CMO Meet CISO, CISO Meet CMO

It’s the Chief Medical Officer (CMO) who oversees this level of secure hospital management. To achieve a cyber-secure hospital environment, the CMO can turn to their Chief Information Security Officer (CISO) for a team-based approach.

This executive allyship produces fruitful outcomes for all stakeholders, yet the vast majority of healthcare CISOs don’t feel the strength of their executive team behind them. A November report found that 98% of healthcare CISOs received more support from their board after they went through a major cybersecurity incident.

These results are certainly not for want of common interests, because patient care and protection reside at the top of each executive’s priority list. While the CMO achieves high-quality patient care for hospital success, the CISO leads digital operations guarding patient information from threats. They’re already on the same team. 

The stakes are high. If cyber protections fail, patient data can be exposed, violating compliance laws such as the Health Insurance Portability and Accountability Act (HIPAA), which carries sizable fines, and bringing significant operational consequences. Patient data put at risk may also make historical records completely unavailable, causing delays or errors in treatment. This directly impacts patient care.

These worst-case scenarios are not inevitable; they are preventable. They simply require a well-insulated plan prepared well in advance of malicious threats.

The CMO and CISO Partnership Starter Pack

The CMO and CISO’s plan to protect from cyber dangers must begin with a collaborative partnership. The CISO can orchestrate cybersecurity protections if given the opportunity to do so by their CMO. Commonly reported barriers to success for CISOs in healthcare, like legacy technologies, budget challenges, and small team sizes, all fall within the influence of CMO decision-making. 

To begin the process of weaving cybersecurity into the hospital ecosystem, the CMO and CISO must:

  1. Meet to discuss the cybersecurity landscape. CMOs should set aside time to learn from the CISO about the cyber threats the hospital faces. This sets a strong foundation for an executive partnership where both leaders are on the same page for future cybersecurity decisions.
  2. Train staff in cybersecurity risks. Cyber-attacks can reach every level of an organization. A hospital staff aware of threats and clear on how they play a role in prevention means patients have another layer of protection. 
  3. Include CISOs in clinical technology decisions. When introducing new technologies or updating existing ones, involving the CISO early in the process helps ensure cybersecurity is baked into the design and implementation.
  4. Value cybersecurity. According to healthcare CISOs, the top reported impacts of a major cyber incident on their organizations included increased insurance premiums, regulatory penalties and fines, data loss, and negative public exposure. While some of these carry an exact price, many do not, and the cost of prevention is often less than the cost of a breach. CMOs need to collaborate with their CISO and other risk management teams to protect the hospital and personnel by putting time, energy, and finances behind cybersecurity.

When it comes down to it, hospital executives will regret letting a preventable cyber threat disrupt an otherwise smooth delivery of care. Integrated cybersecurity operations feel natural as soon as they begin.

About Bill Thorn

Thorn is a leader in security innovation, risk reduction, and program management with more than 20 years of cybersecurity experience. He is an expert in the planning and execution of complex security initiatives, building of global security operations capabilities, and development of cross-functional risk reduction programs. As a respected leader and trusted adviser across multiple verticals, Thorn has advised hundreds of organizations on how best to align their security capabilities with cyber risk management and control initiatives.
