On March 14, at HIMSS22 in Orlando, Fla., as part of the Healthcare Cybersecurity Forum, a Leadership Panel titled “CISO State of Mind” focused on what to expect in the industry during these turbulent times. The panel featured speakers Erik Decker, CISO at Intermountain Healthcare; Anahi Santiago, CISO at ChristianaCare; and Vugar Zeynalov, CISO at the Cleveland Clinic. The panel was moderated by Daimon Geopfert, principal of cyber, risks & regulation implementation & operations, PwC.
Geopfert kicked off the panel by asking the speakers, “What’s keeping you up at night?” Zeynalov said that he sleeps like a baby, “waking up every two hours to cry.” He then seriously commented that building resiliency and agility keeps him up along with three other areas. “How do we do business to keep up with constantly changing and, often, competing priorities?” he added. “The second thing is enabling the organization to grow both physically and digitally. And the third area is attracting top talent.”
Decker added that “Selling and evangelizing cybersecurity is a way of the past.” He went on to say that the demands and competing priorities are akin to a car needing to drive faster and, therefore, needing better brakes. Likewise, an organization that wants to push through better innovation needs better cybersecurity.
Santiago said that “We're focused on really pushing out how we deliver care through virtual means. We’re doing things that really haven't been done traditionally across the industry from a security perspective and we’re figuring out how we can still fulfill our mission of protecting data—protecting technology that is no longer running on our network but instead in somebody else's house. And that doesn't absolve us of having to do the same things that we do when things are on our network.”
Geopfert then asked the speakers about how CISOs can earn a seat at the table. Decker immediately jumped in and said that “Before you can become a business leader, you have to be trusted, if not, good luck.” He added that the entire healthcare system in the U.S. is being run on digital platforms and the platforms need to be up and functioning to achieve volumes and clinical outcomes. Cybersecurity needs to rally around resiliency and patient safety as the key issues to discuss with those at the table.
Zeynalov commented, “Trust is the key to foundation, and trust means two things—right intentions and right heart and competency in delivering those intentions. The key of earning a seat at the table is trust, people don’t care what you have to say until they see you care. When dealing with clinicians, this means going out there and being there.” He added that in his role he went through all of his facilities and built trust. “Try to speak their language,” he said. “Healthcare professionals don’t speak the language of business or risk management, but they do understand liability and safety, which cybersecurity relates to very well. Try to take the training and reword it and build it into quality training and it will earn a lot of trust.”
When the panel opened up the floor for audience questions, Geopfert mentioned that many people had questions about mergers and acquisitions (M&A) and cybersecurity posture that is already there, or perhaps, is not.
Santiago said that “It goes back to building strong partnerships with your business and stakeholders.” She explained that they understand that at the end of the day when you look at M&A, due diligence up front is very important—seeing cyber as its own workstream and doing due diligence on technology having its own path is key. She concluded that you should prepare to engage in an in-depth dialogue with stakeholders.
Last year, this editor reported that resiliency was also a major theme at HIMSS21 in Las Vegas.