CHIME, AEHIS Recognize Cybersecurity Leaders for Annual Awards

Nov. 5, 2019
Mac McMillan and Erik Decker received honors this week at the CHIME/AEHIS Fall Summit

The College of Healthcare Information Management Executives (CHIME) and its spinout group for healthcare’s senior IT security leaders, the Association for Executives in Healthcare Information Security (AEHIS), have named respective winners for the Health Information Security Innovator of the Year award and CHIME Foundation Industry Leader award.

Erik Decker, the chief information security and privacy officer at University of Chicago Medicine, faced a daunting task in 2017 when he was asked to serve as the industry lead and co-chair of the 405(d) Task Group. His job, along with government lead and co-chair Julie Chua, was to bring a diverse mix of more than 150 healthcare and cybersecurity experts together to develop and draft a cybersecurity toolkit—a consensus-based report that organizations of any size could use to strengthen their cybersecurity posture.

Following two years of work on this initiative, last year, the Department of Health and Human Services (HHS) released the “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients” publication—a four-volume issue that outlines voluntary cybersecurity practices to healthcare organizations of all types and sizes, ranging from local clinics to large hospital systems.

In a recent interview with Healthcare Innovation, Decker described those efforts, noting that the task force first took to identifying the five biggest healthcare cybersecurity threats, while then selecting 10 best practices, assuming the group could limit them to just 10, to mitigate those threats.

“We came up with that exercise and approach in May 2017 and in the seven sessions that took place in the 18 months following, we went through the process of building out those best practices, stratifying them by small, medium and large organizations, and ultimately applying a how-to guide to implementing those practices based on the size of your organization,” said Decker.

The first volume of the publication discusses the current cybersecurity threats facing the healthcare industry, while setting forth a call to action for executive decision makers, with the goal of raising general awareness of the issue. The subsequent volumes get into the best practices and sub-practices for organizations of each size. While the main document is designed for C-suite healthcare executives, hospital and health system boards, and clinicians themselves, the publication also includes two technical volumes geared for IT and IT security professionals.

“Decker’s innovative approach is considered a model that others can use to build consensus, consolidate insights and produce a practical resource for a diverse group of users. His achievements have earned him the AEHIS inaugural Health Information Security Innovator of the Year title,” AEHIS officials said. The award was announced this week at the AEHIS Fall Summit in Phoenix.

“I have had the privilege to work with many talented cybersecurity leaders, both in the private sector and in government,” Decker said. “We all are constantly learning, sharing and innovating to stay ahead of bad actors. It is an honor to be recognized by my peers, and to be named AEHIS’ very first Health Information Security Innovator of the Year.”

Meanwhile, another cybersecurity leader, Mac McMillan, CEO Emeritus of CynergisTek, was named the 2019 CHIME Foundation Industry Leader Award. The award recognizes a CHIME Foundation firm representative who has demonstrated exceptional dedication and made outstanding contributions to the healthcare industry, CHIME and the CHIME Foundation. The award was presented during the 2019 CHIME Fall CIO Forum in Phoenix.

After a career that spanned more than two decades in defense, McMillan decided to transfer his knowledge and skills as a security leader to the healthcare sector. What he discovered when he co-founded cybersecurity firm CynergisTek in 2004 was an industry that was woefully unprepared for the cyberthreats that were lurking.

“Undeterred, he made it his mission to raise awareness and educate CIOs in provider settings through CHIME forums. And when CHIME launched an association dedicated to security leaders in 2014, CHIME tapped McMillan to serve on the inaugural board,” CHIME officials noted in a statement, adding that McMillan also served as the keynote speaker at the first AEHIS Summit and testified at CHIME’s invitation before a U.S. House Committee about the HHS Data Protection Act.

“I am honored and humbled to receive this award,” McMillan said. “When I look back to when I first came into healthcare to where we are today, we are a much different industry with respect to cybersecurity. We are much further along than we were, but we still have a way to go. I think we will get there, though.”