CISO: Compliance Is Wrong InfoSec Focus
Tips for Building Stronger Information Security Programs
Although improving regulatory compliance was named the top priority by participants in the 2015 Healthcare Information Security Today survey, CISO Cris Ewell suggests that building a strong information security program should be at the top of the list instead.
Registration for a free webinar presenting the survey results and offering expert analysis is now available.
"I do not have, nor will I ever have, a goal of saying I'm going to improve regulatory compliance," Ewell, CISO of Seattle Children's Hospital, tells Information Security Media Group in an interview analyzing the findings of the recent survey of security leaders at hospitals, delivery systems, group practices and health plans.
"I'm going to improve our maturity of information security controls and then, out of that improvement of those controls ... will come much better regulatory compliance. ... I don't go after certain compliance levels," he says.
"Just philosophically, how I design an information security program for here at Children's ... is I will have information security controls in a process governance structure ... and out of that strategy will come regulatory compliance."
In addition to regulatory compliance, the top information security priorities identified in the survey included security education and preventing and detecting breaches, both of which were also among the top three priorities in the surveys of the past two years.
Ewell argues that breach detection should be a higher priority than regulatory compliance. "We know that most of the adversaries that come in, if you look at the breaches around the country and look at all the statistics that are out there, [the attackers] are in there for more than ... a few days - sometimes weeks and months," Ewell notes. "And so the quicker we have the ability to monitor and detect that unauthorized access, the quicker we can stop that and figure out different controls we can put in place to help that."
In the interview, Ewell also discusses:
- Seattle Children's Hospital's top information security investments and priorities for 2015, including preventing and detecting breaches;
- Tips for verifying the information security programs of business associates;
- Steps Seattle Children's Hospital is taking to improve its breach prevention, detection and response efforts, including the use of analytics technology.
As CISO of the not-for-profit pediatric hospital, which is an academic medical center and research institute, Ewell is the senior leader of the organization's information security program. Previously, he served as director of information security operations at the University of Washington, chief security officer for PEMCO Corp. and chief technology officer for Breakwater Security. Ewell also serves as a professor and guest lecturer at several universities. His current research areas include information security risk management.