Building a Hospital Security Structure
Many hospitals and integrated delivery systems might be inclined to start at the top when defining an organizational structure -- for example, by trying to decide whether they need a full-time chief information security officer or chief security officer and where in the organization that role should "live."
But that's putting the cart before the horse. The type of individual selected to manage the security office will depend on what you decide they need to do -- what the scope of the security office is.
Does your hospital need someone with leadership expertise to head a large team? Do you need someone with strong technical skills to get their hands dirty? Or do you need someone who can wear a variety of hats?
To answer those questions requires that you decide what functions you will locate in the security office.
If your hospital is like most, it probably has decentralized many security functions. For example, "tech savvy" departments like pharmacy, lab, diagnostic imaging and biomedical engineering might provision user access -- such as roles, permissions, and allocation of new accounts -- for the specialized applications and systems they use on a daily basis.
Deciding what functions to centralize and what functions to leave distributed is the first step toward determining how to staff and structure your security operations.
Keeping aspects of information security decentralized enhances the flexibility of your organization because it distributes overhead. So under that model, much of the work gets done without directly affecting the IT budget.
But how much of staff's time -- if totaled across the whole organization -- goes into performing these security duties? Your hospital, if it's sizable, might have hundreds of specialized applications requiring a great deal of security attention.
Consolidating security management increases efficiency by enabling specialized staff to develop streamlined processes.
For many larger hospitals, centralization of services already is routine. But for many smaller ones, a more flexible model may be appropriate. A centralized model requires managers to oversee specialized areas of security operations, including user access provisioning, network security and application security, among others. Consider leveraging the ISO 27002 security standard. It's a best practice guide to security controls for implementing an information security management program. This document provides a list of security domains that can help you make sure you're at full coverage when it comes to deciding which controls to standardize.
Once you know what areas of responsibility you want to centralize and what areas you want to distribute, you should be able to determine your security staffing needs. And once you have a solid idea about the number of staff members you'll need and what their functions will be, then you can begin to define the leadership position.
Knowing the functions the security leader will manage will give you a good idea about the skills the leader should have. But you'll still need to figure out a reporting structure.
In many hospitals and integrated delivery systems, information security reports to IT. This is a logical decision given the nature of the job that information security will perform and the required skill sets.
Consider, however, that having security report to the CIO can lead to some potential conflicts of interest. For example, what happens when a critical clinical application is determined to lack adequate security? A security organization may need the authority to postpone deployment to remediate issues (if the risk is high enough), something that might run very contrary to the CIO's customer service interests.
To avoid such conflicts, many organizations should consider having the security leader report to the chief compliance officer, the chief risk officer/risk manager, or the chief financial officer.
Lastly, you'll need to determine whether the security leadership job should be a senior-level position with strategic scope or a more operational role.
The position should be senior enough to reliably effect change, to articulate key goals to executives and to assign priorities based on organizational goals.
Organizational budget also is an important factor. In many hospitals and health systems, the security budget is hidden within the broader IT budget. But an independent security budget can be important. A separate, transparent budget enables senior leadership to track return on investment (for example by correlating dollars spent on security to technology risk) and to ensure that dollars earmarked for risk reduction are actually spent in fulfilling that mission.
Obviously making these decisions isn't easy, and there's a lot to consider. But structuring the security organization and assigning leadership is about more than just fulfilling some regulation. It's about deciding what functions make sense to include in the security office's purview and structuring that office to avoid undesirable outcomes, such as conflicts of interest and a lack of transparency and accountability.
Ed Moyle is a manager with healthcare consultancy CTG's information security solutions practice, providing strategy, consulting and solutions to clients worldwide. He is also a founding partner of the analyst firm Security Curve.