Do All Hospitals Need a CISO?
Sizing up security strategies
Conducted late last year by the Healthcare Information and Management Systems Society, the survey of 196 organizations, primarily hospitals, also found that most spend less than 3 percent of their total IT budget on data security.
Many larger hospitals and academic medical centers, such as Johns Hopkins Medical Center in Baltimore, not only have a CISO but also a team of data security experts and a long list of well-funded projects. Some midsize hospitals, like Southwest Washington Medical Center in Vancouver, Wash., have a full-time CISO supported by members of the IT team that devote part of their time to data security issues.
But at many community hospitals, like Good Samaritan Hospital in Vincennes, Ind., the CIO wears many hats, including head of security. And most American hospitals fall into the "community hospital" category and have relatively limited IT budgets.
(For a comparison of these facilities' strategies, read the sidebar story.)
Need a full-timer
Virtually all hospitals should have a full-time CISO in light of the rapid automation of clinical records, says Lisa Gallagher, senior director for privacy and security at Chicago-based HIMSS.
"Spreading the responsibility of the role across several positions invites problems, especially for accountability," contends Christopher Paidhrin, security compliance officer at Southwest Washington Medical Center. Without a point person for security, hospitals run the risk of "problems taking root in unmanaged areas. And that's a risk no healthcare organization should accept."
Based on her experience as a security consultant to hospitals, Kate Borten insists the HIMSS survey overstates the number of hospitals with a full-time CISO. "A lot of organizations don't even have one person full-time on security," she contends.
Borten, president of the Marblehead (Mass.) Group, argues that hospitals are way behind their peers in other industries when it comes to data security. Plus, she contends that for many hospitals, "one FTE devoted to security isn't enough."
"Healthcare organizations are still behind when it comes to understanding the full scope and depth of an information security program and what it entails," says the consultant, a former CISO. "There's an awful lot that has to be done."
The most important job for CISOs in the current environment is "helping the organization make informed business decisions," stresses Tom Walsh, president of Tom Walsh Consulting, Overland Park, Kan. "Most CISOs don't do a very good job of communicating to management what all the risks are" as they implement more applications, such as electronic health records, he says.
Measuring security spending
The HIMSS survey's finding that most hospitals spend less than 3 percent of their IT budgets on data security is a warning sign for the industry, argues Gallagher of HIMSS.
"As we put more money into this sector for information technology adoption, we have to find ways to make sure adequate resources are applied to the security area," Gallagher stresses.
And the increased spending, Borten stresses, must go way beyond acquiring new security technologies. A bigger expense, the consultant says, is developing a comprehensive security plan and carrying it out.
Walsh contends it's virtually impossible to measure spending on data security at hospitals. Ideally, hospitals should purchase new clinical applications that have security functions, such as encryption, built in, the consultant says. That's preferable to "spending a lot of money on the back-end securing it," Walsh argues.
"So the amount of money you spend on security doesn't necessarily reflect on the quality of the security program," he adds.
A difficult task
Paidhrin of Southwest Washington Medical Center agrees that measuring security spending is a difficult task.
"I would estimate we're near the 3 percent number, but I don't know whether that measurement is fair," he says. IT budgets include huge sums devoted to acquiring and maintaining a wide variety of applications, he notes. "I would say security costs will always be a small percentage in comparison to other costs."
Rather than worry about what percentage of their IT budget is devoted to security, hospitals should conduct an annual risk assessment and then focus on "addressing real risks," Paidhrin argues.
At Southwest Washington, this year's top-priority data security project involves strengthening data loss prevention capabilities, he notes.
Charles Christian, CIO at Good Samaritan Hospital, says it's difficult for a community hospital to measure spending on security "because we have it spread over so many different folks and it is part of what they do every day."
He estimates, however, that the hospital likely spends less than 3 percent of its IT budget on security matters. "It's like everything else; you have to do the best you can with what you've got, particularly in light of the current economic conditions."