CIO Leader Outlines an InfoSec StrategyCHIME Chair Charles Christian Calls for a 'Blended' Approach
To help protect health data as cyberthreats evolve, healthcare CIOs must roll out a "blended strategy" for security that includes a mix of important technologies, policies and best practices, says Charles Christian, new chairman of the College of Healthcare Information Management Executives, an association for CIOs.
"There's not just one thing that we have to do in order to secure the data that we have," says Christian, CIO at 370-bed St. Francis Hospital in Columbus, Ga. Healthcare organizations need to implement "a blended strategy ... that includes "a variety of things," he says in an interview with Information Security Media Group.
"You have to have policy in place; you have make sure your staff, your teams are educated [about those policies] and you have to audit that to make sure the education is sticking."
On the technology side, "you have to have the routine things like your network access control, you have to have firewalls, and encryption," including on mobile devices, he says. "You have to test and audit those policies. It's not just one or two things, it's a variety of things that we must do," he stresses.
Many smaller healthcare organization don't have a dedicated individual devoted to information security matters, he notes. But even those healthcare organizations that have both a CIO and a chief information security officer need to ensure they are covering all the bases in implementing technology, policies and procedures that safeguard data, he says.
For instance, CISOs and CIOs need to work "hand-in-hand" so that when a new technology is rolled out, not only is that information secured, but that data contained on legacy systems "aren't opened up" and new gaps created, he says.
In the interview, Christian also discusses:
- Cyberthreats that are most worrisome to healthcare CIOs;
- How CHIME is working with federal agencies, including the Office of the National Coordinator for Health IT, on information security related issues;
- How the Association for Executives in Healthcare Information Security, or AEHIS, a subgroup recently launched by CHIME, aims to help healthcare organizations fortify their information security programs.
Christian is vice president and CIO of St. Francis Hospital, an acute care, community hospital in western Georgia. In that role, Christian is responsible for all information technology activities throughout the enterprise. Before joining St. Francis in 2013, Christian served as the CIO for Good Samaritan Hospital, in Vincennes, Ind., for almost 24 years. In 2010, Christian was recognized by CHIME and Healthcare Information Management and Systems Society with the John E. Gall Jr., CIO of the Year Award. He also served as chairman of the HIMSS board from 2008 to 2009. Christian is also a member of HealthcareInfoSecurity's board of editorial advisers.