Why Cybersecurity Remains a Top C-Suite Concern
UPMC CISO John Houston Discusses Top Cyber Challenges for 2019
Healthcare C-suite executives shouldn't have to worry about cybersecurity, contends John Houston, CISO and chief privacy officer at Pittsburgh-based integrated health delivery network UPMC. Nevertheless, for the second year in a row, cybersecurity was named the top priority for senior executives in a survey of 40 U.S. health systems.
The study was conducted by the Health Management Academy and the Center for Connected Medicine, which is jointly operated by UPMC, GE Healthcare and Nokia.
Among those surveyed for the Top of Mind for Top Health Systems in 2019 study were CIOs, chief medical informatics officers, chief nursing informatics officers as well as CEOs and chief operating officers.
"It's troubling that cybersecurity remains a high priority for those individuals," Houston says in an interview with Information Security Media Group. "It's also sad because those individuals shouldn't be worried about cybersecurity. They should be worried about things like improving quality of care and [patient] outcomes.
"It would be nice if we lived in a world and an environment where we didn't have to worry about cybersecurity. I don't think there's an easy solution for cybersecurity ... and so they have to worry about it."
Houston says it would be ideal "to go to my CEO or CIO and say, 'Don't worry about cybersecurity. It's handled and we will never have a problem and it's a thing of the past.' But we all know that's not the case."
We're either one step ahead or one step behind the bad guys, Houston argues. "And we will continue to be diligent, continue to expend significant resources, continue to see copious examples throughout not just the healthcare industry but other sectors where the cybercriminals have gotten a leg up on us and have done bad things."
The top security challenge Houston is dealing with at UPMC is managing the risks posed by the cloud vendors that deliver IT services, he says.
"In the past, all I had to worry about was securing the data within my institution, my data center. That was my responsibility ... and I and my team were directly accountable for securing that information. But with the cloud, I can't directly secure that information. You have to rely on those cloud vendors. I need to make sure they're prepared to do that."
To help assess the security practices and posture of its cloud services providers and other business associates, UPMC - as well as a number of other healthcare organizations - is requiring each of its vendors to earn HITRUST Common Security Framework certification (see: Simplifying Vendor Security Risk Management).
In the interview, Houston also discusses:
- Cybersecurity spending trends among healthcare entities;
- Medical device cybersecurity challenges, especially those involving legacy equipment;
- Other cyber-related findings from the "Top of Mind" study.
Houston is vice president of information security and privacy and associate counsel at UPMC. Formerly known as the University of Pittsburgh Medical Center, UPMC is a $19 billion organization with 85,000 employees, 40 hospitals, 600 doctors' offices and outpatient sites, and a 3.4 million-member insurance services division. Houston, who has been an information security leader at UPMC for more than 20 years, has also been involved in a variety of startups, including both a regional health information exchange and cloud-based identity management company.