New Grad Program for Healthcare CISOsTraining Aims to Bolster Leaders' Risk Management Skills
The Health Information Trust Alliance and Southern Methodist University have partnered to offer a new graduate certificate program aimed at developing stronger risk management skills among healthcare information security leaders.
Launching in October, the new Healthcare Information Security and Technology Risk Management Graduate Certificate Program, or CHISTRM, will be offered quarterly as a four-day course at SMU in Frisco, Texas, taught by SMU professors and adjunct faculty.
The program is aimed at healthcare leaders - such as CISOs and their deputies -- who are responsible for information security in healthcare-related organizations, says Dan Nutkis, CEO of HITRUST, which is best known for establishing the Common Security Framework. That framework is designed for use by any organization that creates, accesses, stores or exchanges personal health and financial information.
The new CHISTRM program aims to broaden the risk management skills of senior healthcare infosec leaders, whose jobs are increasingly evolving into "chief risk officer" leadership jobs, Nutkis says.
"The role of the CISO in healthcare is no longer just about implementing controls; there are many information risks," he says. Although some CISOs might argue they've been handling all kinds of risks within their organizations for some time, the reality for many is that their experience is rooted in technical and compliance backgrounds, he says.
"They look [at the job] as technology blocking and tackling, and technology as perimeter defenses, rather than the new risks that are created when you have BYOD, for example," he says. A goal of the program is to have top information security leaders within healthcare organizations equipped to manage risks more holistically, including emerging cybersecurity threats, he says.
Is New Program Needed?
Not all healthcare information security leaders, however, are convinced that another infosec-related certification is necessary.
"I don't think another certification is needed," says Christopher Paidhrin, security administration manager at PeaceHealth, a healthcare provider in the Pacific Northwest. "Cybersecurity is not monolithic, nor is it a topic easily digested or disseminated at the c-suite level. Maybe this is part of the objective of this program? It seems a stretch to bridge the leadership and deep technical competency expanse with a certificate program."
Paidhrin adds, however, that "the alignment of IT risk and strategy with organizational risk and strategy is self-evident as the viable model. If this program can serve the real needs, I'll advocate its mission."
A supporter of continuing education, Paidhrin says he is sending about 10 people from his team to take training courses for the new HealthCare Information Security Privacy and Practitioner, or HCISPP certification which was introduced last year from (ISC)Â². That program also was developed in collaboration with HITRUST.
"The (ISC)Â² HCISPP cert will have immediate value and credibility, as that [organization] is the CISSP group," Paidhrin says.
Nutkis says the HCISPP certification developed between (ISC)Â² and HITRUST is more geared to helping professionals "build up fundamental, lower-level blocking and tackling skills." By contrast, the new CHISTRM program is targeted at CISOs and individuals "a tier lower" to help them round out their risk management leadership skills, Nutkis says.
The curriculum spans a range of topics including:
- Information technology and security challenges in a healthcare environment;
- How to create a culture of security and privacy;
- IT leadership and dealing with privacy and ethics issues;
- Impact of industry, state and national regulations and policies;
- Economics of information security and risk management;
- IT security within business processes, and the IT infrastructure;
- Project management;
- Risk assessment and management methodology.
Admission to the fellowship program will be based on nomination by the applicant's senior management, such as CIOs, CISO, and others. Tuition for the program is about $4,000, Nutkis says.