To Whom Should CISOs Report?

Consultant says compliance, not IT, best fit

Hospital chief information security officers should report to the compliance department, not the IT department, one consultant advises.
"I think it's wrong for security to report to IT," says Feisal Nanji, executive director of Techumen, a security consulting firm. "You cannot audit yourself. Information security is a compliance/audit function, not an IT function."
In a presentation at the HIMSS Conference in Atlanta on March 1, Nanji also urged healthcare organizations shopping for an electronic health records system to ask vendors tough questions about the software's security functions.
He advised shoppers to ask for a detailed analysis of the vendor's code review results, which helps illustrate the level of security. "Very few EHR vendors are actually looking at the code for security vulnerability," he contended.
To prepare for HITECH Act compliance, Nanji advised hospitals to "make sure you have a security awareness program that's worth its salt." "Make sure everybody understands the gravity of the issue," he added.