To Whom Should CISOs Report?

Consultant says compliance, not IT, is the best fit

Hospital chief information security officers should report to the compliance department, not the IT department, one consultant advises.

"I think it's wrong for security to report to IT," says Feisal Nanji, executive director of Techumen, a security consulting firm. "You cannot audit yourself. Information security is a compliance/audit function, not an IT function."

In a presentation at the HIMSS Conference in Atlanta on March 1, Nanji also urged healthcare organizations shopping for an electronic health records system to ask vendors tough questions about the software's security functions.

He advised shoppers to ask for a detailed analysis of the vendor's code review results, which helps show how seriously the vendor takes security. "Very few EHR vendors are actually looking at the code for security vulnerability," he contended.

To prepare for HITECH Act compliance, Nanji advised hospitals to "make sure you have a security awareness program that's worth its salt. Make sure everybody understands the gravity of the issue."

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
