HOW TO BE AN EFFECTIVE CYBERSECURITY LEADER IN HEALTHCARE

Transcription

1 HOW TO BE AN EFFECTIVE CYBERSECURITY LEADER IN HEALTHCARE Session CYB1, March 5, 2018 Karl J. West, CISO & AVP Intermountain Healthcare Erik Decker, CPSO The University of Chicago Medicine 1

2 Conflict of Interest Karl J. West Has no real or apparent conflicts of interest to report. 2

3 Conflict of Interest Erik Decker Has no real or apparent conflicts of interest to report. 3

4 Learning Objectives Describe the characteristics of an effective security leader and when an organization should have a security leader to lead its cybersecurity program Identify the key ingredients for effectively governing an organization s cybersecurity program from a security leader s perspective Explain best practices for overseeing an organization s cybersecurity program in the role of a security leader Demonstrate how a security leader can effectively communicate with other executives and other management about the organization s cybersecurity program, initiatives, and security incidents 4

5 Karl J. West, CISO & AVP Karl is the Chief Information Security Officer and AVP of Information Systems at Intermountain Healthcare, an integrated delivery network of 22 hospitals and 185 clinics. Karl is a wellrespected speaker and security expert who is often sought after by other organizations that want to embed his holistic solutions in their security strategies. At Intermountain, Karl is responsible for all aspects of the organization s security strategy. Karl s leadership throughout the planning, development, implementation, and maintenance of an excellent security program has earned Intermountain national recognition as a leader in health information security. 5

6 Quick Facts about Intermountain Healthcare Headquartered in Salt Lake City 39,000 employees 470 volunteers governing trustees on 32 boards Created in 1975 when LDS Church donated its 15 hospitals to the communities they served 22 hospitals with 2,769 licensed beds $419 million in charity care during 2016 (249,000 cases) Integrated Health System Serving Utah and Southern Idaho 1,600 employed physicians and caregivers at more than 180 clinics SelectHealth insurance plans with 850,000 members TeleHealth Homecare & Hospice InstaCare Connect Care Life Flight Precision Genomics Strong Bond Agency Ratings S&P: AA+ Moody s: Aa1

7 Intermountain Cybersecurity Governance Chief Information Officer Chief Security Officer Central Compliance Committee Executive Privacy and Security Committee Privacy and Security Working Group Chief Compliance Officer Chief Privacy Officer Governance of Information Risk Reporting & Funding Authority 7

8 Erik Decker, CSPO Erik Decker is the Chief Security and Privacy Officer for the University of Chicago Medicine, and is responsible for its Cyber Security, Identity and Access Management and HIPAA Privacy Programs. Erik has 18 years of experience within Information Technology, with 12 years focused on Information Security. The majority of his career has been focused on Academic Medical Centers; establishing two information security programs and an identity and access management program. Erik is the current Chair of the AEHIS Board, and joined AEHIS in This association focuses on educating the CISO and providing cybersecurity resources within the Healthcare sector. 8

9 Quick Facts about The University of Chicago Medicine On track to become a Clinically 1000 Integrated Network Beds with recent acquisition of Ingalls Created in 1927 Headquartered in Chicago Journeying toward being an Integrated Delivery Network 12 Nobel Prize Winners 500,000 Outpatient Visits Annually 9

10 UCM Cybersecurity Governance Chief Information Officer Executive Cyber Risk Committee Chair: CEO Staff: CISO Executive Corporate Compliance Committee Chair: CEO Staff: CCO & Privacy Officer Chief Compliance Officer Security & Privacy Officer Privacy and Security Steering Committees Chair: Security & Privacy Officer Staff: GRC, Privacy Governance of Information Risk Reporting & Funding Authority 10

11 Source: Microsoft Ignite 11

12 What my mom thinks I do. What my friends think I do. What my wife thinks I do. What I think I do. 12 What I REALLY do.

13 Think Frictionless! Security Not a is Barrier an Enabler 13

14 The Characteristics of an Effective Security Leader Technical Communication Presentation Collaboration Leader of Leaders Understanding Healthcare Process & issues Financial Accumen Business Leadership Capital And, occasionally walking on 14 water!

15 15

16 Taking the Necessary Steps TRUST PEOPLE TAKE FEEDBACK GIVE FEEDBACK AFFIRM POTENTIAL INSPIRE ACTION ESTABLISH VISION 16

17 Do you Need a CISO? Consider the size of the organization (e.g. system vs. single hospital) All organizations need a privacy and security function regardless of size 17

18 Key Ingredients for Effective Governance 18

19 Security Operations 19

20 Key Relationships to Nurture CEO CFO CMO CNO Facility CEOs CMIO CNIO and their main business units. LEGAL COMPLIANCE PRIVACY 20

21 Oversight Best-Practices Risk Assessment & Management Patch & Vulnerability Management Data Inventory Data Classification Identity Management Third-Party Assessment 21

22 Oversight Best-Practices GOVERNANCE & RISK MANAGEMENT Policy Procedure SecOps/Incident Response Sec Architecture Education Awareness GRC & Shared Services 22

23 Effectively Communicate Your Program 23

24 Effectively Communicate Your Program Instill and bake in common metrics Monthly 1:1 meetings (key stakeholders) Participate in other governance to assist in drawing the line 24

25 25

26 Questions Karl J. West, Intermountain Eric Decker, The University of Chicago 26