Ask an Expert Q&A: Being a CISO in Healthcare

The healthcare industry has become a particular target for cyberattacks and data breaches in recent years. Between malicious attacks intended to steal sensitive and highly valuable personal health information and unintentional HIPAA violations from employees inappropriately accessing records, healthcare CISOs have been on their toes to stay ahead of the threats. We spoke to Connie Barrera, Director of Information Assurance & CISO at Jackson Health System in Florida, to see how she’s handling the challenge, what her biggest wins have been in recent years and what threats she foresees on the horizon. 

In general, what’s the most challenging aspect of being a CISO?

Connie Barrera: The most challenging part of being a CISO is the time aspect. You cannot lead in IT Security any longer hidden away in a dark corner. Interacting with the business is critical yet very time intensive- yet must be done. Balancing the operational needs while fostering the important relationships is something that requires constant attention and refocusing.

What’s the most challenging aspect of ensuring information security within the healthcare industry in particular?

CB: IT Security in healthcare is challenging for many reasons but some of the major reasons include legacy software, huge volume of line of business applications and the plethora of non-traditional devices (bio-Med and IoT) that often times do not have security built in by design and yet the hospital system depends on these devices for critical patient care.

What are you doing differently to protect against the increasing rate of data breaches we’ve been seeing lately?

CB: We rely on a robust defense in depth strategy but also highly rely on a key behavioral analytics solution that has proven its value time after time and enabled the team to streamline and fine tune operational tactics yielding greater success and improved productivity.

Is there a technology solution that you’ve found particularly helpful lately?

CB: Working for the county does not allow me to name a vendor in particular but the key solution that is our secret sauce is the behavioral analytics solution we’ve been running for 2 years now.

How does HIPAA compliance play into your everyday job?

CB: As the HIPAA security officer for the organization, HIPAA is part of my daily role and responsibilities. There is a very strong partnership between my team and the Chief Privacy Officer who works out of the compliance division. Together we draft relevant policies and ensure all needed aspects are addressed to form a holistic approach to HIPAA compliance.

What measures do you take to maintain HIPAA compliance?

CB: We perform many proactive actions throughout the year including contracting a HIPAA gap analysis, Security Assessments, Penetration Testing and other associated engagements. We funnel the results of these engagements into our risk management model and handle any remediation accordingly. All of these efforts and yearly policy reviews allows us to feel confident about our HIPAA compliance.

In a 2015 Healthcare IT News article you talk about the importance of communicating with employees and creating a culture of security. What do you do to help employees maintain security best practices?

CB: Establishing a culture of security awareness is a multi-pronged process. Employees not only complete a comprehensive computer based learning module but also receive supplemental mentoring, training, tutoring via different channels including emails, security reminders, newsletter articles, face-to-face training and walk-thrus. It is through a diversity of engaging and memorable contact points that the culture starts to flourish.

What’s the one thing about today’s security landscape that keeps you up at night?

CB: BioMed devices are a big concern to me because they are often managed by either the manufacturer or a third party service provider. These devices have been long ignored and only recently getting the attention they deserve. Remediating and bringing these technologies up to a posture to rival cyber-attack and exploits will take some time to achieve. New implementations are easier to control yet often times deployment requirements may be contradictory to ones established security framework. We need manufacturers to develop devices that will not only meet FDA requirements but support and fit within the security controls we’ve toiled and spent so much money developing.

Do you have any info security predictions for the next year? (Rising challenges, new solutions, etc.)

CB: Rise of the Artificial Intelligent Hacker- we will begin to see many more of the exploits we see today and additional sophisticated attacks that leverage native operating system processes, much like Wannacry and Petya but instead of being executed by individuals, these attacks will be perpetrated by artificial intelligence processes. The possibilities are endless and therefore security professionals must find the time and motivation to think outside the box to position our security programs to withstand the attacks of our adversaries.

You may also like:

• Ask an Expert Q&A: The Future of Virtualization in BPOs
• 2017: The State of Cybersecurity
• 7 Telemedicine Trends Worth Paying Attention To