Healthcare CISO Association Launched

New Group Designed to Boost Professional Development
Healthcare information security leaders face industry-specific challenges, ranging from patient safety and clinical workflow concerns to HIPAA compliance. Now the College of Healthcare Information Management Executives is launching a professional organization that's designed to help CISOs deal with critical issues.
CHIME, which serves healthcare CIOs, says its new Association for Executives in Healthcare Information Security, or AEHIS, is the first group designed specifically for chief information security officers and other top-ranking infosec leaders who work at healthcare entities of all types and sizes.
The CIO group decided to launch the new association for CISOs after seeing a need for educational resources, professional development and networking, says Russell Branzell, president of CHIME, and former CIO of Poudre Valley Health System, which is now Colorado Health Medical Group, a division of the University of Colorado Health.
In CHIME's work educating healthcare CIOs, including boot camps that are also sometimes attended by CISOs, it became apparent that there is a significant void in the educational, professional development, and peer-to-peer collaboration resources available for healthcare CISOs and CSOs, Branzell tells Information Security Media Group.
"A lot of healthcare CISOs come from other industries, other sectors of the economy. And there's a pretty big gap for them to learn healthcare," he says, including specifics such as HIPAA regulations. "In banking, you secure it... and if [security technologies] slow things down, you don't care. But what they've learned painfully in many cases in healthcare is that security needs to somehow complement patient care," he says. CHIME leaders believe "there's an opportunity, but even more so, a requirement, for us to support that segment of the industry," he adds.
AEHIS will offer in-person educational events and online resources, says George McCulloch, CHIME executive vice president of membership and professional development. For instance, the new group is working with the professional development and education organization Institute of Health Information Technology Transformation, also known as IHT², to offer healthcare CISO activities co-located at upcoming IHT² events. AEHIS also has a new LinkedIn group for its members, he says.
On a related theme, accreditation organization (ISC)² last year began offering a new certification aimed at healthcare infosec professionals. The HealthCare Information Security and Privacy Practitioner certification is designed to validate that a practitioner has the core level of knowledge and expertise required to address specific security concerns (see New Health InfoSec Credential Debuts).
Key Topics for CISOs
The new CISO association's topics for discussion and educational resources will include best practices, trends, security alerts, reminders about upcoming regulatory deadlines, and materials that "help [members] be more proactive, rather than reactive, which is more beneficial in helping them get ahead in their careers," McCulloch says. That includes resources and professional advice sharing for CISOs who have aspirations of one day becoming a CIO, Branzell says.
Security is "a huge emerging focus for healthcare, including the CIO," Branzell notes. He recalls that when he was a CIO, "one of the few things that kept me up at night was security. Was someone going to do something dumb with a laptop? Or was there a huge vulnerability in our network? Or was there a back door that some vendor left open?"
Because the sizes of healthcare entities range from the smallest doctors' offices to the largest academic medical centers, AEHIS is open to professionals who don't necessarily hold the "CISO" or "CSO" title but are the highest-ranking person in charge of information security matters at their organizations, McCulloch says. That could include leaders who oversee both security and privacy matters at smaller organizations.
Those who apply for AEHIS membership before Dec. 31, 2014, will be recognized as founding members and will receive a one-year free membership, McCulloch says. After that, annual membership will cost $99. "We're not looking at this as a money-making operation," Branzell says. "We want to help people by filling a gap."
Christopher Paidhrin, manager of information security technology at the information security division at PeaceHealth, a healthcare delivery system in the Pacific Northwest, says he's already signed up to join AEHIS.
"Healthcare has multiple regulatory interests - including HIPAA and the HITECH Act ... that are not common to all CISOs," he explains. "I routinely network in my local northwest community, and there is great value in this. But the number of CISOs is too small a sampling for a number of topics. A national representative group could make healthcare-centric information security collaboration much easier. Additionally, a national group would alleviate the local competition issues that, at times, stymie peer collaboration."