Cybersecurity needs to be put in business terms

IT security is a legacy word, says Brian Selfridge: "This isn't cybersecurity, this is risk."

Susan Morse, Executive Editor

From left: Anahi Santiago of Christiana Care Health System, Omar Khawaja of HM Health Solutions, Denise Anderson of H-ISAC and Brian Selfridge of Meditology Services discuss risk management at the Healthcare Security Forum in Boston.

BOSTON, Mass. - A cultural and communication shift is needed to get cybersecurity specialists out of the technology basement and around the hospital's leadership table, according to risk management specialists speaking during HIMSS' Healthcare Security Forum here on Dec. 9.

"We need to put cybersecurity in business terms," said Brian Selfridge, a partner with Meditology Services, which does healthcare privacy and security consulting.

Cybersecurity, as part of a system's total enterprise risk, means looking at the need for protection in terms of how much money a hospital stands to lose.

IT security has become a legacy word, Selfridge said.

"This isn't cybersecurity, this is risk," he said.

"A lot of it has to do with understanding an organization's culture," said Anahi Santiago, chief information security officer at Christiana Care Health System.

Where the chief information security officer in a system may be seen as a naysayer, framing cybersecurity as part of the broader picture of risk turns the conversation from technology to finance, according to Denise Anderson, president and CEO of H-ISAC.

"Being able to bridge those gaps is huge," Anderson said. "Cybersecurity should be business enablers."

Hospitals have chief risk officers, hired as part of the finance department, who are including cybersecurity as part of the system's overall risk, Anderson said.

"Fundamentally, it's a communication problem," Anderson said.

Security people can be horrible communicators, said Omar Khawaja, vice president and chief information security officer for HM Health Solutions.

The system needs to realize the business value of the technology it installs, he said. Technology is only useful when it's used as part of the larger system of mitigating risk.

"We love shiny objects," Khawaja said. "The moment we install technology, we realize zero value."

"It's not about the tech," said Khawaja, who said he uses Excel, Tableau and PowerPoint, as well as the Factor Analysis of Information Risk (FAIR) model, which is not so complex that a PhD is needed to run it.

FAIR is a risk management framework that looks at a taxonomy of factors that contribute to risk and how they affect each other.

"All models are wrong, some are useful," Khawaja said. "If you use your own, someone will come in and tell you something is wrong with it."

Ultimately, it's the leadership that has to define risk tolerance.

"What is the tolerance level of the leadership team?" Khawaja said. "What is the perception and where does it need to be? I'm a custodian. I don't define the risk tolerance."

Twitter: @SusanJMorse
Email the writer: susan.morse@himssmedia.com