HOW TO BE AN EFFECTIVE CYBERSECURITY LEADER IN HEALTHCARE
Session CYB1, March 5, 2018
Karl J. West, CISO & AVP, Intermountain Healthcare
Erik Decker, CSPO, The University of Chicago Medicine


Page 1

HOW TO BE AN EFFECTIVE CYBERSECURITY LEADER IN HEALTHCARE

Session CYB1, March 5, 2018

Karl J. West, CISO & AVP, Intermountain Healthcare

Erik Decker, CSPO, The University of Chicago Medicine

Page 2

Conflict of Interest

Karl J. West

Has no real or apparent conflicts of interest to report.

Page 3

Conflict of Interest

Erik Decker

Has no real or apparent conflicts of interest to report.

Page 4

Learning Objectives

• Describe the characteristics of an effective security leader and when an organization should have a security leader to lead its cybersecurity program

• Identify the key ingredients for effectively governing an organization’s cybersecurity program from a security leader’s perspective

• Explain best practices for overseeing an organization’s cybersecurity program in the role of a security leader

• Demonstrate how a security leader can effectively communicate with other executives and other management about the organization’s cybersecurity program, initiatives, and security incidents

Page 5

Karl J. West, CISO & AVP

Karl is the Chief Information Security Officer and AVP of Information Systems at Intermountain Healthcare, an integrated delivery network of 22 hospitals and 185 clinics. Karl is a well-respected speaker and security expert who is often sought after by other organizations that want to embed his holistic solutions in their security strategies.

At Intermountain, Karl is responsible for all aspects of the organization’s security strategy. Karl’s leadership—throughout the planning, development, implementation, and maintenance of an excellent security program—has earned Intermountain national recognition as a leader in health information security.

Page 6

Quick Facts about Intermountain Healthcare

• Headquartered in Salt Lake City

• Created in 1975 when the LDS Church donated its 15 hospitals to the communities they served

• Integrated health system serving Utah and Southern Idaho

• 39,000 employees

• 470 volunteers

• Governing trustees on 32 boards

• 22 hospitals with 2,769 licensed beds

• 1,600 employed physicians and caregivers at more than 180 clinics

• SelectHealth insurance plans with 850,000 members

• TeleHealth

• Homecare & Hospice

• InstaCare

• Connect Care

• Life Flight

• Precision Genomics

• Strong bond agency ratings: S&P AA+, Moody’s Aa1

• $419 million in charity care during 2016 (249,000 cases)

Page 7

Intermountain Cybersecurity Governance

Committees shown on the governance chart:

• Central Compliance Committee

• Executive Privacy and Security Committee

• Privacy and Security Working Group

Roles shown on the governance chart:

• Chief Information Officer

• Chief Compliance Officer

• Chief Security Officer

• Chief Privacy Officer

Chart legend: Governance of Information Risk; Reporting & Funding Authority

Page 8

Erik Decker, CSPO

Erik Decker is the Chief Security and Privacy Officer for the University of Chicago Medicine, and is responsible for its Cyber Security, Identity and Access Management and HIPAA Privacy Programs. Erik has 18 years of experience within Information Technology, with 12 years focused on Information Security. The majority of his career has been focused on Academic Medical Centers, establishing two information security programs and an identity and access management program.

Erik is the current Chair of the AEHIS Board, and joined AEHIS in 2015. This association focuses on educating the CISO and providing cybersecurity resources within the Healthcare sector.

Page 9

Quick Facts about The University of Chicago Medicine

• Headquartered in Chicago

• Created in 1927

• 1,000 beds with the recent acquisition of Ingalls

• 12 Nobel Prize winners

• 500,000 outpatient visits annually

• Journeying toward being an Integrated Delivery Network

• On track to become a Clinically Integrated Network

Page 10

UCM Cybersecurity Governance

Committees shown on the governance chart:

• Executive Cyber Risk Committee (Chair: CEO; Staff: CISO)

• Executive Corporate Compliance Committee (Chair: CEO; Staff: CCO & Privacy Officer)

• Privacy and Security Steering Committees (Chair: Security & Privacy Officer; Staff: GRC, Privacy)

Roles shown on the governance chart:

• Chief Compliance Officer

• Security & Privacy Officer

• Chief Information Officer

Chart legend: Governance of Information Risk; Reporting & Funding Authority

Page 11

Source: Microsoft Ignite

Page 12

What my mom thinks I do.

What my friends think I do.

What my wife thinks I do.

What I think I do.

What I REALLY do.

Page 13

Security is an Enabler, Not a Barrier

Think Frictionless!

Page 14

The Characteristics of an Effective Security Leader

• Technical

• Communication

• Presentation

• Collaboration

• Leader of Leaders

• Understanding Healthcare Process & Issues

• Financial Acumen

• Business Leadership Capital

And, occasionally, walking on water!


Page 16

Taking the Necessary Steps

• Trust People

• Take Feedback

• Give Feedback

• Affirm Potential

• Inspire Action

• Establish Vision

Page 17

Do You Need a CISO?

• Consider the size of the organization (e.g. system vs. single hospital)

• All organizations need a privacy and security function regardless of size

Page 18

Key Ingredients for Effective Governance

Page 19

Security Operations

Page 20

Key Relationships to Nurture …

• CEO

• CFO, CMO, CNO … and their main business units

• Facility CEOs

• CMIO, CNIO

• Legal

• Compliance

• Privacy

Page 21

Oversight Best-Practices

• Risk Assessment & Management

• Patch & Vulnerability Management

• Data Inventory

• Data Classification

• Identity Management

• Third-Party Assessment

Page 22

Oversight Best-Practices

Governance & Risk Management

• Policy

• Procedure

• SecOps/Incident Response

• Security Architecture

• Education

• Awareness

• GRC & Shared Services

Page 23

Effectively Communicate Your Program

Page 24

Effectively Communicate Your Program

• Instill and “bake in” common metrics

• Monthly 1:1 meetings (key stakeholders)

• Participate in other governance to assist in “drawing the line”

Page 25

@Intermountain @UChicago

Page 26

Questions

• Karl J. West, Intermountain Healthcare (@intermountain)

• Erik Decker, The University of Chicago Medicine (@uchicago)