The healthcare industry was the number one target for cyber-attacks in 2015, the number of attacks even surpassing those directed at financial organizations. With the number of attacks on healthcare predicted to rise even more, the role of security leaders in the industry, particularly that of the CMIO, has come under the spotlight.
Traditionally tasked with helping hospitals support the adoption and implementation of health technologies, CMIOs (and/or CIOs, CTOs and CISOs) these days are required to be internet security (IS) experts as well as medical professionals.
Let’s take a look at the role of security leaders in healthcare today. We’ll touch on the cybercrime wave against healthcare organizations in recent years and posit some reasons the industry has been singled out by criminals, including failed leadership, lack of education and awareness, and vulnerable networks.
What Does a CMIO do?
A CMIO is usually a practicing physician with a core understanding of, if not formal training in, technology / informatics. According to the U.S. Department of Health and Human Services (HSS), “Because the field of health informatics is still developing, a CMIO’s duties may vary from one organization to the next. However, most CMIO’s are practicing physicians or IT professionals with specialized training, and their responsibilities reflect their dual areas of expertise.” The CMIO’s duties are to:
- evaluate an organization’s IT systems;
- design and apply EMR/EHR software and applications;
- convert and analyze medical and health data;
- ensure quality of care across multiple information systems;
- leverage medical and health data to improve services and daily operations;
- train physicians and other medical professionals in IT systems and applications, especially EMR/EHR and computerized physician order entry (CPOE); and
- conduct data analytics for research purposes and report findings to executives, government, or scholarly institutions.
A quick search of CMIO jobs advertised on the Internet shows that a suitably qualified CMIO has many hats, but expertise in cybercrime is not one of them. IT security commentator, Mansur Hasib, in an article on the InformationWeek website, commented that “the problem [that results in data breaches] is that too many healthcare and other organizations implement cyber-security at the end of the development cycle, not at the beginning; they do not bake cyber-security into all their business and development processes. They also tend to view the cost of cyber-security as an unnecessary evil instead of a vital component of their business strategy. It is a failure of corporate leadership and governance—not technology. ”
It could be argued that healthcare organizations employing medical information officers should insist that applicants have demonstrable experience and/ or knowledge of cybercrime, and not learn about it on the job.
Healthcare Security Leaders’ Salaries
According to PayScale, a CMO earns an average salary of $277,803 per year. Pay for this job does not change much by experience, with the most experienced earning only a bit more. The website lists the most popular skills required by recruiters and organizations wanting to hire a CMO and what each skill has on pay. The list below is an indicator of how a particular skill may affect an applicant’s salary:
- Physician (median salary: $250,000),
- Internal medicine (median salary: $265,000),
- Leadership (median salary: $298,000),
- IT Management (median salary: $314,000), and
- People management (median salary: $352,000).
Job Titles and the Changing Role of the CMIO
A CMIO essentially serves as the bridge between medical and IT departments at a health care organization.
Some interesting figures are revealed by SSi-Search, an executive recruitment firm for the healthcare industry, about whom a CMIO should report to. From a survey done by SSi-Search, half of the respondents said that a CMIO should report to the CMO or the CEO, but half of the CIOs queried, believed a CMIO should report to them.
Why does this matter? Are these respondents just jostling for leadership? Who should the CMIO report to for best results with regard to internet security in healthcare?
Samantha Burch, senior director of congressional affairs at Healthcare Information and Management Systems Society (HIMSS), says studies show that organizations in which the CISO reported to the CIO experienced 14 percent more downtime due to cyber-security incidents than those organizations in which the CISO reported to the CEO. And, organizations in which the CISO reported to the CIO reported financial losses 46 percent higher than when the CISO reported to the CEO.
John D. Halamka, MD, MS, is the CIO of Beth Israel Deaconess Medical Center. Although his business cards describe him as a CIO, in 1998 he was given the title CMIO. In reality, he works as a CIO, CISO, CMIO and CTO.
“Whom should the CMIO report to? Choices include the CIO, the CMO, the COO, the CEO, or some governance group, i.e., the Medical Executive Committee. Every organization is different and the reporting relationship should be a function of where the CMIO can have the greatest impact, visibility, and support.”
Researchers at the US National Library of Medicine say the CCIO role has not been well defined nor has the role been derived from a clear set of expectations, skill sets, or educational standards. Their research found the operational role of the CCIO was heterogeneous, with individuals deriving from a variety of clinical settings and backgrounds. They found that, in the real world, the title encompassed the more commonly used terms of CMIO, chief nursing informatics officer (CNIO), chief pharmacy informatics officer (CPIO) and chief dental informatics officer (CDIO). The term CHIO was sometimes used synonymously with the term CCIO who might also report to a CHIO for overall supervision.
The title for the job role of medical information office is often seen to change in line with new business strategies. When building its Center for Informatics and Analytics, the University of Mississippi Medical Center reinvented itself as a knowledge-driven health system. One of the changes it made was to the title of John Showalter, MD, from CMIO to chief health information officer (CHIO). “The CHIO position here is really much more focused on analytics and driving institutional return on investment from our clinical IT. When I was the CMIO, I was much more focused on adoption and usability for the clinicians.”
Aligning Business and Security Needs
Collaboration between leaders may be the first step in securing healthcare networks and protecting patients’ confidential medical records. Paul Connelly, CISO of Hospital Corporation of America and Dave Levin, M.D., chief medical officer at Sansoro Health and previously CMIO for the Cleveland Clinic Health System, emphasize the need for collaboration between healthcare leaders to meet the needs of the business and mitigate cyber-attacks.
“The view of the CMIO is to find a way to maximize the value of clinical IT at a time when medical systems and data are in the crosshairs,” Levin said.
“The CISO view is to look at this from the perspective of how to keep systems safe to protect your patients when there are organizations with many non-secure legacy systems and threats and the access and dissemination of data is growing exponentially,” Connelly said.
Do Healthcare Organizations Need Dedicated Security Leaders?
Healthcare is particularly lucrative for cybercriminals because it presents an opportunity to steal multiple types of sensitive information, including personal, medical, and financial, in one attack. Credit card and Social Security numbers sell on the black market for about $1 each; medical records can fetch up to $75 each.
The sector is also an appealing target for cybercriminals because the industry’s approach to cyber-security is often behind the times. A Sophos survey of National Health Service (NHS) organizations in the UK found that encryption was “well established” in just 10 percent of them. In another survey across multiple industries in six countries, Sophos found that the healthcare sector had one of the lowest rates of data encryption, with only 31 percent of healthcare organizations reporting extensive use of encryption, while 20 percent said they don’t use encryption at all. Legacy systems are particularly vulnerable and, once again, the problem may well lie with leaders who don’t understand quite how tech-savvy the modern criminal is in cyberspace.
The future might see the emergence of a new role: Chief Medical Security Information Officer (CMSIO).
The Failure of Leadership in IS (Internet Security)
A 2015 Guardian roundtable initiative in the UK invited cyber-security experts to discuss how best to protect the UK’s critical networks and businesses from cyber-attacks. “Many leaders probably started their careers when their business was paper-based, and in their minds that’s how the business still works. They don’t realize how IT has transformed their business … Therefore, when chief executives make decisions on whether to invest in cyber-security, they have no instinct for it,” commented one of the panel members. In addition, as healthcare organizations are run as businesses, security is seen by old-school leadership as an unnecessary cost that eats into profits.
The leadership problem was again highlighted during a U.S. House Energy and Commerce Subcommittee on Health hearing where healthcare leaders and security experts testified in support of proposed legislation to empower the CISO at HHS. Mac McMillan, a healthcare IT security expert and CEO of CynergisTek Consulting, said, “What most healthcare organizations suffer from most today is a lack of leadership.” He proposed that the best way to address the situation would be by creating a cyber-security leadership post and to do that by elevating the CISO position.
How can healthcare security leaders mitigate cyber-attacks?
The new breed of dedicated IS leaders in healthcare, like CISOs and CMIOs, can ward of attacks in a number of ways:
- CISOs can get ahead of many cyber-attacks by proactively searching for and mitigating online activities that target the institution. They can look for domains that mimic the real domain of the organization and check out user groups that (falsely) purport to represent the company. CISOs need to keep an eye on social media sites and online medical forums where phishers lurk, and root out fake profiles.
- CISOs must take responsibility for ensuring that all employees are aware of the threat of cyber-attacks. A security-educated user is less likely to be conned by phishing emails and malicious links.
- Healthcare leaders can join other professionals on cyber-security forums to share their knowledge and learn more about what they can do to protect the hospitals and medical practices they work for. One such organization, the HIMSS Healthcare Cyber-security Community, provides a monthly forum for thought leaders (from government, the private sector, and academia) and healthcare constituents to discuss and learn about advancing the state of cyber-security in healthcare.
- IS leaders must ensure that basic safeguards are in place. These include: regularly patched firewalls, up-to-date software security, processes that ensure password protection and instigate regular password changes, updated firmware and network security, e.g., load balancing, full backups, and a fallback plan in place to deal with failed systems.
- 2015 saw the first-ever government warning that a medical device was vulnerable to hacking. Healthcare security leaders will be part of the process of debating future security legislation with government, which will require a whole new set of skills.
- Using vendors providing security solutions but not being held accountable for breaches means that the cyber-insurance market will increase, putting even more pressure on medical executives to cut costs.
- Compliance (and the financial bottom line) is a major concern for any healthcare organization, which makes many of them hesitant to update or switch to new security systems. Security leaders will need to take on the responsibility of convincing stakeholders to invest in new systems.
- Data breaches are sometimes inside jobs (and not always intentional). Security leaders of the future thus have the unenviable task of policing colleagues. Responsibility for security and awareness training, and monitoring access to sensitive data could in the future fall on the shoulders of CMIOs and CMOs because that’s where the buck stops.
- The proliferation of smartphones and tablets and other connected devices in healthcare centers has increased the risk of endpoint security breaches, another potential security loophole that will become healthcare executives’ responsibility to plug.
- Healthcare leaders will need to step up data security to avoid Health Insurance Portability and Accountability Act (HIPAA) violations.
- Bill Nesbitt, President, Security Management Services International, Inc., says that security professionals are turning to social media such as LinkedIn forums for an exchange of ideas among security professionals.
You can make a start on improving awareness for company employees (and leaders) by signing up with InfoSec Institute for their employee awareness training program: https://www.infosecinstitute.com/aware-ed.
Recent Security Leaders in Healthcare Articles and Updates
- Security Leaders in Healthcare
- 10 Best Practices for Healthcare Security
- Top Cyber Security Risks in Healthcare [Updated 2020]
- Healthcare's many cybersecurity challenges
- Breach Notification Requirements for Healthcare Providers
- Does History Need to Repeat Itself? Lessons Learned From WannaCry
- HIPAA Security Rule
- The Healthcare IT Stack
- Security Technologies in Healthcare
- Healthcare Attack Statistics and Case Studies
- The Internet of Things in Healthcare
- Top 5 Emerging Security Technologies in Healthcare