CISO Workshop Overview – The MBA Student Perspective
June 5th, 2018
In March, the Center for Digital Strategies (CDS) at the Tuck School of Business at Dartmouth and the Owen Graduate School of Management convened a workshop focused on information security in the healthcare industry. The health ecosystem represents diverse participants from large corporations to individual practices: Care providers, outsourced service providers, pharmacies, pharmaceuticals, claims processors, payers, device manufacturers, and other suppliers/vendors. Arguably more than any other value chain/network in any industry, these healthcare players must be able to share information and provide services securely in a world undergoing digital transformation. Intelligent adversaries exploiting vulnerabilities in any part of this ecosystem create incidents that rapidly propagate to unsuspecting members. Hospitals, suppliers and payers alike face risks ranging from theft of private information, hold-ups, denial of service attacks, and fraud. Providers and device manufacturers face risks from device compromise. Individuals face risks ranging from privacy violations to medical identity theft and personal harm. In the increasingly connected health delivery system, innovative solutions are required to ensure uninterrupted communications, service availability, and protection of critical individual, corporate or government data and information. Here are the key learnings from two of our MBA Associates, Jenna Romeo T’19 and Molly Tyler T’19. For further reading, you can read the executive overview here.
“We hand out as much data as we protect”
After Target’s notorious data breach, organizations have become hyper-aware of prioritizing the security of their data and information – especially within the fast-changing healthcare landscape. As the continuum of healthcare expands beyond hospitals and doctor’s offices into patient homes, there is an increasing number of entry points for data threats. Medical devices specifically are a cause of growing concern for healthcare CISOs. Medical devices generate a huge amount of data but are easily hackable, are subject to limited regulation and weak security, and become outdated quickly. When medical devices connect to individual patient networks, the number of endpoints to protect becomes enormous.
CISOs are struggling with how to secure data in a world where healthcare consumers want the ability to link all of their devices and data to one another. When healthcare companies “hand out” data, they need to determine where their data liability begins and ends within the organization. If consumers want the ability to link their FitBit data to their EMRs, which company is liable if patient data is compromised? The consequences of security breaches in healthcare are significant. A bad actor could potentially hack a health system or EMR to change patient data, risking an error that could put a patient in grave danger. Given these constant threats to data security, healthcare CISOs need to think of the optimal ways to keep their data and their people safe as the landscape of healthcare changes.
“The solution to a technology problem isn’t always technology”
CISOs are passionate about staying on top of the newest security tool trends. However, we quickly learned that although an organization can put an unlimited amount of resources into building out top-notch security features, the organization’s employees are still one of the largest vulnerabilities. We thought phishing scams were a thing of the past, with broken English and misspelled words. CISOs today wish for the ‘olden days’ of simple phishing. Today, phishing emails are extremely complex and realistic – some CISOs admitted that even they had a hard time discerning some realistic phishing emails. Phishers today will pull personal information from social media, LinkedIn, and even local newspapers to craft an email that the reader would be drawn to click on. As we become more connected and share more of our personal lives online, phishing schemes become a larger threat to organizations, so we need to think about the impact that what we share can have not only on our personal lives, but also on our organizations. Instead of only introducing more technology to protect against employee vulnerabilities, managers must also think about how to engage employees and train them to be more cautious.
As security threats grow in number each day, leaders are forced to become more reactive than proactive. In healthcare, aging infrastructure and untrained employees are just a few of the factors that add to the threat to organizational data security. In addition, where does the responsibility for data security lie? Are employees accountable, or is it the manager’s duty to educate their employees? As MBA students and future general managers in a digitally-shifting world, we need to grapple with these questions that CISOs are dealing with daily. We need to remember that training employees and generating security buy-in is just as important as the technological tools used to protect our systems.
“Security is everyone’s job”
In every organization, the CISO is a change agent, and therefore needs to create security buy-in from all parts of the company. Although the CISOs at the workshop reported to various functions within their organizations (IT, Finance, CEO, etc.), they all agreed that it was crucial to incentivize the organization to care about security. Failing to create shared security ownership within an organization could result in more data breaches and misallocation of resources. We learned about successful initiatives that CISOs implemented to create organizational buy-in, from assigning “risk owners” to various security initiatives so that team members felt ownership, to creating “risk committees” with people from across the organization that rank the top security concerns and allocate resources.
Security doesn’t just rely on IT functions such as firewalls and endpoint protection. In the healthcare space, it is crucial that doctors and healthcare providers become well versed in the digital security risks to patient data. As MBA students, we will need to consider how our future organizations should weigh the ease of sharing data quickly against the privacy and security costs of doing so. Even if we can acknowledge that security is everyone’s job, we will need to turn organizational awareness into engagement in order to truly create digitally protected organizations.