Why Empowering the CISO is Important for Healthcare Information Security Risk Management

Posted by Gerry Blass

With the security of healthcare organizations under constant attack from internal and external threats, it is more important than ever to have a dedicated executive in charge of overseeing the organization’s information security and risk management programs. That executive is typically known as the Chief Information Security Officer (CISO).

We are starting to see CISOs reporting outside of Information Technology (IT). This makes sense because the CISO needs to be able to audit IT controls and give an unbiased report to senior management. Other areas the CISO could participate with, or at least report to, include operations, compliance, legal, audit and risk.

Checks and Balances

Healthcare organizations would not allow an internal financial auditor to report directly to the Chief Financial Officer (CFO). The concept of “checks and balances” has been known for many years. It applies to any situation where there could be potential conflicts of interest or undue political pressure to whitewash actual audit results. This concept supports the theory that a CISO should not report to IT.

Dysfunctional Audits and Plans – A Real Threat

Over the years we have seen information disaster recovery / business continuity (DRBC) plans that were not operationally functional in an actual disaster. Leadership was not aware of this problem, and as a result, their organization was at high risk in the event of a disaster.

The CISO may have known of the risk, but may have also felt pressure to be politically correct and to protect IT instead of the organization. Even if that was not the case, it is clearly more appropriate for the CISO to be empowered to report issues freely without political pressures.

Responsibilities of the CISO

A CISO has the responsibility to accurately understand the current information privacy and security profile of their organization and to identify risk and recommend a mitigation roadmap. Their basic job is to know what the current threats are to confidential data in transit and at rest.

The drill-down is extensive and includes considerations for the administrative, physical, technical and organizational controls that should be in place to reduce the chance that threats could exploit potential vulnerabilities, resulting in unauthorized access to protected health information (PHI) and business confidential information.

A single breach, as most of us know, can result, and has resulted, in extensive harm to organizational reputation and finances.

Risk Management Examples

For CISOs to take charge of risk management they need to be able to view the organization as a whole. Here are a few examples. CISOs will need to know how employees are using their mobile devices, and what security measures are in place. They’ll need to know what software is being used and whether it’s up to date. They’ll need to know which employees are supposed to have access to patient data and how they’re accessing it. Then CISOs can recommend changes to policies when needed, or advise whether tools such as user behavior analytics should be implemented to prevent snooping or other human-based risks.

This type of risk analysis must be applied to all of the standards of the HIPAA rules and/or other frameworks and guidance (e.g. the National Institute of Standards and Technology – NIST).


The CISO’s role cannot be overstated in protecting their organization’s identifiable health, financial, and business confidential information. A CISO who is empowered by the C-suite, and who is free to accurately report audit results without undue political influence, can be more effective and make the best recommendations for their organization.

About ComplyAssistant

ComplyAssistant provides healthcare compliance software and healthcare cybersecurity services. The software is a compliance management cloud portal that provides guidance, organization, collaboration alerts, and notifications for more effective management and documentation of healthcare compliance activities.
