David Finn, a former healthcare CIO who's now health IT officer at security vendor Symantec, recently agreed to join a new Department of Health and Human Services cybersecurity task force because he supports its mission of involving representatives of all healthcare sectors in the effort to tackle challenges.
"In healthcare, one of our issues is silos - within providers, and certainly across providers - and then along the continuum of partners and business associates," Finn says in an interview with Information Security Media Group. "The point of the task force - and the thing that interested and intrigued me - is that we're not going to sit down with a group of providers and say, 'How do you fix security in the hospital or the clinical setting?' And we're not going to sit down with some clinical application vendors and say, 'You guys need to fix security.' And we're not going to sit down with some security vendors and say, 'You need to fix security in healthcare.' We're bringing all those groups together."
A shift toward more collaboration on securing healthcare data, especially as more of that information is electronically exchanged, is critical, Finn says. "And that's what the task force does ... and why I want to participate."
The task force will start by examining how other sectors "have implemented strategies and safeguards for addressing cybersecurity threats in those industries," he says. It will also examine the unique cybersecurity challenges faced by healthcare entities and the difficulties that HIPAA covered entities and business associates face in securing networked medical devices and other systems that connect to electronic health records, he says. Plus, it will devise recommendations for how the sector can improve preparedness and response to cyber threats.
The creation of the task force, which includes nearly two dozen representatives of the government, technology and healthcare sectors, was mandated by the Cybersecurity Information Sharing Act of 2015. Task force members were selected based on recommendations from a panel of subject matter experts from HHS, the Department of Homeland Security and the National Institute of Standards and Technology. The group is expected to report its findings to Congress and the public next year.
Support from the Top
One of the biggest issues in healthcare information security is the lack of support for cybersecurity from CEOs and other senior leaders, Finn contends.
"What I believe is really lacking is leadership around security issues outside of IT," he says. "So, the CIO ... and certainly the CISO understand the issues, but we're not seeing the CEOs, the CFOs, chief nursing officers engaged in ways that would allow the CISO or CIO to ... escalate this and get the priorities we'd expect to see."
Although board meetings often feature detailed reports about financial as well as quality-of-care issues, Finn says, "what I don't see are security reports, where [CISOs] are presenting to the board their risk assessment, the [security] events that have occurred, what they're doing to stop and manage those incidents, and how they're training the staff to deal with those things."
In this interview (see audio player below photo), Finn also discusses:
- Recent cyberattacks hitting the healthcare sector, including ransomware assaults;
- Cybersecurity threats facing networked medical devices;
- Other cybersecurity-related obstacles facing the healthcare sector.
Before joining Symantec, Finn was CIO and vice president of information services for Texas Children's Hospital, where he also previously served as the privacy and security officer. Earlier, Finn spent seven years as a healthcare consultant with Healthlink - formerly IMG - and PriceWaterhouseCoopers. Finn has more than 30 years of experience in the planning, management and control of IT and business processes.