Why Healthcare Needs to Shift Its Cybersecurity Focus
Mac McMillan, CEO Emeritus of CynergisTek, on Addressing Risk
Despite progress in improving cybersecurity, the healthcare sector still needs to change its focus from compliance to risk, says Mac McMillan, co-founder and CEO emeritus of security consulting firm CynergisTek.
"We need to stop talking about compliance ... and grades. We need to talk about threats and risk - and about how what we're doing is addressing the risk to the organization's ... systems, data and patients," McMillan says in an interview with Information Security Media Group.
"The threat profile we have today - the risks to patients, data, operations, intellectual property, research - and even the risk to national security with a lot of the information in healthcare - is at an all-time high," he says. "We need to have leadership in hospitals talking about cybersecurity and cyber risk and threats."
Executives must develop a far better understanding of cyberthreats and the risks they pose so that they can "start making better decisions with respect to security investments - and start to understand truly what it will take to be effective at protecting what we do in this industry that's so critically important to our society," he says.
In the interview, McMillan also discusses:
- Mentoring the next generation of potential cybersecurity professionals and his top advice to healthcare CISOs;
- How the cybersecurity postures of the healthcare and government sectors compare;
- His recent retirement as CEO of the security consulting firm and his current projects.
McMillan is co-founder, board member and CEO emeritus of CynergisTek Inc., an Austin, Texas-based firm specializing in information security and regulatory compliance in healthcare, financial services and other industries. He has about 40 years of security and risk management experience, including 20 years at the Department of Defense and its Defense Threat Reduction Agency. He is also former chair of the Healthcare Information and Management Systems Society's privacy and security task force.