Healthcare, I would assume, has a low risk profile as it is an organisation focused on wellbeing and good health. Is this a naïve assumption, and is your organisation in fact targeted as much as others?
This is a very naïve assumption, but unfortunately it is prevalent not only among the general public but also within healthcare IT and senior management. This is especially visible with small healthcare providers that don’t have enough resources to dedicate to security and risk management. And the risks are huge: there are privacy issues related to patients’ data, governmental restrictions and standards required for holding and processing patients’ data, and sovereignty issues if the organisation is multi-national, where each nation has different rules and regulations.
I’m interested in understanding how you engage with the business folks in healthcare. Assuming many of them are doctors and administrators, do they understand the importance of cyber security?
Most of them support security initiatives, but when it comes to execution there is not enough will and determination to invest in security. However, the same people hit a quite high hurdle when they start to negotiate with government organisations and customers that require certain levels of security posture.
On a scale of 1-5, do you expect that your investment in Cyber & Information Security will increase over the next 3-5 years? What’s going to drive that?
Obviously it should be 5, simply because most healthcare organisations are significantly lagging behind security requirements and regulations, so they will need to catch up in order to survive.
Could you describe your average day as a CISO? Do you have a particular routine for the start and end of the day?
Every day is different, but I usually start working at 6 AM so I’m well prepared for the next day. I don’t like surprises, so my first activity is to check security news and statuses.
How do you balance your own bandwidth between attention to your longer-term security agenda and today’s issue that has just arisen?
You need to create your long-, medium- and short-term plans and then work on them. Then you need to set your priorities and decide where you are going to channel your energy at that moment. It all depends on priorities.
I’ve heard that “information that healthcare organisations hold is anywhere from 50 to 250 times more valuable than other personal information”.
So if I were a hacker, there is some really interesting personal information stored by Atlantis Health. How do you secure these ‘crown jewels’?
I can’t put a monetary value on personal information. If breached, it could mean a big reputational hit to an organisation and even the end of that organisation. Governmental organisations are very strict and conservative when it comes to personal information leakage, and breaches usually end up on the TV news with the health minister having several microphones under his or her nose.
To protect private information, you need to make sure you follow all the health standards, rules and regulations in the first place; then you need to assess your specific risks and devise countermeasures to eliminate them.
What percentage of your records are digitized and how many are scanned documents? Do you apply the same security framework to both media?
Most records are in digitized form; only a small proportion of records are in physical form. Security of information in physical form is also within the realm of CISOs, and sometimes it is easier to explain the security issues of physical documentation than of electronic documentation. You simply cannot allow situations like the one where private documents were floating down the road just because nobody expected a flooding risk.
For best practices, where do you look to understand them, both in general terms and more specifically around your own domain?
For me, best practices are for general types of organisations like textile factories, forestry, etc. Healthcare is under strict regulation from the government and has to satisfy the same requirements as other governmental organisations (internal affairs, police, military).
Are you more concerned about internal technology vulnerabilities or about rogue insiders?
These days, if you say that you are concerned about rogue employees, you will probably end up in the sights of the internal politically correct watchkeepers. So you don’t say it. You run security awareness programs where each presentation starts with a slide that specifies the percentage of internal breaches in other organisations.
When you think about adding new talent to your team, what key attributes do you look for when selecting a new staff member? Also, I’m aware that there is a shortage of capability in the industry - how long does it take on average to find new talent?
Personally, I look at the completely opposite attributes to those typical HR and the rest of the CxO team look at. I look at quality, expertise and similar categories. Everything else is less relevant.
How do you keep up to date with developments in Cyber Security? I heard of another CISO who ensures that his staff are all accredited to be able to ‘hack’, so that they understand vulnerabilities and can ‘defend’.
Personally, I like to work on several fronts simultaneously. You need to be a member of professional bodies and follow their activities, you need to follow industry developments, and you need to follow academic developments and research. If possible, you should do academic research yourself.
Finally, what keeps you awake at night?
A good sports event or movie.