Even with the increased visibility of cybersecurity efforts at U.S. health systems – driven, of course, by the increased vulnerability of those organizations to increasingly brazen cybercriminals – information security is often still considered to be an adjunct concern when compared to the main mission of healthcare delivery.

But that's not the right mindset, as two chief information officers will explain at HIMSS23 in Chicago next month.

In their panel discussion, "Cybersecurity as an Imperative to Achieve Your Organization’s Strategic Goals," Bill Hudson, CIO at Integris Health, and Sonney Sapra, CIO at Samaritan Health Services, will make the case that, even with cybersecurity budgets on the rise, too many IT leaders still fail to see how infosec maturity is key to achieving strategic goals.

"Leaving cybersecurity out of the discussions to plan for and execute transformative initiatives increases operational risk by missed opportunities to support foundational operational elements such as performance, assurance, compliance and resilience," they say in describing the session, which aims to explore why the strategic importance of security is so often overlooked, and explain how to integrating it into strategic plans, from the board on down.

We spoke with Hudson recently about how to approach cybersecurity as a fundamental, enterprise-wide must-have.

Q. So this will be a talk about the wider strategic value of cybersecurity, told from the CIO's perspective, rather than the CISO's? What are some keys to understanding that imperative?

A. There's a lot of technical things you can do around security. There's a lot of operational issues around security. But I think a lot of times we don't spend as much time as we need bridging to the rest of the organization, to help them understand the "why" of it.

A lot of our security teams tend to be pretty technical. And there's nothing wrong with that. But I think helping the organization understand the importance of cybersecurity and adherence, and understanding the reasoning of the process, really helps rest the organization, helps encourage practices and standards to ensure that we stay safe and secure.

"If you think about security from the beginning, it makes a huge difference in terms of how you're able to support it."

Bill Hudson, Integris Health

Q. You note that, especially since the pandemic, health systems are rolling out more and more digital tools by the day. How important is it to build security in from the ground up as you're deploying these disparate technologies?

A. You need to have a design from the beginning. I think we've operated in a bolt-on manner the past few years. And as risks evolve, I think we're always going to have to continue to bolt on things to the framework. But as much as possible, from a design standpoint, making sure that whatever thing you do and build the design doesn't just include the security team, but the infrastructure team, the operational team, in terms of how a tool is going to be used, how it's going to be accessed. If you think about security from the beginning, it makes a huge difference in terms of how you're able to support it.

There's a lot of tools we've brought into the environment over the past several years, increasing risk. Some of those are web-based tools or cloud-based tools that help on prem. But the very nature of a cloud-based tool does introduce a certain amount of risk.

So having that foundation, making sure that you design for security from the beginning, and understanding what operational needs you need to meet, helps you basically craft it in a way that when you do at some point have to add some additional thing into the environment, you're able to do that in a secure framework.

Q. You suggest that treating cybersecurity as an afterthought increases strategic risk by "missed opportunities" to support "performance, assurance, compliance and resilience." Could you explain a bit more?

A. In the past, I think we have treated this in a lot of ways as something the security team has to focus on. But increasingly, because of the work around compliance and federal regulations, the work we have to do to make sure we're compliant with our payer agreements, the federal government has changed the rules. This is less about something that one team can do and more about something that has to be approached as an organization as a whole.

When I sit in our compliance meetings, there are representatives from human resources as well as legal and the compliance team, in our security conversations. Even a few years ago, you wouldn't have had someone from HR, you wouldn't have anybody from strategy in that mix. The very nature of how security is being generated in operations is necessitating a different set of people at the table. It's become more of a team sport.

Q. How do you work with your CISO? I know it varies at different organizations. Sometimes they report to the CIO, sometimes they're colleagues. What's the structure at Integris Health, and how often are you guys putting your heads together and comparing notes?

A. The CISO reports to me in this case. This is someone I've worked with for a number of years, and she's got a very strong background. My role is kind of helping make sure that she and her team understand the strategic and operational direction of the organization.

Obviously she keeps me apprised of the risks we need to worry about. We're going to present the audit committee here just next week around cybersecurity as an education for the board, as well as an update on our cybersecurity plan, because that's something the board is definitely interested in.

But it's really a partnership. Regardless of whether she reports to me, it's really about making sure that I'm able to help her have her voice and get connected to the rest of the organization and aware of the direction that we're going so she can plan for it.

That includes acquisitions and strategic alliances, that's partnerships, and her role to a) make sure that we're secure, but also making sure that I'm actually planning for and adapting towards budgetary and personnel constraints, and making sure we're going to be able to adapt to the current threats.

So it's very much a partnership. This is something that we have to do together to make sure it gets done in the best way possible.

Q. Obviously, Integris is forward-thinking when it comes to getting buy-in from across the enterprise – but not every health system is. What are some keys, as IT leaders, to enlisting other stakeholders in the larger goal of cybersecurity?

A. There have been a few national CISA alerts out in the past weeks around the threats to healthcare. But I don't want to sound sensational, like the sky is falling. There's the chance that the organization becomes inured to it.

I think it's important to have a conversation, in operational language and human language, and say things like, "We are going to have a bad day at some point in time. I'm never going to be able to spend enough money to make sure we're 100% risk-protected. Our job is to minimize that risk as much as possible, and this is how we're going to do that and have that conversation about a partnership."

When we talk about the things that are emerging as a risk, it's more like, "Hey, we want you to be a little bit extra careful this week. We want you to be aware, we want you, during a huddle, share this with your teams. These are things we're concerned about."

When you have that conversation in a very calm way – these are risks, this is how we're going to mitigate them, this is how I'm going to work with you and how I'm going to keep you informed of what's going on – it changes the tone.

Hudson and Sapra will offer more perspective in their panel discussion, "Cybersecurity as an Imperative to Achieve Your Organization’s Strategic Goals." It's scheduled for Tuesday, April 18, from 1:30-2:30 p.m. in South Building, Level 4, in room S406 B.