What, in your view, are the greatest threats facing the healthcare sector in cybersecurity?
First, the wrong executives such as Chief Financial Officers are in charge of IT and cybersecurity strategy in half US healthcare organisations. One third have no cybersecurity executive on staff. In too many organisations qualified cybersecurity executives are not empowered to do the right thing. For example, even though strong, yet simple, authentication systems have been around for a while, too many healthcare organisations continue to rely on userid/password based systems – the weakest form of authentication. Authentication systems need to be easy and should not make life difficult for users. The second challenge is that governance and executive accountability is lacking. In the absence of due diligence, healthcare organisations are falling increasingly victim to ransomware and other similar attacks. Finally, new technology, including medical devices with weak security continue to be implemented without proper vetting – thus increasing the number of attack vectors and risks dramatically.
What can healthcare leaders do today to start addressing these threats?
Organisations must accept digital strategy as integral to organisational strategy. They need to hire qualified digital strategists, put them in charge at the highest levels of organisations to implement continuous innovation, data governance, and digital risk strategies. Importantly, leaders have to incentivise and engage the entire organisational workforce toward the solution. Cybersecurity is not a one-brain sport.
In your book Cybersecurity Leadership, you describe what you call ‘ethical leadership’. Can you define this?
Ethical leadership is the principle of sharing the fruits of innovation and productivity with the very people producing this. This is also the very foundation of capitalism. Cybersecurity is essentially perpetual innovation. People innovate – machines do not. People will not innovate if they do not have an incentive to do so. Ethical leadership inspires a cybersecurity culture through higher levels of engagement, loyalty, and innovation. In this manner, a people-focused cybersecurity strategy becomes a powerful innovation, revenue, and profit driver for any organisation.
What is the biggest mistake healthcare CEOs are making when it comes to implementing effective cybersecurity?
CEO s have ignored people and focused on buying technology. They treat people as the “weakest link” and force them to go through meaningless cybersecurity awareness training based on an outdated information security model. Instead, people can be our greatest strength. Training should focus on proper usage of all the technology and data that each person uses. In terms of staffing, organisations have been penny-wise and pound-foolish. They are looking for purple squirrels at mouse pay. Instead of setting compensation at market, they are trying to hire based on artificial budget numbers. Hence they have created an artificial “skills gap”. Companies have also been reluctant to develop internal talent with known organisational loyalties. Organisations need to implement strong talent development and retention programmes tied to the concept of ethical leadership.
Can you describe what is unique about the graduate cybersecurity technology programme at the University of Maryland University College (UMUC), and why you think its principles could work for present healthcare executives?
The main problem in executive education is that business schools do not teach cybersecurity and digital strategy and most cybersecurity education focuses on technology and ignores business concepts. Executives are taught to think of people as expenses. Of course this kills innovation, productivity and loyalty. As a result, people become a major source of internal threats – both accidental and intentional. Many academic cybersecurity programmes are really computer science or engineering programmes or teach a small aspect of cybersecurity. At UMUC we are holistic and transparent in our approach and deal with all aspects of cybersecurity.
We understand that cybersecurity is a vast interdisciplinary field with people, policy, and technology aspects. To cover this range, we have four Masters Degree tracks providing clarity in career possibilities: Cybersecurity Management and Policy, Cybersecurity Technology, Digital Forensics and Cybersecurity Investigations, and Cybersecurity Operations and Information Assurance. However all students go through cybersecurity leadership, decision-making, and analytics. As an open university we believe education should be available to anyone. Therefore we leverage technology to offer our programmes to 93,000 students worldwide with 12,000 students in our graduate and undergraduate cybersecurity tracks. In most programmes we accept people from a wide range of disciplines because we believe in an interdisciplinary business approach to digital strategy. Our students are mostly working professionals and they apply what they learned by completing projects in their courses. Professors, with deep real world experiences, teach and mentor our students. We feel we are producing the next generation of business executives at UMUC.
Is there anyone leading the way in healthcare cybersecurity?
Healthcare organisations, which embraced digital strategy as a business driver, have done well. These organisations have very strong CEO /CIO partnerships going back decades. Technology, data, and analytics have been powering the mission of Kaiser Permanente for a long time. They have used digital strategy to make better decisions, improve healthcare, reduce errors, and engage partners and patients.
You have a particularly strong stance against CEOs and CFOs who do not engage with IT or CIOs/ CISOs – and vice versa. Do think this may be harsh?
I have been more vocal lately since my earlier polite advice has been largely ignored. In the meantime, three organisations with the wrong executives in charge have breached my own personal information and offered very little protection or remediation. I have seen and heard of executives in profitable companies lay off thousands of people just to increase their annual bonus. They have even fired CIO s and CISO s for pointing out issues instead of doing the right thing. I am disturbed that executives are not learning from incidents. For example breaches like Community Health Systems and later Anthem should never have happened. These were all failures in leadership and governance. In the meantime, the digital identities of half the US population have already been compromised and the rampage continues unabated. Offering to monitor credit for a year or two is an irresponsible response. A large number of victims are children who will face problems several years from now. I am particularly disturbed that money drives healthcare organisational strategy instead of strategy driving money. Having a CFO drive IT and cybersecurity strategy makes no sense. They do not believe technology is core to their mission. CFOs also tend to view technology as an office automation function. Since they feel inadequate managing this function, many of them have completely outsourced IT – resulting in even higher costs and perpetual stagnation. When IT got outsourced, internal IT talent and innovation also vanished with it. Outsourced IT will only do what you tell them to do.
The industry appears to believe in the myth that CFOs “save” money by controlling IT and cybersecurity costs. Yet I see countless examples of CFOs wasting money on inappropriate technology at “discount” prices or leaving critical positions unfilled in their efforts to “save” money. Most often they do not invest in continuous improvement to avoid problems. They spend money after a problem occurs – often on inappropriate technology and solutions – just to show that they did something.
If you had to write a job description for the ideal healthcare leader, what would it look like?
The modern healthcare executive needs to understand the new world of electronic health records, health information exchanges, health insurance exchanges, digital patient identities, patient and partner engagement through technology, integration of medical instruments and the entire spectrum of patient care, data analytics and business intelligence and data driven decision making – all while maintaining confidentiality, integrity, and availability of data and systems using a balanced mix of people, policy, and technology, while perennially improving over time. In order words they have to be a true healthcare digital strategist. We also need ethical leaders who understand that ethical leadership is not only profitable for business, it is the only way to achieve perpetual innovation and long term success in any organisation.
Dr. Mansur Hasib is the author of Cybersecurity Leadership where he shares a unique cybersecurity governance and culture model based on his research and 12 years experience as a Chief Information Officer. This book was cited in a US Senate hearing and is used by universities and government and private cybersecurity leadership programs.
Dr. Hasib serves as Programme Chair, Cybersecurity Technology in the Graduate School at University of Maryland University College (UMUC) and has a Doctor of Science in Cybersecurity. He also holds the prestigious CISSP , PMP, and CPHI MS certifications. With 30 years experience in healthcare, biotechnology, education, and energy, Dr. Hasib is a frequent speaker at conferences. Dr. Hasib developed a holistic graduate academic programme, which blends business, information technology and cybersecurity. In 2013, Dr. Hasib conducted a national study in US healthcare cybersecurity and published the book Impact of Security Culture on Security Compliance in Healthcare in the U.S..
- Digital strategy is the same as organisational
strategy today. Yet education of executives is focused on finance, marketing,
- Cybersecurity is perennial innovation.
- People innovate.
- Cybersecurity leadership is critical for long-term
success of organisations.