[ISN] A healthcare CISO’s primary customer: The clinician

http://healthitsecurity.com/2013/10/22/a-healthcare-ciso%E2%80%99s-primary-customer-the-clinician/

By Dom Nicastro
HealthITSecurity.com
October 22, 2013

It's clear by now that CISOs should work closely with the CMIO and the physician leaders responsible for clinical care and clinical systems. They can start by attending and presenting at medical staff meetings, department meetings, grand rounds, etc. on topics of interest to the clinical staff.

"The CISO/ISO should reach out to physicians to ask for advice and support in developing and enhancing safeguards for information security," Phyllis A. Patrick, president of Phyllis A. Patrick & Associates in Purchase, N.Y., said. "The CISO/ISO should promote an 'open door' with clinicians, working to find effective solutions to help them treat patients and educate others while maintaining security. The response should always be, 'Let's see how we can help you do this securely.' The CMIO/CISO partnership is key."

CISOs must also remember to leverage resources where they can, as IT can carry out the technical functions. Compliance and internal audit departments can assist with some of the functions related to training, auditing and monitoring, risk analysis and risk management, and vendor selection. Human Resources should also work on functions related to policies for sanctions, training, assignment and termination of rights to systems, and other activities. Biomedical personnel can ensure that biomedical devices are consistent with requirements for safeguards related to patient information, proper disposal of equipment, etc. Purchasing can alert the CISO to possible changes in vendors for office equipment (copiers, fax machines, etc.) that require security safeguards. Legal should review all security policies and provide advice regarding compliance with federal and state regulations and new requirements as they develop.

[...]