Apex sat down with Tim Swope, Chief Information Security Officer at Catholic Health Services of Long Island, to discuss his role and experience as a CISO. Drawing on extensive experience in the industry, Tim shares his advice and explains why he sees an IT Risk Management Program as the cornerstone of all cyber security work.
Q: What is IT security doing to support innovation in the enterprise?
A: In addition to training the IT Security staff, we all attend many seminars outlining new and innovative technologies, and with our Proactive Risk Management model we are able to determine what gaps those technologies will close in our organizations.
Q: What is the single most important thing CISOs should be focusing on today?
A: While many security leaders focus on the technical side of cybersecurity, a key focus of mine is risk management. Risk management is the overriding element for successful cybersecurity programs. We need to know what cyber risks and third-party vendor risks may affect our organizations, assign a risk level, and then focus our remediation and management on the top-tier risks first.
Q: How can you best describe the relationship between the CIO and the CISO in the enterprise?
A: The CIO and I work very closely together on the overall information strategy for the organizations. That being said, while the CIO might push for technology solutions that will make access to information easier, I ensure that we can effectively manage and monitor that technology. In the Healthcare space, innovation has moved faster than our ability to secure it. I remind the CIO that we are FIRST in the patient privacy and safety business, not the convenience business!
Q: How have you searched for and found the best vendors for your organization?
A: We have a very strict due diligence process for our vendors, especially those that will be working with PHI. However, we are constantly looking for and evaluating vendors that may be able to save us cost, offer greater automation, and solve our needs better.
Q: What is the biggest challenge for a CISO today?
A: In the Healthcare industry: changing regulations, the need to expose patient data to outside entities, and ensuring that the same IT security posture remains in place in the face of this change.
Q: What advice would you give an early stage CISO joining an enterprise organization?
A: When coming into a new organization as a CISO leader, I strongly believe in conducting an internal assessment to get an understanding of what controls and technologies are in place. While some CISOs may rely on an outside firm to conduct these, I choose to do an initial assessment myself, putting myself in an outside auditor's shoes. Rather than looking to somebody else to do it for me, I'll do it myself, and I think that's the key thing a CISO should do: understand his or her landscape and do their own personal assessment. Only then can you see what you really have.
Q: What is the importance of an IT Risk Management Program in today's cyber security landscape?
A: In order to deliver value to our customers, patients, employees, communities and shareholders, we at Catholic Health Services and other Healthcare organizations must understand and manage the risks faced across our entire organization. Risks are inherent in our business activities and can relate to strategic threats, operational issues, compliance with laws, and reporting obligations. As part of the overall IT risk management process, the Information Security, Governance and Risk (ISGR) departments are responsible for various activities that are important to regulatory compliance, information security, data protection and risk management. This group has the authority and responsibility to investigate and assess compliance in all activities relevant to the Security Governance Program and to report on compliance status to IS Management.
The “Framework” that encompasses their Risk Management Program has the primary functions to:
- Determine categorization of IT risks
- Define the common framework used to identify and manage potential events that may affect information within the IT infrastructure
- Define accountability for IT risk management
- Determine the governance and oversight of IT risk management activities
Internal and external events affecting our ability to achieve our security and operational objectives are identified at various points in the business cycle. During strategic and business planning and review processes, business unit management assesses the market and competitive environment to identify risks and opportunities facing their business. The various risk management functions within or assigned to that business unit provide expertise, support and input into the process. Each of the risk management functions is represented on applicable management committees to enable effective risk identification and business partnership.
Throughout the year, risk assessments, scans and surveys are performed by the ISGR team to identify internal and external events that might affect the achievement of the Company’s objectives. Additionally, the various risk management functions scan the external environment for risk indicators through analysis of applicable business intelligence, including trends in external health authority and other government inspections and enforcement, legislative changes, and shifts in market, payer and consumer models, as well as relationships with external subject matter experts.
Finally, risk management functions review the output from internal monitoring and assurance activities to identify gaps and emerging risk areas. Risks are analyzed, considering likelihood and impact of a given outcome, to determine how they should be managed.
If we can take away one lesson from the need for a risk management program, it is the following:
Risk Management is the number one process for identifying potential risks and creating a plan to eradicate or manage them!
We don't accept Risk, we continually Manage it!
Catholic Health Services of LI
Mr. Timothy Swope is currently the CISO of Catholic Health Services, an 18,000-employee hospital group in Long Island, NY. He is an Information Security and IT Risk Management professional who partners with Chief Information Security Officers and IT Governance, Risk and Compliance executives to assess and deliver IT Security and Risk Management programs to Health Care and Insurance, Pharmaceutical and government agencies. After spending over two decades helping clients implement secure enterprise BI, EHR, Meaningful Use and other data science systems, Tim knows and understands the requirements and components that create a secure information security posture. A key area of his expertise centers around interpreting and applying Federal, State and Industry regulations such as DSRIP, HITRUST, HIPAA, NIST SP 800-53, 21 CFR Part 11, Health Insurance Reform: Security Standards, FISMA (Federal Information Security Management Act) and, locally, the Zadroga Act, to name a few.
He also supported cyber security requirements for Medicaid's Delivery System Reform Incentive Payment (DSRIP) Program at two of New York's largest Performing Provider Systems (PPSs), Northwell Health and NYC Health and Hospitals.
He has supported the IT Risk Management and IS Security initiatives of organizations that include Excellus BCBS, MedImmune/AstraZeneca, Merck, Endo Pharmaceuticals, Novo Nordisk, Daiichi-Sankyo Solutions, Johnson and Johnson, the District of Columbia Government Office of the Chief Financial Officer, the District of Columbia Water and Sewer Authority, and the City of Richmond, Virginia Department of Public Utilities.