Healthcare // Leadership | News | 4/29/2014 09:06 AM
HCSC Security Chief's Secret To Longevity

Ray Biondo has served as chief information security officer for nine years at insurance giant Health Care Service Corp., something of a record. He credits users and execs willing to collaborate on risk management.


As the longtime chief information security officer of Health Care Service Corp. (HCSC), Ray Biondo navigates the seemingly polar goals of managing risk and empowering the large customer-owned health insurer to tap new opportunities and technologies.

In a position known for turnover, Biondo is a rarity. He became CISO in 2005 and has seen CISO tenure decrease around him. Only 3% of supervisory IT security professionals remain with their organization for 10 or more years, according to a recent Ponemon Institute report.

"The secret to my success, because the lifespan of a CISO is probably about three years, is really taking the risk-based approach and making sure you engage the business and get their vote," Biondo said.

His three-year figure is actually generous: online data suggests average CISO tenure is closer to 18 months. If a breach occurs, an organization typically scapegoats the CISO. Alternatively, an organization might well remove a CISO who controls security so tightly that the business cannot easily adopt mobile, Web-based, Internet of Things, or other technologies vital to its growth.

[Healthcare security tech lags behind the financial sector. Read more: FBI Warning Highlights Healthcare's Security Infancy.]

Recognizing the balancing act he faced, Biondo saw HCSC's CISO position morph into a risk-management role, he said in an interview. That shift required open communication and education.

"It evolved from guys setting up firewalls to more of a trusted advisor to the C suite and board of directors," said Biondo.

Within a healthcare organization, a CISO is critical, and never more so than today, when patients, clinicians, and employees access sensitive data remotely and via mobile devices, he said.

Ray Biondo, CISO of HCSC.

"We now have a different customer, a different client than we had in the large member organization," Biondo said. "How do we protect that data? How do we still enable customers' access to that data?"

HCSC processes between 700,000 and 1 million claims a day, he said. Biondo and his team are charged with protecting all of that personal health information (PHI) as it travels internally and externally throughout the insurer, its business associates, and providers.

To determine whether a risk is acceptable, Biondo created a structured process in which a council of peers reviews whether a new technology introduces acceptable or unacceptable risk.

"In order for me to motivate the business or IT business overall to give me funding to alleviate this risk, I didn't want to use FUD [fear, uncertainty, doubt]. I wanted to present to them in business language, what the issue was," he said. "I'm educating the business about risk they never would have known about and also the IT executives, in some cases, wouldn't have known about."

Although Biondo usually abides by the council's consensus, he can appeal a decision by taking it to the Senior Risk Advisory Council, which consists of C-level executives. Minutes are kept for these meetings, and votes are recorded with an app, he said.

In addition to procedures and best practices, the department conducts self-audits and self-checks, said Biondo. But it was an evolutionary process, he recalled.

"I did a lot when I first came in because of HIPAA and I built in more of an understanding that, when we make decisions, you look at the risks associated with the decisions. There are always going to be risks from a technology standpoint. As technologists we always have to communicate that proposition to the business folks," he said. "In the beginning, to get to where we are today, HIPAA had some requirements. We didn't do well in some of the audits, internally or externally."

Biondo is helping HCSC safely adopt other technologies, such as cloud, that bring agility and other business benefits.

"The other thing I always have to keep in mind and I would assume -- and if they're not doing so I would tell [other CISOs] -- is you cannot inhibit the organization. Cloud can make a lot of difference to a lot of businesses," he said. "In our industry, we have to deal with so many external partners and so many other entities, the cloud is becoming more and more of an issue for us. There are different types of cloud -- public, private and hybrid. We're looking at all of them. We do have a private cloud in place right now for some of our solutions." HCSC is also considering hybrid cloud options, he said.

How does your organization balance risk against business demands? Let us know in the comments section below.


Alison Diana has written about technology and business for more than 20 years. She was editor, contributors, at Internet Evolution; editor-in-chief of 21st Century IT; and managing editor, sections, at CRN. She has also written for eWeek, Baseline Magazine, Redmond Channel ...

Comments

asksqn, User Rank: Ninja, 4/29/2014 | 4:29:05 PM
Biondo is on to something
Since the IT department has been the traditional whipping boy whenever anything has gone wrong, from a blip on the Dow of the company's stock to clueless end users who have been trained but still ignore security issues nonetheless, it's nice to see a CISO with longevity.