As the longtime chief information security officer of Health Care Service Corp. (HCSC), Ray Biondo navigates the seemingly polar goals of managing risk and empowering the large customer-owned health insurer to tap new opportunities and technologies.
In a position known for turnover, Biondo is a rarity. He became CISO in 2005 and has seen CISO tenure decrease around him. Only 3% of supervisory IT security professionals remain with their organization for 10 or more years, according to a recent Ponemon Institute report.
"The secret to my success, because the lifespan of a CISO is probably about three years, is really taking the risk-based approach and making sure you engage the business and get their vote," Biondo said.
He's actually optimistic: Tenure is about 18 months, online data suggests. If a breach occurs, an organization typically scapegoats the CISO. Alternatively, an organization might well remove a CISO who controls security so tightly that the business cannot easily adopt mobile, Web-based, Internet of Things, or other technologies vital to its growth.
Recognizing the balancing act he faced, Biondo saw HCSC's CISO position morph into a risk-management role, he said in an interview. That required open communication and education.
"It evolved from guys setting up firewalls to more of a trusted advisor to the C suite and board of directors," said Biondo.
Within a healthcare organization, a CISO is critical, and never more so than today, when patients, clinicians, and employees access sensitive data remotely and via mobile devices, he said.
"We now have a different customer, a different client than we had in the large member organization," Biondo said. "How do we protect that data? How do we still enable customers' access to that data?"
HCSC processes between 700,000 to 1 million claims a day, he said. Biondo and his team are charged with protecting all that personal health information (PHI) as it travels internally and externally throughout the insurer, its business associates, and providers.
To decide whether a given risk is acceptable, Biondo created a structured process in which a council of peers reviews each new technology and votes on whether the risk it introduces is acceptable or unacceptable.
"In order for me to motivate the business or IT business overall to give me funding to alleviate this risk, I didn't want to use FUD [fear, uncertainty, doubt]. I wanted to present to them in business language, what the issue was," he said. "I'm educating the business about risk they never would have known about and also the IT executives, in some cases, wouldn't have known about."
Although Biondo usually abides by the council's consensus, he can appeal a decision by taking it to the Senior Risk Advisory Council, which consists of C-level executives. Minutes are kept for these meetings, and votes are recorded with an app, he said.
In addition to procedures and best practices, the department conducts self-audits and self-checks, said Biondo. But it was an evolutionary process, he recalled.
"I did a lot when I first came in because of HIPAA and I built in more of an understanding that, when we make decisions, you look at the risks associated with the decisions. There are always going to be risks from a technology standpoint. As technologists we always have to communicate that proposition to the business folks," he said. "In the beginning, to get to where we are today, HIPAA had some requirements. We didn't do well in some of the audits, internally or externally."
Biondo is helping HCSC safely adopt other technologies, such as cloud, that bring agility and other business benefits.
"The other thing I always have to keep in mind and I would assume -- and if they're not doing so I would tell [other CISOs] -- is you cannot inhibit the organization. Cloud can make a lot of difference to a lot of businesses," he said. "In our industry, we have to deal with so many external partners and so many other entities, the cloud is becoming more and more of an issue for us. There are different types of cloud -- public, private and hybrid. We're looking at all of them. We do have a private cloud in place right now for some of our solutions." HCSC is also considering hybrid cloud options, he said.
Download Healthcare IT In The Obamacare Era, the InformationWeek Healthcare digital issue on changes driven by regulation. Modern technology created the opportunity to restructure the healthcare industry around accountable care organizations, but ACOs also put new demands on IT.