Considerations for Building Successful Security Governance
Kaiser Permanente's Eric Liederman and Steven Frank on Balancing Business Needs
Effective security governance in a healthcare entity is a balancing act that requires sponsorship by top leadership and careful consideration of the concerns of clinicians and others in the organization, according to Eric Liederman and deputy CISO Steven Frank of Kaiser Permanente.
"In our case, we have an executive sponsors group and also people closer to the ground with a broad array of perspectives - HR, compliance, medical informaticists, IT, privacy and technology - that are part of security governance," said Liederman in an interview with Information Security Media Group on Tuesday during the 2023 Healthcare Information Management and Systems Society Global Health Conference and Exhibition in Chicago.
That same model is used for other types of governance in Kaiser Permanente, as well, Liederman said. "If you don't protect [technology], you may as well not have it."
As a deputy CISO, Frank said he is strongly driven by technology matters, but that's just one part of the equation. "I come in every day thinking about technical risk and all the nuances around vulnerabilities and threats," Frank said. "But I want to make sure that the solutions that I'm recommending aren't going to be adding unnecessary friction in the business - and in care delivery in particular. I don't want to be the friction point.
"So how do we do that? We need a governance structure that can help us ensure that the decisions that we make have been well thought through," Frank said.
In this interview with Information Security Media Group, Liederman and Frank also discuss:
- How to build and implement an effective healthcare IT security governance program;
- Top considerations in balancing the technical needs of clinicians with the cybersecurity priorities of the organization;
- Vendor risk management challenges.
Liederman, an internal medicine physician, is the national leader of privacy, security and IT infrastructure for The Permanente Federation. He is accountable for privacy and security, IT investment, large program governance and IT infrastructure delivery and resilience.
Frank is responsible for cybersecurity at Kaiser Permanente, which provides healthcare and not-for-profit health plans to 12.2 million members across eight states and the District of Columbia. He joined the company in 2021 after 15 years of federal service supporting the U.S. intelligence community.