Healthcare Perspectives


The Wide Range of Information/Cybersecurity Responsibilities

Aug 07, 2017
By: Rick Ensenbach

It’s a tough job, but somebody has to do it.

In many health care organizations, an information security officer position is responsible for facilitating the development, implementation, and oversight of all information/cybersecurity activities. This position goes by many different names: Chief Information Security Officer (CISO), Information Security Officer (ISO), or Chief Security Officer (CSO), to name a few.

Yet they all represent the same thing, one that matters to providers both big and small: it’s important to have a knowledgeable leader in charge of all aspects of security and risk management.

That leader’s responsibilities make up a long and critical list (below). Is anything missing from your information/cybersecurity leader’s list? Here are some of the key responsibilities* that should be on it:

  • Oversee, verify compliance, and enforce all activities necessary to comply with the regulatory requirements and the organization’s policies and procedures.
  • Create and maintain formal organizational and operational information security policies and procedures.
  • Manage the information security risk management program and proactively evaluate the effectiveness of the program, making changes as needed on an ongoing basis (compliance and vulnerability management).
  • Ensure plans for workforce security testing, training and monitoring activities are developed, implemented, maintained and reviewed for consistency with the risk management strategy and response priorities.
  • Perform or oversee technical and non-technical evaluations (i.e., assessments) to validate compliance with information security policies and procedures.
  • Document all activities and assessments completed to comply with the regulatory requirements and retain applicable documentation in accordance with federal and state record retention requirements.
  • Ensure security activities (e.g., implementing controls, correcting nonconformities) are coordinated in advance and communicated across the entire organization.
  • Annually and as necessary, review and update security program documentation.
  • Manage an ongoing workforce improvement program that provides initial, recurring, and annual security training to all workforce members.
  • Manage the security incident/breach response team.
  • Ensure that all systems undergo a security review annually or when changes occur that could impact system security.
  • Ensure that new systems undergo a thorough security review, prior to being put into production, to ensure that the confidentiality, availability and integrity of ePHI is properly maintained.
  • Assist human resources when necessary on matters pertaining to workforce background investigations and disciplinary action for non-compliance with security policies and procedures.
  • Work with the Privacy Officer on security matters that relate to patient privacy.
  • Ensure that all business associates, service providers, contractors, consultants, etc., have undergone a security evaluation prior to conducting business with them.
  • Assist in the administration and oversight of business associate agreements.
  • Provide annual “State of the Information Security Program” briefings to senior leadership and the board of directors/trustees on the overall posture of the security program to include areas of risk that require attention and incidents that occurred during the calendar year and what actions were taken to prevent reoccurrence.
  • Participate as a member of the incident management, crisis management, business continuity and disaster recovery teams.
  • Work with and advise facility management on matters pertaining to physical and environmental security.
  • Ensure security requirements for information systems are identified in mission/business processes and resources are allocated as part of capital planning and investment control processes.
  • Provide clear direction and visible management support for security initiatives.
  • Obtain and maintain resources needed for information security.
  • Oversee security measures needed to avoid cases of identity theft targeted at patients, employees and third parties.
  • Ensure that the implementation of information security controls is coordinated across the organization.
  • Manage information security specialists or coordinators at geographically separated sites.

*Based on numerous industry standards.


Director, Risk Advisory Services