Taking Security Seriously

As CIO of Spok, I count security as one of my top responsibilities; the same is true for CIOs and CISOs of hospitals and health systems everywhere. Although it’s only one piece of the pie, it’s certainly a significant one that we must take seriously. Healthcare records for one in three Americans were breached last year, with records of nearly 112 million people affected. More than any other industry, healthcare has a target on its back because patient records contain a wealth of information that is highly valuable to cybercriminals. According to a study by the Ponemon Institute, healthcare has emerged as the industry with the highest cost per stolen record, with the average cost for organizations reaching as high as $363/record, versus an average of $154/record across all industries.

I take security seriously not only for Spok internally, but also for Spok’s customers. I earned the Certified Information Systems Security Professional (CISSP®) credential in 2014 in support of the increased focus both Spok and our customers are placing on preventing data breaches. A vendor-neutral certification, the CISSP was the first credential in the field of information security to meet the stringent requirements of ISO/IEC Standard 17024—and it is globally recognized. To obtain CISSP, information security professionals with at least five years of experience must pass a strenuous, six-hour exam that tests their knowledge across eight domains covering all aspects of security frameworks. It also has to be renewed every three years with continuing education requirements like attending industry courses and conferences.

I like to describe the CISSP credential as a mile-wide, inch-deep credential. You may not be a subject matter expert within each domain, but it validates your ability to see the wider view—oversight of all eight domains and an understanding of how each one relates to the others. For example, a CIO or CISO with CISSP might not be getting into the nitty gritty detail of firewall configuration, but they will understand how the configuration relates to network routing security and data protection policies, and can lead their teams accordingly.

The CISSP credential is valuable in many ways, but the one that matters most to me is that it illustrates to our customers that Spok takes security incredibly seriously; our customers can count on us to help them protect their data. I regularly interact with security and risk management staff at the hospitals and health systems Spok partners with, and we’re on the same page. We fully understand our obligations for HIPAA compliance and protected health information (PHI), and I’ve found it gives the folks I work with a comfort level that we take security as seriously as they do.

While becoming a CISSP isn’t for everyone—there are other security credentials out there and not every information security professional feels the need to obtain certifications—it’s strengthened my focus on our security protocols in conjunction with the changing landscape around HIPAA and the international laws of data protection. I can prove to our customers that I have a deep knowledge and understanding of new threats, technologies, regulations, standards, and practices, and we can work side by side to protect their patients’ privacy and security.