BOSTON—A panel of CISOs shared their organizations’ IT security game plan during the 2015 Privacy and Security Forum, offering strategies that often parlayed off of past problems to ward off new threats.

Barry Caplin, CISO at Fairview Health Services, said his position was created as a result of a lost laptop. He called for IT security professionals to go back to basics with “simple stuff” such as conducting hardware and software inventory and reviewing devices in use.

Caplin said he is part of a group in the Minneapolis-St. Paul area committed to sharing information and details about security threats. “We are not competitors. We’re all in this together. We work on making each other stronger.”

University of Vermont Health Network is focused on leveraging the tools already in place and determining how to share information gathered, said CISO Heather Roszkowski.

Boston Children’s Hospital was the victim of a distributed denial of service (DDoS) attack two years ago which has dictated the organization’s strategy ever since, said CISO Paul Scheib. “We’ve been focusing on all the shortfalls experienced during that period.”

Darren Lacey, CISO of John Hopkins University, has been working to get senior leadership focused on data breach threats. All the breaches in healthcare have led to leadership being less tolerant of being hacked but also less tolerant of any kind of security problem, he said. “That has been remarkable. Seeing how vulnerable you are to big things makes people more concerned about the little things.”

Fairview is always measuring against its peers, said Caplin. When he started in his position two years ago, he wanted to set a baseline but found few tools.

Roszkowski brought in an outside firm to conduct a risk analysis. She also set to work changing the culture. “It grows quickly. When people see the possible detriment to patients, they see the value.”

Caplin admitted that healthcare has been late to the security game. “HIPAA drove things forward.” However, the proliferation of apps and devices means that every doctor has his or her own special software. And, EHRs moved problems from paper to electronic. “Authentication itself is not the solution. Lots of people come and go working on different organizations’ networks so we have to figure out where the biggest problems are going to be. A lot of issues come back to the products.”

Hiring someone to conduct an assessment is an option but organizations need someone on staff who really understands the results of that assessment so the organization can prioritize its security efforts, said Roszkowski.

Caplin recommended that security chiefs get out on the frontlines and understand how everyone does their business. “Get out of the office and talk to people so you know how your decisions influence people and affect clinicians trying to care for patients.”

He also noted that innovation never stops and it’s never okay to say no. So, “figure out a way to allow innovation in the door and take an appropriate risk approach.”

“Our job in security is to, as best we can, influence the wider organization but principally the IT organization which does a lot of work on preventive controls will be influenced by us if we’re doing our jobs correctly” said Lacey. He said CISOs also need to recognize that demands that are difficult for IT staffers to achieve will be paid for in some way down the line.

Most security departments are very small, noted Schieb. “Real security happens throughout the whole organization so unless you can affect that you don’t have much of a chance.” His organization has been working to have security goals included as part of all employees’ annual review. Security “is a team sport,” he said. “You can’t get there unless you have everyone going in the same direction.”