Our Experts

CIOs and CISOs must devote their effort to over-communicate in the upcoming weeks on the security announcements, emphasizing organizational vigilance. ChristianaCare, CISO with Anahi Santiago, worked profusely on sending out multiple enterprise communications focused on situational awareness and calls of action for IT and hospital operations. She has also partnered extensively with her enterprise storage vendor on preparedness and response.

If you’re still waiting for your stimulus check, you’re not alone. And you’re especially vulnerable to getting scammed in a cyberattack, as the federal payments are one of the latest forms of bait used by cybercriminals during the COVID-19 crisis, says Anahi Santiago, ChristianaCare’s chief information security officer. In March, when the coronavirus was declared a pandemic and U.S. states started ordering lockdowns, Atas VPN analyzed the Google data and found that the number of phishing websites spiked 350% compared to January 2020.

When Malcolm Gladwell first introduced the concept of the tipping point in his debut book, it was defined as “that magic moment when an idea, trend, or social behavior crosses a threshold, tips, and spreads like wildfire.” And while healthcare IT has had its share of tipping points throughout the years, few have been quite as powerful as the dramatic rise of telemedicine. It has fundamentally changed the way in which patients seek care and communicate with providers, and has enabled organizations to stay afloat during a devastating situation. However, telehealth’s unprecedented growth hasn’t come without risks, particularly from a security perspective. “It’s a challenge, but one we have to accept,” said Anahi Santiago, CISO at ChristianaCare. “We have to work with our stakeholders in clinical, business and technology to up our security game.” According to Santiago, who addressed the topic during a panel discussion with Sri Bharadwaj (VP of Digital Innovation with Franciscan Health) and Jonathan Langer (Co-Founder & CEO, Medigate), it’s going to require conversations around risk management and treatment, partnerships with technology providers, and a willingness to embed security processes throughout the entire life cycle of the supply chain. And it doesn’t stop there. “We need to make sure everyone is doing what they’ve contractually agreed to do, and that as the threat landscape changes, we’re circling back and making sure we’re not introducing new risks to the technology we’ve brought on board.”

“Ten years ago, cloud technology was still in its infancy,” said Anahi Santiago, CISO at Newark, Delaware-based ChristianaCare Health System. “Most industries, including healthcare, were still trying to wrap their arms around what the cloud entailed and potential risks associated with moving toward the technology. Lack of visibility, standards and transparency were of primary concern, as were issues of privacy, security and overall compliance.”

When I spoke with Anahi Santiago, CISO of Delaware-based ChristianaCare Health System, at the HIMSS Healthcare Security Forum 2018 in San Francisco, she cut right to the chase.

"I remember the days when we used to worry about spring break, because that's when the bored college kids would write the viruses," said Anahi Santiago, CISO at Wilmington, Del.-based ChristianaCare Health System. "It has changed significantly from what it was even 10 to 15 years ago."

We lock our doors when we leave home, and we password protect our devices. This sense of security is baked into our daily lives. Data security in health care is particularly complex. Consider all of the information that you share with your doctor and your health care team—and then think about all of the high-tech devices and software programs that collect and share information about you. Every lab test, CT scan and prescription involves sensitive data that must be handled and stored securely.

Whether it's protecting against ransomware attacks, managing insider threats, implementing device management policies or convincing the C-suite to open its purse-strings, the role of a chief information security officer is a complex one.