"How Did You Let This Happen?"
From one healthcare CIO to another

Drex DeFord, longtime veteran CIO, is answering some familiar questions. And he wants you to join his new InfoSec club.

I’ve been a CIO for (literally) most of my life. There’s always been one constant: the battle for information security.

It’s never been about liking or not liking cybersecurity. The reality is that IT security responsibilities are the one thing that can kill your career if handled poorly. Whether it’s an analyst who fat-fingers a file location exposing patient info, a financial analyst who clicks on a nasty link in an email, or a technology partner who didn’t hold up their end of a business associate agreement – when there’s a security problem, the trail always leads back to the CIO, and the inevitable question: “How’d you let this happen?”

The blame-game is real. And the buck stops with you.

The most tender of my “blame” scars came from a healthcare organization I’d recently joined. Near the end of my first couple of months on the job, the compliance leader and the CFO came to me and told me they’d contracted with an external company to see how far they could get into the network, and the results weren’t good. During the briefing of the approximately 300 findings from the white-hats, the CFO turned to me and asked, only half-jokingly, “How’d you let this happen?” It didn’t matter that I’d documented a multitude of security shortcomings within weeks of my arrival, or that I’d requested funding to start a comprehensive remediation effort. It didn’t matter that the team had already put a major security program rebuild in progress. Whether this was actually my fault or not didn’t matter. The buck stopped with me.


Why do security breakdowns happen?

CIOs, and our partners in this non-stop war, the CISOs, spend thousands of hours per year shoring up defenses, improving information services processes, and training front-line staff and business associates to be information security martial artists.

Yet, the chain of defense seems to break down regularly. And it’s not because you have teammates who intentionally sabotage your security plans.

Slip-Ups for a Good Cause

As we all know, healthcare providers, and those who support them, face huge daily pressure to operate quickly. They are driven to get the job done, to take care of patients, and to take care of families. And that drive sometimes inadvertently causes a security slip-up.

Changing IT Environment

The environment we work in also changes quickly. We’re constantly patching applications and operating systems and finding compensating controls to manage the plethora of apps and devices we can’t patch due to mission requirements.

Staffing Pressure

At the same time, information security leaders, including the CIO and CISO, face a lot of daily pressure to find, train, and retain great staff. We need information security warriors to fight the battle daily. Unfortunately, those highly skilled individuals are hard to find, and harder to keep.

Tool Trouble

Add to that the plethora of great (and sometimes not so great) tools and services available to help fight the war. I’ve made information security investments I couldn’t sleep without; and some that made me lose sleep.


Enlist Trusted Peers and Partners to Help

My best advice? Don’t try to do this alone. Enlist your peers for help. Find professional security partners that turn products into services, making it easier for your organization to predict and manage. Find partners who understand the stress associated with running a healthcare operation. Find partners who understand that THEIR job is to have YOUR back. Good partners will free you and your staff up from the daily grind of security operations, so you can focus on the most important part of your mission: supporting patients and families.


Join the Club

I am working on getting some like-minded folks together to talk about how to find those trusted peers and partners. We are going to look at the different security solutions available to patient-focused organizations so we can all get better together. And we’ll all get better at answering the question, “How did you let this happen?”

If you’re interested, fill out the form on this page and I’ll get back to you with details.


Drex DeFord

Healthcare Executive Strategist, CI Security

Drex DeFord is a recovering CIO with a career spanning both coasts and the military. Drex was Chief Information Officer (CIO) at Steward Healthcare in Boston, Senior Vice President and CIO at Seattle Children's Health System and Research Institute, and Corporate VP and CIO at Scripps Health in San Diego. Before joining Scripps, Drex spent 20 years in the US Air Force, where he served as a regional CIO, a medical center CIO, and Chief Technology Officer for the USAF Health System's World-Wide Operations in Washington, DC. He’s the Past-Chair of CHIME’s Board of Trustees and has served on the HIMSS National Board. Drex now spends his time as an independent consultant, bringing together trusted health systems, payers, associations, vendors, and investors to solve healthcare's toughest problems.