Click here to close now.


News Feed Item

The New Healthcare Vulnerability: Closing the Cybersecurity Leadership Gap

HITRUST, in partnership with Southern Methodist University’s (SMU) Cox School of Business, today announced the first Healthcare Information Security and Technology Risk Management Graduate Certificate Program. This new program was founded to address the evolving role of Chief Information Security Officers (CISOs) and Chief Technology Risk Officers (CTROs) within healthcare organizations by providing security and risk professionals the industry-specific skills and competencies lacking today and needed to advance into these senior leadership positions. With the rise of digital risks throughout healthcare organizations, these gaps in talent are proving more troubling than technical gaps.

A high-profile faculty of professors from SMU’s Cox School of Business and Lyle School of Engineering will lead and govern the new program, as well as selected adjunct professors representing CISOs, CIOs and other senior-level executives from leading healthcare companies. Please see details regarding program leaders and oversight committee members below.

The exploding volume of sensitive electronic information in the healthcare industry, coupled with the need for instant access to information across devices and geographies, has magnified cybersecurity threats to these organizations. In fact a privacy breach on the scale of retailer Target’s is anticipated, according to health information security experts. At the same time, regulatory compliance scrutiny and fines as well as competitive pressures to innovate in a fast-paced digital economy are increasing. This risk environment is evolving at a much faster pace than security teams can keep up. As a result healthcare organizations are being forced to redefine and expand and structure of the CISO and CTRO role and the demand being placed on those executives who occupy the position, creating a gap between the demands of the job and the skills by those holding the positions. Yet the resources and formal programs available to help mature and enhance the skills have not been available.

This trend parallels predictions by security industry analysts. In fact, By 2017, 1/3 of large enterprises engaging in digital business will have a Digital Risk Officer or equivalent according to Gartner1.

"Digital risk officers (DROs) will require a mix of business acumen and understanding with sufficient technical knowledge to assess and make recommendations for appropriately addressing digital business risk," wrote Paul Proctor et al., vice president and distinguished analyst at Gartner. "Many traditional security officers will change their titles to digital risk and security officers, but without material change in their scope, mandate, and skills they will not fulfill this role as we are defining it."

The Healthcare Information Security and Technology Risk Management Graduate Certificate Program addresses the major lack of relevant curriculum to develop these complex roles as well as a lack of relevant credentials that prospective employers can use to identify candidates. Unlike other certificates and courses today that are primarily basic or technical, the program addresses the gap for healthcare-specific information security technology, leadership and business-level management paths. Individuals passing the exam will receive a certificate in Healthcare Information Security and Technology Risk Management (CHISTRM).

The curriculum will span a range of topics including:

  • Information technology and security challenges in a healthcare environment
  • How to create a culture of security and privacy
  • IT leadership and dealing with privacy and ethics issues
  • Impact of industry, state and national regulations and policies
  • Economics of information security and risk management
  • IT security within business processes, and the IT infrastructure
  • Project management
  • Risk assessment and management methodology

Classes will be held quarterly at SMU starting in October 2014. Admission to the fellowship program will be based on nomination by the applicant’s senior management (CIO, CISO, etc.). Individuals interested in participating will also have to complete an application, meet the minimum education and experience requirements in information security and IT management and computer science. For more information on the program or the application process please visit:

Program Leaders

Amit Basu Ph.D. Professor, Carr P Collins Chair in MIS, ITOM Dept
Chair and Fred Chang, Director, of SMU Lyle’s Darwin Deason Institute for Cyber Security
Bobby B. Lyle Centennial Distinguished Chair in Cyber Security Professor

Program Oversight Committee

Sharon Finney, Corporate Data Security Officer, Adventist Health System
Erick Rudiak, vice president and CISO, Express Scripts
Robert Booker, vice president and CISO, United Health Group
Jon Moore, vice president and CISO, Humana
Roy Mellinger, vice president and CISO, WellPoint
Michael Wilson, vice president and CISO, McKesson
David Muntz, senior vice president and CIO, GetWellNetwork
Pamela Arora, senior vice president and CIO, Children’s Medical Center
Patrick Joyce, vice president, Global IT, Chief Security and Privacy Officer, Medtronic
Jorge D. DeCesare, vice president and Chief Information Security Officer, Dignity Health

Supporting Quotes

“Healthcare is a risk-sensitive, information-driven endeavor. The digitization of data across the healthcare continuum raises concerns about security and privacy. This new certificate program will provide an opportunity to share insights and experiences that will help those who have newer and broader responsibilities prepare the increasingly complex healthcare enterprise for the future.”
-David S. Muntz, CHCIO, FCHIME, LCHIME, FHIMSS, SVP & CIO, GetWellNetwork

“Successful healthcare industry CISOs in today’s connected digital economy need not only technical expertise but also business knowledge, to work effectively with CXOs on increasingly critical information security and risk management issues. That is the focus of the CHISTRM program.”
-Amit Basu Ph.D., Professor, Carr P Collins Chair in MIS, ITOM - Dept. Chair

“New regulations tied to the Affordable Care Act are now in effect regarding protected health information and electronic health records, which only underscores the need for data security to ensure privacy among patients. Cyberspace can be a pretty bad neighborhood, with too few barriers standing between hackers and their targets. Healthcare providers recognize that data security is of vital importance to their business.”
-Fred Chang, Director of Darwin Deason Institute for Cyber Security Bobby B. Lyle Endowed Centennial Distinguished Chair in Cyber Security at the Lyle School of Engineering, SMU

“HITRUST is engaged with all types and sizes of organizations in the industry and has substantial insights into their information protection practices and the impact a properly educated and trained information security leaders can have on the organization. The industry needs to invest in the CISOs and CTROs of the future to ensure the protection of vital information assets and systems, and maintain consumer confidence.”
-Daniel Nutkis, CEO, HITRUST

About SMU Cox

SMU's Cox School of Business, originally established in Dallas in 1920 and named in honor of benefactor Edwin L. Cox in 1978, offers a full range of undergraduate and graduate business education programs. Among them: BBA, Full-Time MBA, Professional MBA (PMBA), Executive MBA (EMBA), Master of Science in Accounting, Master of Science in Business Analytics, Master of Science in Entrepreneurship, Master of Science in Finance, Master of Science in Management, Master of Science in Sport Management, as well as Executive Education and multiple certificate programs. The SMU Cox international alumni network includes chapters in more than 20 countries.

About SMU

SMU is a nationally ranked private university in Dallas founded 100 years ago. Today, SMU enrolls nearly 11,000 students who benefit from the academic opportunities and international reach of seven degree-granting schools.


The Health Information Trust Alliance (HITRUST) was born out of the belief that information protection should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST, in collaboration with healthcare, business, technology and information privacy, risk and security leaders, has established a number of programs to support any and all organizations that create, access, store or exchange personal health and financial information. HITRUST is supporting the industry through its framework, assurance program, cyber center, risk management tools, education and leadership. It is also driving the widespread confidence in the industry’s safeguarding of health information through awareness, education, advocacy and other outreach activities. For more information, visit

All product and company names herein may be trademarks of their respective owners.

1 Innovation Insight: Digital Business Innovation Risk Will Bring About the Rise of the Digital Risk Officer," Published: 18 June 2014, Analyst(s): Paul E. Proctor | Earl Perkins | Andrew Walls.

More Stories By Business Wire

Copyright © 2009 Business Wire. All rights reserved. Republication or redistribution of Business Wire content is expressly prohibited without the prior written consent of Business Wire. Business Wire shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.

Latest Stories
I recently attended and was a speaker at the 4th International Internet of @ThingsExpo at the Santa Clara Convention Center. I also had the opportunity to attend this event last year and I wrote a blog from that show talking about how the “Enterprise Impact of IoT” was a key theme of last year’s show. I was curious to see if the same theme would still resonate 365 days later and what, if any, changes I would see in the content presented.
Cloud computing delivers on-demand resources that provide businesses with flexibility and cost-savings. The challenge in moving workloads to the cloud has been the cost and complexity of ensuring the initial and ongoing security and regulatory (PCI, HIPAA, FFIEC) compliance across private and public clouds. Manual security compliance is slow, prone to human error, and represents over 50% of the cost of managing cloud applications. Determining how to automate cloud security compliance is critical...
The Internet of Things (IoT) is growing rapidly by extending current technologies, products and networks. By 2020, Cisco estimates there will be 50 billion connected devices. Gartner has forecast revenues of over $300 billion, just to IoT suppliers. Now is the time to figure out how you’ll make money – not just create innovative products. With hundreds of new products and companies jumping into the IoT fray every month, there’s no shortage of innovation. Despite this, McKinsey/VisionMobile data...
Just over a week ago I received a long and loud sustained applause for a presentation I delivered at this year’s Cloud Expo in Santa Clara. I was extremely pleased with the turnout and had some very good conversations with many of the attendees. Over the next few days I had many more meaningful conversations and was not only happy with the results but also learned a few new things. Here is everything I learned in those three days distilled into three short points.
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo 2016 in New York and Silicon Valley. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 17th Cloud Expo and will feature technical sessions from a rock star conference faculty ...
In his General Session at DevOps Summit, Asaf Yigal, Co-Founder & VP of Product at, explored the value of Kibana 4 for log analysis and provided a hands-on tutorial on how to set up Kibana 4 and get the most out of Apache log files. He examined three use cases: IT operations, business intelligence, and security and compliance. Asaf Yigal is co-founder and VP of Product at log analytics software company In the past, he was co-founder of social-trading platform Currensee, which...
DevOps is about increasing efficiency, but nothing is more inefficient than building the same application twice. However, this is a routine occurrence with enterprise applications that need both a rich desktop web interface and strong mobile support. With recent technological advances from Isomorphic Software and others, rich desktop and tuned mobile experiences can now be created with a single codebase – without compromising functionality, performance or usability. In his session at DevOps Su...
As organizations realize the scope of the Internet of Things, gaining key insights from Big Data, through the use of advanced analytics, becomes crucial. However, IoT also creates the need for petabyte scale storage of data from millions of devices. A new type of Storage is required which seamlessly integrates robust data analytics with massive scale. These storage systems will act as “smart systems” provide in-place analytics that speed discovery and enable businesses to quickly derive meaningf...
In his keynote at @ThingsExpo, Chris Matthieu, Director of IoT Engineering at Citrix and co-founder and CTO of Octoblu, focused on building an IoT platform and company. He provided a behind-the-scenes look at Octoblu’s platform, business, and pivots along the way (including the Citrix acquisition of Octoblu).
In his General Session at 17th Cloud Expo, Bruce Swann, Senior Product Marketing Manager for Adobe Campaign, explored the key ingredients of cross-channel marketing in a digital world. Learn how the Adobe Marketing Cloud can help marketers embrace opportunities for personalized, relevant and real-time customer engagement across offline (direct mail, point of sale, call center) and digital (email, website, SMS, mobile apps, social networks, connected objects).
The buzz continues for cloud, data analytics and the Internet of Things (IoT) and their collective impact across all industries. But a new conversation is emerging - how do companies use industry disruption and technology enablers to lead in markets undergoing change, uncertainty and ambiguity? Organizations of all sizes need to evolve and transform, often under massive pressure, as industry lines blur and merge and traditional business models are assaulted and turned upside down. In this new da...
We all know that data growth is exploding and storage budgets are shrinking. Instead of showing you charts on about how much data there is, in his General Session at 17th Cloud Expo, Scott Cleland, Senior Director of Product Marketing at HGST, showed how to capture all of your data in one place. After you have your data under control, you can then analyze it in one place, saving time and resources.
Culture is the most important ingredient of DevOps. The challenge for most organizations is defining and communicating a vision of beneficial DevOps culture for their organizations, and then facilitating the changes needed to achieve that. Often this comes down to an ability to provide true leadership. As a CIO, are your direct reports IT managers or are they IT leaders? The hard truth is that many IT managers have risen through the ranks based on their technical skills, not their leadership ab...
In recent years, at least 40% of companies using cloud applications have experienced data loss. One of the best prevention against cloud data loss is backing up your cloud data. In his General Session at 17th Cloud Expo, Sam McIntyre, Partner Enablement Specialist at eFolder, presented how organizations can use eFolder Cloudfinder to automate backups of cloud application data. He also demonstrated how easy it is to search and restore cloud application data using Cloudfinder.
The Internet of Everything is re-shaping technology trends–moving away from “request/response” architecture to an “always-on” Streaming Web where data is in constant motion and secure, reliable communication is an absolute necessity. As more and more THINGS go online, the challenges that developers will need to address will only increase exponentially. In his session at @ThingsExpo, Todd Greene, Founder & CEO of PubNub, exploreed the current state of IoT connectivity and review key trends and t...