The key to cyber success is having team security on team patient safety, not the other way around, according to Martin Fisher, CISO at Northside Hospital in Georgia. Recently, Martin spoke with Anthony Guerra, Editor-in-Chief of healthsystemCIO.com, about the biggest challenges his team faces, his approach as an ‘outcomes-driven CISO,’ and the best way to say ‘no.’

LISTEN HERE USING THE PLAYER BELOW OR SUBSCRIBE THROUGH YOUR FAVORITE PODCASTING SERVICE. 

Bold Statements

The way I think about regulation is I have to follow it, but I am more of an outcomes-driven CISO – I ask myself, what is the regulation trying to get me to accomplish versus the prescriptive.

They think: confidentiality, integrity, availability, and they look at it in that order. When from us, it’s availability, integrity, confidentiality.

You also have to walk the talk, right? We’ve made decisions here that accept other risk because the alternative was a patient safety risk.

Are there times when we deploy things I’d rather not? Sure, happens all the time. But again, my job is not to tell people no. Our job is to sometimes say, ‘Not like that.’

Nothing helps a CISO more than having an outside third party validate what you’ve been saying for a long, long time.

Guerra: Hi Martin, thanks for joining me.

Fisher: Glad to be here today.

 

Guerra: Very good. Please tell me a little bit about your organization and your role.

Fisher: Northside Hospital, we’re in Atlanta. We’re a 5-hospital system. We have about 300 outpatient departments, about 200 practices that roll up. Probably the thing we’re best known for locally is about 35,000 babies are born in our women’s center here in Atlanta every year. Women services is a really big service line, the oncology, the cardiology.

I’ve been here about 8 years, building a security program from scratch over that time. Fantastic place to be.

 

Guerra: Very good. I always like to find out how CISOs wound up where they are. So let’s talk a little bit about your career journey. I saw that you came into healthcare in 2010 from Delta Airlines. That’s an interesting switch. Can you take me through your career?

Fisher: I ended up in security actually by accident. Prior to being in security, I worked a lot in release engineering. I was managing and owning the software source code repository at the airline when my boss got moved over to be the CISO at the airline and he needed someone to come in and help build the security operations side.

He asked me to come over, and Barry is fantastic and is one of the best bosses I’ve ever had, I’m like, “Absolutely, I’m going to jump at the opportunity to learn a new thing.” Got into security there and it was sort of like a duck takes to water. I really enjoyed it.

Like a lot of things, your time at a company ends, so I moved over into healthcare. A lot of people think commercial aviation and healthcare, they’re so radically different. They’re actually not and here’s why. Pilots and physicians are very similar personality types. Pilots, when they’re flying that aircraft, they have a couple hundred people on a stainless steel tube, miles above the earth and they’re responsible for the lives of everyone on that plane. Physicians, especially some of the surgery specialties, they have that person’s life, even the primary care docs, the health and welfare of that patient is in their hands.

Nurses and flight attendants also have very similar personalities to each other.