After more than a quarter century with the organization, John Houston knows how to find his way around UPMC. And when it comes to being an effective security leader, that not only helps him move complex issues along, but also ensures everyone else knows who to come to for any security-related concerns. His guiding mantra? Reduce risks as much as possible without becoming an impediment to business. It’s as much art as science, if not more so. In this interview with healthsystemCIO Founder & Editor-in-Chief Anthony Guerra, Houston covers these areas and much more.
TOC
* The Relationship Between Security & Data Governance
* Third-Party Risk Management
* Security is More than Technology
* Security Frameworks
* High on HITRUST
* Third-Party Risk Management II
* The Nexus of Security & Application Rationalization
* No Saying No
Anthony: Welcome to the healthsystemCIO interview with John Houston, vice president of information security and privacy and associate counsel with UPMC. I’m Anthony Guerra, founder and editor-in-chief. John, thanks for joining me.
John: Good morning. Thank you.
Anthony: Alright, very good. John, please tell me a little bit about your organization and your role.
John: UPMC is a very large integrated delivery system based out of Pittsburgh, Pennsylvania, of over 40 hospitals. I forgot the exact revenue, but it’s somewhere around, I think, $27 billion. We also have a large health plan as part of UPMC. So we cover, I believe, all of Pennsylvania and maybe parts of a few other states.
The Relationship Between Security & Data Governance
My role is I’m responsible for information security. And frankly, what we found is that security and privacy are becoming more and more merged. And so I’m also responsible for privacy, and you can’t really do either without really being responsible as well for data governance, which is a big part of my job too. I think if you look back a few years when the Office of Civil Rights was doing their audits, one of the things they found was that a lot of organizations weren’t doing an adequate risk assessment. The reason why they weren’t doing adequate risk assessments is because they didn’t know where their data was at. So when people ask why do I do data governance, it’s because of that. You have to know where your data assets are in order to be able to appropriately secure them and then overlay appropriate privacy principles as well. So it’s really a merged function that is together just because of that.
Anthony: Very good. Now John, are you essentially the CISO or is there a CISO I’m not aware of?
John: I am the CISO. I guess, I’m bucking the trend in titles.
Anthony: You don’t want to just add it on, throw a little acronym in there? (laughing)
John: I guess I could but to me, the title works for me. If you think about it at the end of the day, if something bad happens they know who to come to anyway, regardless of the title.
Anthony: But I did see, if I’m not incorrect, the health plan has a CISO, is that correct?
John: Yes, the health plan has somebody that does mostly application-level security. I don’t want to misstate his responsibilities,