Cooperation and communication between risk functions has never been more critical than in today’s fast-paced, technology-driven environment. And with cyber-threats growing and companies collecting more and more data on customers and employees, perhaps no two departments need to work as closely as compliance and information security.

This is especially true in the highly regulated healthcare industry, which has to store and protect medical records and other highly sensitive patient data. Compliance Week recently caught up with two senior-level executives—one in compliance, one in information security—at LifePoint Health, which employs nearly 60,000 people and operates community hospitals, regional health systems, physician practices, and outpatient centers across 29 states.

Our Q&A with the recently hired Ellen Hunt, the company’s VP for compliance program operations and chief privacy officer (and a compliance veteran of more than 15 years), and Andy Heins, VP and chief information security officer (CISO), centered on how compliance and cyber-security work together at LifePoint, why a holistic approach to risk management makes for a more agile organization, and much more.

Q: Can you each describe your roles in simple terms?

Ellen Hunt

Ellen Hunt, LifePoint Health VP for Compliance Program Operations and Chief Privacy Officer

Hunt: The role of compliance is to enhance and protect the reputation of the organization by identifying and mitigating risk. At its core, compliance’s mission is to help the organization, and the people in it, make the best ethical decisions.

Heins: The role of information security is very similar to what Ellen outlined as far as protecting the company around the confidentiality, integrity, and availability of our systems at a high level and making sure we’re protecting our patients’ information through that process. We’re continuously monitoring our environments to ensure we’re providing the best services we can and positive outcomes for our patients.

Q: What is the through-line (the connecting theme) between cyber-security and compliance within an organization?

Hunt: It’s trust—not only that your stakeholders put in you and the organization, but trust with one another. We live in a very complex world, and silence and silos will sink you. So the through-line is coordination, trust, and working together.

Andy Heins

Andy Heins, LifePoint Health VP and Chief Information Security Officer (CISO)

Heins: I would concur on that. Our environment is very complex. The healthcare ecosystem is complex, and there’s not one person who knows everything. And so we’re reliant on other leaders within the organization, from a compliance or regulatory standpoint, from a technical standpoint—what bad actors are doing—and from a legal standpoint as well. When it comes to collaboration, we need to be able to work with one another quickly. One thing that’s probably a silver lining in the COVID-19 era, when more team members are remote, is that we’re able to quickly collaborate without having to find out someone is in a meeting and isn’t available, for example.

Q: Who owns cyber-risk management within the organization? Is it a shared responsibility?

Heins: I am a leader for cyber-risk oversight. We have multiple steering committees and executive oversight committees where cyber-risks are shared and communicated.

Hunt: One of the themes that is evolving is that none of us can do this all by ourselves. Sometimes the compliance team may have information that informs the IT security team on where some of those vulnerabilities might lie and where we might have an opportunity to shore up some systems and processes and vice versa. Getting the message out and making sure that people know what they’re supposed to do and when they’re supposed to do it is definitely part of compliance obligations. So, we support one another.

Q: You mention the two functions support each other. How does that work in practice?

Heins: As things come up in an organization—if it’s a privacy-related issue or something that’s a compliance trigger that might roll over to my area or vice versa—we typically need to communicate more often to keep everyone in the loop and share essential facts related to the matter at hand: who, what, when, where, why. The other thing that marries our departments together is our company mission of “Making Communities Healthier.”

Hunt: I think it’s hand in glove, or two cogs as part of a big wheel. Nobody can do it by themselves, because we don’t all have the same information. And the more you collaborate, the more you communicate, and the better we’ll all be at protecting the organization. It’s really about sharing that information, sharing expertise, and sharing your best ideas to make policies and procedures better, to make processes better, and to communicate to the organization as a whole better. I don’t know how an organization survives if these two critical functions aren’t working very closely together.

Q: Traditionally, have the CCO and CISO worked closely together at companies, or is this a more recent phenomenon?

Hunt: We’re seeing across all kinds of industries a real convergence between risk functions. There’s the emergence of the chief risk officer, who may have information security, compliance, internal audit services, and enterprise risk management functions reporting to them so that the organization gets a more holistic view of risk. Organizations that will be successful in the future are going to be those that can transform to collaborative organizations that see risk more holistically because the response has to be rapid and thorough. And if you continue to operate in silos, you simply won’t be servicing your stakeholders in ways that they increasingly expect.

We used to say that change is constant. I think transformation is constant now. Anybody who isn’t looking at how things are today with the viewpoint of how they need to be for tomorrow—that future-looking viewpoint—is missing huge opportunities. In the past, sometimes we did audits that looked at things that happened a year ago or two years ago. And that’s just not our world anymore. You’ve got to be forward-looking and looking through the windshield, not the rearview mirror.

Q: What is compliance’s role in cyber-incident response?

Heins: Compliance is involved in our core event response team that we support internally. The compliance and privacy operations team leads and supports investigations and provides strategic guidance for subject matter topics around compliance and privacy laws. Compliance is definitely front and center and a strategic teammate in our incident response processes.

Hunt: We may have an incident that really impacts Andy, and he may have one that really impacts us, so it gets back to communication as well. Our company is very large, with 88 hospitals across 29 states. As you can imagine, it’s really important to look and see whether we have systemic issues or one-off issues and to engage in risk assessments so that we are continually and proactively getting better and not just simply taking care of issues in isolation. The data analytics piece is huge.

Q:  At Compliance Week’s recent cyber-risk virtual conference, a speaker said cyber-security is about people, processes, and technology. Do you agree with that?

Heins: I’d agree with that. People typically try to fix a problem with technology first, which isn’t always the right thing to do. I would probably focus on technology being the last component, because whatever the technology is, it’s not going run by itself; you need to hardwire things around it. A company can buy a bunch of shiny cyber-security tools, but if we don’t have the right people and processes in place, those technologies aren’t going to be very successful.

Hunt: I’ll focus just on the people aspect. Whenever you have people, you have risk, and every organization has people. Sometimes we design things based on our own subject matter expertise without putting the user at the center, and that’s where things fall apart. You can have the prettiest policies and procedures and then the shiniest systems, as Andy says, and if you haven’t spent time figuring out what this does for the user and how they’re going to use it, it just may not matter. Your people are front and center. What do they need, and what’s the system supposed to do for them? If you’re asking them to take 10 steps when they could do one, they’re not going to take the 10. It’s just human nature.

Q: What technical skills are necessary for a CISO or a CCO?

Heins: Being able to communicate, collaborate, and having a high sense of urgency are keys to being a successful CISO. Having a technical background isn’t a requirement, but it will help a CISO navigate technical topics. Being able to communicate and explain technical topics to non-technical audiences is a great skill to have.

Hunt: I think it’s just as Andy says, you have to be able to explain things in ways that people understand. Do you have to have technical expertise to be a CISO? Not so much, but it helps. Do you have to be a lawyer to be a compliance officer or an auditor? No, but it helps. We need to be that bridge between the very technical and have the ability to break it down so people know why it’s important and what they need to do and how they need to get it done.

Q: What’s a common reporting structure for CCOs and CISOs? Do they commonly report up to the CEO or the board?

Heins: I think you see a little bit of everything. It really depends on the culture of the organization and how, internally, you can communicate risk and the risk tolerance of the organization. I’ve seen CISOs report to the CEO, and I’ve seen them report to the CFO. I’ve seen them report to the compliance officer, and I’ve seen them obviously report to the CIO. And I think all of it comes down to the relationships and the culture within the organization as to what makes the most sense.

Hunt: There isn’t necessarily one ideal, perfect reporting structure, because I think some of that is dictated by the industry—how regulated it is or how unregulated it might be. But it also boils down to where are you going to get the support you need for the investments and the resources, and also, frankly, the political cachet you need to get things done in the organization. That could be a chief risk officer, or it could be a CEO, who could be maybe even a champion on the board or a combination of all of those. I think the key is, no matter what your reporting structure is, you build your relationships as widely as you can within the organization so that people understand what you do and why it matters.