Profile: Arthur Ream, CISO, Cambridge Health Alliance
Published On: September 15, 2016
BALANCING MULTIPLE RESPONSIBILITIES
“Most moderate to mid-sized healthcare organizations have yet to commit to a full-time CISO,” said Arthur Ream, the CISO and Director of Applications for Cambridge Health Alliance (CHA), an innovative health system serving more than 140,000 patients in Cambridge, Boston and surrounding communities. “In fact, most managers, not just the CISOs in a healthcare organization of our size, have multiple responsibilities.”
To be clear, Ream is not complaining. “I enjoy the fast-paced nature of the CISO role. In security, we always have to be planning for the future and reacting to the changing landscape. There is always something to learn, and a new issue to prepare for or address. In my role as Director of Applications, things are a bit more methodical.”
While Ream’s dual position may be the rule and not the exception in the healthcare industry today, it still poses specific challenges. The biggest challenge for Ream’s team is time and resource management as they balance application and information security demands.
“With a non-dedicated staff we are challenged to manage volume. We must be focused to ensure we are safeguarding our patients, our assets and our integrity within our budget and with the resources we have available,” said Ream.
Ream addresses this challenge through education and discussion with senior management and the Board. He said, “I try to engage the leadership in security and help them understand where our security program is today and where we need it to go.”
Working at a mid-sized organization, Ream has become more creative and adaptable when creating his security program. Without the resources of a larger healthcare organization, he focuses less on following the details of specific standards. “We use NIST and ISO. We don’t report against the frameworks. We work to the intent of the standard,” said Ream.
For similar reasons, Ream is holding off on embracing any specific certifications. “We have to constantly weigh the value versus the cost, and I am still watching to see exactly where the industry will fall in terms of which certifications are industry standard. The certifications do have value, but oftentimes experience is what matters most. I am a big fan of on-the-job training.”
BUILDING A HEALTHY COMMUNITY
One of Ream’s favorite aspects of working at CHA is his dual roles and his team’s flexibility. He commented, “We get exposure to so many things, no one is pigeon-holed.”
Ream also appreciates the impact CHA has on the community, something that truly motivates him and his team. “Cambridge Health Alliance is the organization of the public health commission for the city of Cambridge and a teaching hospital for Harvard Medical School. Our mission is to improve the healthcare of the community we serve, which includes a large behavioral health population. My team’s value, and mine as the CISO, is to wrap appropriate policy and technology around the assets to safeguard our patients and our corporate integrity.”
Recently, CHA rolled out a program for e-prescribing controlled substances via Bluetooth. Doctors may now send prescriptions straight to the pharmacy, which helps limit prescription fraud and curtail the city’s opioid epidemic, and also helps patients. Ream remarked, “Many of our patients might have needed to take time off work to pick up a paper-based prescription before. Now the prescription is waiting for them at the pharmacy. This type of program has a direct impact on the city and our patients’ lives.” Ream’s team played a key role in ensuring the integrity and security of the applications and systems supporting the program.
PRACTICE AND EDUCATION AT THE EXECUTIVE LEVEL
Beyond working on application-specific security efforts like eScripts, Ream and his team regularly work with other senior managers to ensure the organization is doing its best to protect critical assets.
In addition to occasional presentations to the Board, Ream regularly meets with senior leadership. “On a monthly basis I run a committee meeting that oversees the overall security of Cambridge Health Alliance,” said Ream. Participants in the committee include the General Counsel, Chief Compliance Officer, Chief Privacy Officer, CIO, HIM Director and Senior Director of Technology. “This group reviews new applications in our environment, current threats, HIPAA requirements, policy updates and our security plan.”
Ream and his team also participate in quarterly breach drills with the CEO, marketing and other senior managers. “All of the drills are based on scenarios that could really happen at Cambridge Health Alliance. A private contractor who knows our environment creates the scenarios for the drill – no one on our team knows about it in advance. For the next several hours we run through the logistics of the breach, practicing policy roll out, communication skills, action and remediation. We receive a report and feedback based on how we performed. As a result of these drills we have been able to improve policy, open better communication channels and make our overall efforts more effective.”
Ream sees more involvement with the CEO and senior business leaders in his future, and in the future of CISOs in general. “There will be a transformation in information security at healthcare organizations. I think we will see CISOs evolve to a position similar to how the Chief Compliance Officer is currently positioned. CISOs and their teams will roll up directly to the CEO. But, there will always be a tight and integrated relationship with the CIO, working collaboratively at a peer level.” To get there, Ream pointed out that CISOs need to be comfortable speaking the language of business and translating technology into relatable stories. He expects more CISOs to come in with MBAs in the future.