Q&A with Health-ISAC President Denise Anderson: “Sharing Cyber Incidents Makes Us All Stronger”

Though sharing information with other health systems may not be a priority for leadership teams working through a breach, it is, ironically, one of the most important actions organizations can take for their peers, according to Denise Anderson, President of Health ISAC. That’s because, as she puts it, “one person’s defense will become everyone else’s offense.” But even with copious sharing, organizations will go down, and that’s why business continuity planning is so important. Anderson, who has worked as a firefighter/EMT, knows first-hand the importance of being ready to handle a disaster. She recommends CISOs liaise with emergency management and train copiously, so muscle memory kicks in when things go south. In this interview with healthsystemCIO Founder & Editor-in-Chief Anthony Guerra, Anderson covers these issues and many more.



LISTEN HERE USING THE PLAYER BELOW OR SUBSCRIBE THROUGH YOUR FAVORITE PODCASTING SERVICE. 



Bold Statements

It goes back to enterprise risk management and looking at what are the crown jewels of what I do and what does it take for me to continue to produce or do those crown jewels, and for how long.

that probably is what keeps me up at night. Imagine that a threat actor goes in and says I’ve changed some records in your organization on blood type, randomly 100 records of your patients. Somebody who is B+ is now an A-. Imagine what that would do.

I do consider myself to be an evangelist for information sharing – that we should be sharing information with each other, and shame on us for not doing it. There’s various reasons why people don’t do it but it’s so easy to do. It’s so beneficial.

Anthony: Welcome to healthsystemCIO’s interview with Denise Anderson, President of Health ISAC. I’m Anthony Guerra, Founder and Editor-in-Chief. Denise, thanks for joining me.

Denise: Thanks for having me, Anthony.

Anthony: Very good. Denise, you want to tell me a little bit about your organization and your role?

Denise: I’m Denise Anderson. I’m President and CEO of the Health ISAC which stands for Information Sharing and Analysis Center. Just a little bit of background on ISACs, the Information Sharing and Analysis Centers were formed under a presidential directive from President Bill Clinton in 1998.

The concern at that time was Y2K, to get industry to share with each other amongst the critical infrastructure sectors and with government and so the ISACs were formed and were paired along critical infrastructure sectors. The US has defined 16 and we are in the health sector.

The Health ISAC formed in 2010. I came on board in 2015 after a stint at the Financial Services ISAC which was one of the first ones to start. Basically, what we do is we’re a trusted community of organizations that touch the patient really in healthcare, and we’re focused on cybersecurity and physical security so that patients can receive care and get it safely.

Our membership is composed of various subsectors within the sector, such as labs and pharmaceuticals, medical device manufacturers, pharmaceutical manufacturers, of course hospitals and healthcare delivery organizations, anything from a large hospital system to a small clinic and then insurance companies, basically anyone that touches the patient can be a member of ours.

Anthony: Very good. I like to start with an open-ended question. What are some of the trends you’re looking at, some of the main things that you’re watching, that you feel like your members want content around and direction and things li...