
CHIME’s National Cybersecurity Advisor on Building True Healthcare Cyber Resilience

Date: Wed, May 28, 2025, 05:00 AM

By Jessica Davis


Lisa A. Gallagher, BSEE, CISM, CPHIMS, joined CHIME as its National Cybersecurity Advisor in July 2024 with a mission to serve and support members in identifying and addressing longstanding cyber and IT challenges.


“Returning to work in the healthcare provider sector has been a blessing,” said Gallagher. “Of course, we are all patients, as are our loved ones. People say cybersecurity equals patient safety. I like to say that taking care of a patient’s data is taking care of the patient.”


“The challenges in this area are endless because the threats are ever changing. So, it is equal parts challenging and rewarding,” she continued.


One of this year’s Baldrige Foundation Award winners for Leadership Excellence in Cybersecurity, Lisa has dedicated her 35-year career to helping the healthcare industry understand the key technology and cybersecurity requirements necessary for safely implementing and enhancing digital innovation to improve care delivery and patient safety.


Lisa has served in a range of high-profile and highly impactful roles, including Senior Director of Privacy and Security for HIMSS and member of the Department of Health and Human Services (HHS) Office of the National Coordinator (ONC) Standards Committee’s Privacy and Security Work Group and its Patient Matching Power Team.


But it was her six years as Managing Director in the PwC cyber practice that gave Lisa her greatest growth and lessons learned. She had always worked as a cybersecurity consultant, but at PwC she took on the role of interim CISO twice, and those two engagements most informed her understanding of the challenges and stresses cybersecurity practitioners face on a daily basis.


In one of those engagements, Lisa served as interim CISO for a large financial services firm as it pursued compliance with the New York Department of Financial Services (NY DFS) cybersecurity regulation. She was responsible for developing a compliance plan that covered the regulation’s third-party cybersecurity risk assessment requirements, including a plan to risk-rank and assess more than 3,000 third-party vendors.


In her first interim CISO role, Lisa stepped into the position after a large provider organization had experienced a widespread cyberattack and breach.


“Being CISO after a major breach called on skills that I didn’t know I had,” said Gallagher. “I had to work with the IT Team, Executives, the Board of Directors, the lawyers/litigators, the cybersecurity insurance underwriters, etc.”


Lisa’s experience as a former CISO and healthcare cyber leader gives her a distinct perspective on what it takes to achieve true cyber resilience in the age of digital health. As she pursues this mission at CHIME, she hopes to continue supporting provider organizations and the technology leaders tasked with driving real change in enterprise cybersecurity, particularly resilience in the current threat environment.


For Lisa, it’s clear that to achieve cyber resilience in healthcare, cyber and tech leaders will need to take an “all-of-organization” approach.


“Resilience is really about recovery and keeping the business running. For healthcare provider organizations, this means being able to treat patients, prescribe medications, keep medical devices running, etc. It also means being able to process pre-authorizations and payments,” said Gallagher.


“We need everyone involved across the spectrum of the detect, respond and recover phases of cyber attack or breach,” she continued. For example, “a clinician may be the first to notice something out of the ordinary in an IT system. The response will require a fully tested incident response plan including all stakeholders, and recovery will require a thorough understanding of all critical workflows.”


But organizations must first develop, validate, and mature their governance of cyber risk; for some, this may mean creating a formal process to “govern” cyber risk for the first time. Lisa explained that this governance program is separate from the traditional risk management function, which is typically owned by the cyber and IT asset teams.


Governance is a more formalized process that involves multi-stakeholder oversight and decision making rooted in risk disposition, she explained. “This can reduce the incidence of unmanaged risk or risk that is accepted without proper oversight.”


“Investing in a governance framework is a key cyber risk reduction strategy,” said Gallagher.


“As I interact with our members who work on cyber challenges, one common theme I see is the need to interact with peers to identify cyber challenges and learn about successful approaches and solutions that have worked for others,” she continued. “CHIME is committed to providing not only education and resources – but also that community, so that folks can network and collaborate actively. Come join us at CHIME as we work together to address cyber challenges!”