Craig Kobren, CISO of The Christ Hospital Health Network, speaks with Michael Sutter, CEO of Enlivened Tech, in a video interview about navigating cybersecurity challenges in healthcare, distinctions between healthcare and other sectors, building a mission-driven team to succeed in healthcare security, and the patient-centered role of security teams.

Navigating cybersecurity in healthcare: Industry-specific challenges

Reflecting on the unique challenges Kobren has faced in his career, he acknowledges that it is interesting to be in healthcare after being in other industries. “It’s still a high-stakes game,” he says, adding that with the growing need for information, there has been an increase in attacks against hospitals.

Among the most striking differences, Kobren observes is the culture of information sharing in healthcare, which is not typically seen in other high-security environments such as banking.

He further highlights how patient care requires seamless information exchange, even across state lines: “You might come to the Christ Hospital for care, but you might be on vacation in California when you go watch the Bengals win the Super Bowl, and maybe something happens that you end up in a hospital, and your history is very important.”

Kobren also points to the mobility of healthcare providers as another operational challenge: “Our physicians can move between different hospitals where they have rights at multiple places.” These scenarios contrast sharply with the more siloed nature of financial institutions. “In banking, we didn’t share much information with anybody,” he says.

Despite these differences, Kobren emphasizes a common thread that ties all industries together — threat actors with malicious intent.

From cyber threats to strategic resilience in healthcare

Moving forward, Kobren draws from a wealth of experience across various industries, including banking and government, to shape his approach to cybersecurity in healthcare. He notes that, historically, hospitals were often spared by cybercriminals, once benefiting from a sort of unspoken code of conduct.

Delving further, he describes how his past experiences have helped shape current decisions. These insights have allowed Kobren and his team to be more deliberate and strategic when designing systems for The Christ Hospital.

A critical distinction he highlights is the operational difference between healthcare and other sectors. While banks and even some government functions can temporarily shut down in times of crisis, hospitals do not have that luxury: “We could have people in an operating room; we could have patients in rooms. We can’t just say, ‘Sorry, can you go home and come back?’ Caring for people has to be top of mind in everything we do.”

Building a mission-driven team in a rapidly evolving landscape

For Kobren, success in healthcare security starts with people and purpose. “First you have to have a great team. I have a phenomenal team of people that do this stuff, and they live and breathe it.”

He stresses that the job demands more than technical skills; it requires passion and deep alignment with the mission. “It has to be part of your core because it’s ever-changing.

Further, Kobren believes those who choose this field must do so with a full understanding of what’s at stake. Security, he explains, is not just about protecting data; it is also about ensuring clinical continuity and patient trust.

“We’re providing a safe environment for our clinicians to take care of our patients. Your patients can feel comfortable because their information’s not getting compromised, and the systems are available,” says Kobren.

Additionally, Kobren points out that while ransomware attacks often draw attention to data breaches, the greater threat lies in system unavailability. “If you look at a ransomware attack, everybody focuses on your data being stolen, but if the computers don’t work, it’s hard to provide healthcare. We want to make sure that the procedures are safe too.”

Security with purpose: Enabling care through a patient-centered lens

From the outset, Kobren and his team have established a clear set of guiding principles to shape their work. “Our job is to make sure that we enable the business securely,” says Kobren, highlighting the core of the guiding principles.

Kobren maintains that the security team’s role extends beyond protecting systems; it directly supports clinical outcomes. This mindset drives the team to consistently consider how their work affects both patients and providers.

“We try to keep the patient at the top and center of everything we do. And for every decision we make, we are thinking about the impact on them as well as the people that are providing the care for them,” he adds.

Thereafter, Kobren believes that maintaining a user-centered mindset is essential. Recalling personal experience as a patient, he emphasizes how critical it is for clinical workflows and systems to function seamlessly.

In conclusion, Kobren warns that technology issues such as unavailable systems or missing patient information can lead to serious consequences.

CDO Magazine appreciates Craig Kobren for sharing his insights with our global community.