In our last post, the CIO put the search for a new security architect in motion. The next day he got a short email from the General Counsel.
Hi xxx:
Given the grave situation we’re in, I did a little research on a list of must-haves for this new Security architect of yours.
1. Ransomware Experience
2. RACF experience
3. AI scanning techniques
4. ………
If we are to redeem ourselves with the board, we need to pull off a home run of a security talent asset.
The General Counsel
The CIO replied via email
Dear xxx:
Thanks for the helpful suggestions. I will give your recommendations due consideration during the search. HR needs to blend these with the approval from your team so that we can search for this talent.
BTW (that means By the Way), the CEO mentioned an issue with records retention rules. I’m wondering if you could provide a fuller and more objectively achievable record retention policy statement. I need something concrete enough for me to produce new rules and procedures to meet it. As of today, it’s too open to interpretation for it to be of much use.
Aside from the search, I am creating a new plan for the department to address deficiencies and to then meet and exceed industry standards for cybersecurity. I need to rely on you for guidance concerning meeting the legal standards for records retention, affected party notice timing.
The General Counsel replied via email:
Hey…
There are layers of Regulations, Guidelines, and Formal Statutes, you don’t know, that need to be taken into account as you revise your internal practices.
Not only do you not know them, but I also don’t know them in detail either. I’m in the process of choosing a specialty law firm for a consultation.
I’ve included some short legal magazine articles to give you a few ideas, but we will need to revisit once I’ve retained specialized help.
--GC
The CIO signed heavily after reading the email.
Unwanted and unneeded suggestions were the least of the CIO’s and the hospital’s problems.
Next Up – The Media Speaks Up
Comments