Throughout her career, Janet Heins has been chief information security officer for several companies in a variety of industries, including biotech, manufacturing, travel and leisure, and media and entertainment. In 2023 she added healthcare to that long list when she became CISO at ChenMed. No matter the industry, no matter the company, Heins believes her first duty as CISO is to learn the business’s mission and develop an aligned information security roadmap.
Heins views herself as both communicator and listener. As a communicator, she shares her security strategy with leadership, clearly stating how the initiatives on her roadmap reduce risks and improve the company’s security posture. “I need to be able to describe this in a way that matters to them,” Heins explains. As a listener, she asks relevant questions of leadership to understand their goals and to find out what “keeps them up at night.”
She connects not only with individuals in ChenMed’s C-suite, but also with its frontline workers. ChenMed operates 111 medical centers in 12 states, where several physicians meet and consult with their patients to keep them healthy. Heins and her team protect physicians by providing resilience, preventing unauthorized access to ChenMed’s systems and data, and keeping those systems running.
The mission of Heins’s security department is to protect all of ChenMed’s systems and data, most of which contain information regulated by HIPAA and other US privacy laws. The department comprises five teams, each of which has a unique function assisting ChenMed in providing health care to seniors in underserved communities. The first of those five functions is Incident Response. “That’s the proactive and, unfortunately sometimes, the reactive follow-up response to anomalies in our systems and our data,” Heins says. An incident can be reported by a ChenMed employee or by the technology department, and often comes from her security tools and telemetry.
The second function of her security department is engineering and operations, which Heins says means standing up and running the various security tools. The third function Heins refers to as “the keys to the kingdom,” but it is known in information security vernacular as Identity & Access Management. This function ensures that ChenMed employees have authorized access to the systems and data that allow them to do their jobs. “This team works directly with employees across the company,” Heins says. “They’re frontline facing because everybody needs access to something, so whenever a new system comes on board or new roles, that role-based access has to be defined. We have to have single sign-on, multi-factor authentication set up for all apps.”
Governance, risk, and compliance is the fourth function of her security department. This team covers the more non-technical aspects of security. “This is the process and people part. They provide employee security awareness and training for our employees,” Heins explains. “They write policies and keep our policies up to date and they perform risk assessments of our third parties.”
The fifth team in her security department is security architecture. This team is responsible for ensuring the security tools and all the other tools meet security requirements. “They make sure we have a good, secure architecture for how our systems are set up,” Heins says. They are also providing expertise on ChenMed’s path to adopting AI.
“Cyera is proud to collaborate with Janet at ChenMed, a leader driving transformative data protection in healthcare,” says Brian Bagwell, Account Executive at Cyera. “Her strategic vision and commitment to compliance and innovation empower a resilient, patient-centric security program that exemplifies best practices and sets the pace for modern healthcare data security.”
Heins calls her leadership style “adaptable,” tailoring it to whom and what she’s dealing with. When the entire team is together, her focus is strategic. “This is when I like to be more visionary, collaborating on where we’re trying to get to, and how we’re going to get there. Laying that pavement down in front of the team so they can see the path ahead,” the CISO says. In one-on-one situations, Heins is intentional about delegating, allowing team members the opportunity to grow. “By letting go of things, by handing them off to someone else to be responsible, it gives them an opportunity to stretch into something they haven’t done before,” she says.
The dynamic nature of information security guarantees that Heins’s security department is always in flux. She says that at any given time they have several initiatives in flight. Her department is always looking for opportunities to fully utilize existing security tools, so that she gets the full benefit from what’s been paid for, or to create or modify security processes to strengthen the department’s security maturity.
Looking back on her career in information security, Heins thinks about and values the connections she’s made with her fellow CISOs. “There’s a lot of us in the CISO role in healthcare, and we stay connected,” Heins shares. These connections help her and other security leaders maintain a forward-thinking environment. “We feed off each other and we assist each other. We have a community where we can pop in and help each other out.” Heins continues, “I feel having cross-industry exposure gives you that. By knowing what’s the same across industry and what’s different across industry, makes it easier to tease out the true uniqueness and the true competitive advantage, and ultimately the ability to properly protect what is valuable.”
Cyera is the fastest-growing company in today’s $24B data security market. Its AI-powered platform gives organizations complete visibility into where data lives, how it’s used, and how to protect it. Backed by $1.3B+ from top investors like Accel, Coatue, Cyberstarts, Georgian, Lightspeed, and Sequoia, Cyera helps businesses discover, secure, and unlock their most valuable asset – data – across cloud, SaaS, databases, AI, and on-prem environments. Its unified platform eliminates blind spots, reduces alert noise, and safeguards sensitive data. Innovations like Omni DLP deliver adaptive, AI-native data loss prevention orchestration, with real-time intelligence on data movement and usage.



