The HIPAA Journal – Interview with Security Strategist/vCISO Rachel Sheley 

Sheley recently discussed her career in the healthcare industry and her experiences with HIPAA compliance. Read the full interview below.

Posted October 5, 2023

Interview with Steve Adler, editor-in-chief of HIPAA Journal, posted on September 28, 2023

Tell the readers about your career in the healthcare industry

My career in the healthcare industry has been centered around ensuring the confidentiality, integrity, and availability of healthcare data while navigating the complex landscape of healthcare regulations. My expertise in information security, risk management, and compliance is crucial in safeguarding patient information and maintaining the trust of healthcare organizations and their patients.

Obtaining the Healthcare Information Security & Privacy Practitioner (HCISPP) certification in 2019 indicates my knowledge of healthcare information security and privacy. This certification is highly relevant in the healthcare sector, as it demonstrates expertise in safeguarding sensitive healthcare data, complying with regulations like HIPAA, and managing security risks unique to healthcare organizations.

I am well-versed in navigating various regulatory frameworks, including HIPAA, HITECH, HITRUST, FDA, CMS, and state-specific regulations. My experience in this area enables me to guide any compliance-related challenges effectively. These frameworks are essential in the healthcare industry, where strict regulations protect patient privacy and data security.

I have advanced skills in cybersecurity, risk management, and security frameworks such as NIST CSF (Cybersecurity Framework). These competencies showcase my thorough comprehension of evaluating and handling security risks in healthcare environments.

In the healthcare industry, effective communication and collaboration are essential. Through my experience in working with cross-functional teams, coordinating security efforts, and delivering engaging presentations at conferences, I have developed the ability to connect security measures with organizational needs.

What is your current position?

As a Virtual Chief Information Security Officer at GreyCastle Security and former Information Security Officer for a healthcare organization, I’ve kept patient data safe and secure. This has involved creating and maintaining security programs, following regulations, managing risks from vendors, and implementing policies to protect sensitive healthcare information. It’s been an excellent opportunity for me to showcase my leadership skills and commitment to the critical work of safeguarding healthcare systems.

Adherence to standards like NIST 800-53 and involvement in New York State’s Delivery Reform Incentive Payment (DSRIP) program contributes to the broader goal of improving healthcare delivery and outcomes through secure information systems.

What are the main challenges in your position?

The healthcare sector is governed by various regulations such as HIPAA, HITECH, HITRUST, and others. It can be challenging to navigate this intricate regulatory landscape and ensure compliance. Finding the time to continuously keep up with the changes in regulations and adjust security measures accordingly to avoid any breaches can be difficult.

Tell the readers about any significant event in your career.

Being promoted to the role of Information Security Officer (ISO) at the previous organization where I was employed was a significant career event that involved taking on greater responsibilities and leadership in the field of information security.

When I was offered the Security Strategist/Virtual Chief Information Security Officer (vCISO) position at GreyCastle Security, it represented another significant and prestigious milestone in my career.

These positions signify that I have been entrusted with a leadership role in the cybersecurity domain. I am responsible for guiding and shaping the security strategies and initiatives for organizations across industries.

What products/services do you provide for the healthcare industry, and what is unique about them?

GreyCastle Security provides tailored services that cater to the specific needs of our clients. Our services are designed to enhance the security of various industries, including healthcare organizations. Our primary objective in the healthcare industry is to protect sensitive data and ensure compliance with regulations. Our services encompass security assessments, audits, strategic planning, regulatory compliance, incident response and management, vendor risk management, security awareness training, monitoring, threat detection, risk mitigation, remediation, governance, and reporting.

As a vCISO at GreyCastle Security, I strive to work closely with healthcare clients to comprehend their challenges and requirements thoroughly. I then work with internal team members to develop customized services to create a robust and compliant security program that safeguards patient data and guarantees the organization’s ability to withstand cyber threats.

When did you first get involved with HIPAA compliance?

Before 2017, through previous employment, there were requirements that staff were trained on HIPAA compliance annually; however, in 2017, when I joined Central New York Care Collaborative, I was responsible for delivering training and ensuring the organization followed HIPAA Privacy and Security Rules. I was responsible for ensuring control requirements were implemented, formally documented, working as intended, and evidence was available in the event of an audit.

What are your main challenges regarding HIPAA?

One challenge facing HIPAA compliance is the complex regulatory environment, often subject to updates and changes. Staying current with requirements and any amendments or new rules can take time and effort.

Another challenge is balancing the need to protect patient privacy and secure electronic records, which is essential to facilitate secure data sharing and interoperability between healthcare providers while maintaining patient privacy and can be complex.

There are also challenges with employee training and awareness, ensuring that adequate training concerning HIPAA requirements and best practices is delivered. Another challenge is handling vendor or third-party risk management practices.

What do you think needs to be improved in the HIPAA regulations?

While HIPAA has made significant strides in safeguarding the privacy and security of protected health information (PHI), there are areas where potential improvements or refinements exist (for example, enhancing guidance on emerging technologies, and stricter enforcement and penalties to deter non-compliance). More precise guidance on de-identification methods and standards could be beneficial. There is a need for greater emphasis on cybersecurity best practices, including specific requirements for encryption, threat detection, and incident response.

Do you have any predictions for the future of healthcare regulation?

Healthcare reimbursement models have moved toward value-based care. Future regulations will continue to promote these models and provide additional guidance on measuring and rewarding healthcare quality and outcomes.

Do you have any predictions for the future of HIPAA regulations?

There may be future updates to HIPAA regulations, which could make it easier for patients to access their PHI across the globe. While some healthcare organizations have already implemented this, others must catch up.

Do you have any predictions for the future of healthcare technology?

Artificial intelligence (AI) and machine learning will continue to lead the way in future developments of healthcare technologies. The industry needs to ensure this technology’s safety, effectiveness, and ethical use are well understood before being implemented.

Do you have any predictions for the future of the healthcare industry?

Although the future is uncertain, AI and machine learning will likely have a significant impact in the healthcare industry. This will involve integrating digital health technologies like telemedicine, wearable devices, remote monitoring, and health apps. These advancements will improve patient engagement and make healthcare more accessible, especially in rural and underserved areas. However, such advancements will also provide additional cybersecurity challenges which must be anticipated by institutions.
