Healthcare CISOs must secure more than what’s regulated
In this Help Net Security interview, Henry Jiang, CISO at Ensora Health, discusses what it really takes to make DevSecOps work in healthcare. He explains how balancing speed and security isn’t easy and why aligning with regulations is key. Jiang also shares tips on working with engineering teams and how automation helps in DevSecOps.
In a heavily regulated industry like healthcare, what specific challenges do CISOs encounter when integrating security into DevOps workflows?
In healthcare, integrating security into DevOps, commonly referred to as DevSecOps, presents a unique set of challenges due to the high-stakes nature of the data and the complexity of regulatory requirements. One of the core issues is the inherent tension between delivering product features quickly and embedding robust security measures. Security initiatives often compete with business-driven outcomes such as user experience, speed to market, and feature velocity.
Another challenge is the completeness of the security coverage from product design to deployment. Regulations like HIPAA, which governs the protection of electronic Protected Health Information (ePHI), provide a framework for compliance. However, not all security practices are explicitly mandated by regulation. This means that security teams must go beyond compliance to ensure true risk reduction. An effective DevSecOps strategy in healthcare must be comprehensive, starting from secure product design and engineering practices to maintaining cloud infrastructure security, vulnerability management, and a mature incident response capability.
Security must be embedded early and consistently throughout the development lifecycle, and that requires cross-functional alignment and leadership support. Without an understanding of how regulations translate into practical, actionable security controls, CISOs can struggle to achieve traction within fast-paced development environments.
What advice would you give to CISOs looking to get buy-in from engineering and product teams? What metrics or KPIs do you use to measure the success of your DevSecOps initiatives?
To gain buy-in from engineering and product teams, CISOs must speak the same language and understand the unique planning methodologies these teams use. For example, product teams may follow Program Increment (PI) planning cycles with quarterly objectives, while engineering teams work in shorter sprint-based release cycles. Security objectives should be mapped to these respective cycles—addressing tactical issues like vulnerability remediation during sprints, while using PI planning cycles to address larger technical and security debt.
It’s also critical to position security as an enabler of business continuity and trust, rather than a blocker. Embedding security into existing workflows rather than bolting it on later builds goodwill and ensures more sustainable adoption.
As for metrics, Key Risk Indicators (KRIs) are particularly valuable. A practical one is the say/do ratio—the comparison of committed versus delivered security tasks—which reflects both intent and execution. Other meaningful KRIs include:
- Time to remediate vulnerabilities based on severity
- Number of unresolved critical/high issues in production or infrastructure
- Percentage of security backlog addressed per PI or sprint cycle
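The KRIs listed above are straightforward to compute from a vulnerability tracker export. The following is an added example, not code from the interview or from Ensora Health: it defines a minimal issue record and computes the say/do ratio, mean time to remediate per severity, SLA breaches, unresolved critical/high issues in production or infrastructure, and the percentage of the sprint's security backlog addressed. The issue records, severity SLA days and sprint label are all constructed for illustration.

```python
"""Compute the DevSecOps KRIs named in the interview from a constructed backlog.

Added example; the issue data, SLA values and sprint naming are assumptions,
not a standard or any organisation's real figures.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed remediation SLA in days per severity (constructed, not from any regulation).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Issue:
    id: str
    severity: str            # critical / high / medium / low
    opened: date
    closed: Optional[date]   # None means still unresolved
    environment: str         # production / infrastructure / staging ...
    sprint: str              # sprint the fix was planned for
    committed: bool          # committed in sprint planning ("say")


# Constructed sample backlog for one sprint.
ISSUES = [
    Issue("SEC-1", "critical", date(2024, 1, 2), date(2024, 1, 6), "production", "S1", True),
    Issue("SEC-2", "high", date(2024, 1, 3), date(2024, 1, 20), "production", "S1", True),
    Issue("SEC-3", "critical", date(2024, 1, 5), None, "infrastructure", "S1", True),
    Issue("SEC-4", "medium", date(2024, 1, 8), date(2024, 1, 25), "staging", "S1", False),
    Issue("SEC-5", "high", date(2024, 1, 10), None, "staging", "S1", False),
    Issue("SEC-6", "critical", date(2024, 1, 12), date(2024, 1, 30), "production", "S1", True),
]


def say_do_ratio(issues, sprint):
    """Delivered (closed) committed tasks divided by committed tasks for the sprint."""
    committed = [i for i in issues if i.sprint == sprint and i.committed]
    delivered = [i for i in committed if i.closed is not None]
    return len(delivered) / len(committed) if committed else 0.0


def mean_time_to_remediate(issues, severity):
    """Mean days from opened to closed for resolved issues of one severity; None if none closed."""
    days = [(i.closed - i.opened).days for i in issues
            if i.severity == severity and i.closed is not None]
    return sum(days) / len(days) if days else None


def sla_breaches(issues, today):
    """Issue ids whose remediation time (or current age, if still open) exceeds the SLA."""
    breached = []
    for i in issues:
        end = i.closed if i.closed is not None else today
        if (end - i.opened).days > SLA_DAYS[i.severity]:
            breached.append(i.id)
    return breached


def unresolved_critical_high(issues, environments=("production", "infrastructure")):
    """Open critical/high issues in the environments that matter for the KRI."""
    return [i.id for i in issues
            if i.closed is None and i.severity in ("critical", "high")
            and i.environment in environments]


def backlog_addressed_pct(issues, sprint):
    """Percentage of the sprint's security backlog that was closed."""
    in_sprint = [i for i in issues if i.sprint == sprint]
    closed = [i for i in in_sprint if i.closed is not None]
    return 100.0 * len(closed) / len(in_sprint) if in_sprint else 0.0


def kri_report(issues, sprint, today):
    """Bundle all KRIs for one sprint into a dict suitable for a dashboard export."""
    return {
        "say_do_ratio": say_do_ratio(issues, sprint),
        "mttr_days": {sev: mean_time_to_remediate(issues, sev) for sev in SLA_DAYS},
        "sla_breaches": sla_breaches(issues, today),
        "unresolved_critical_high": unresolved_critical_high(issues),
        "backlog_addressed_pct": backlog_addressed_pct(issues, sprint),
    }


if __name__ == "__main__":
    for key, value in kri_report(ISSUES, "S1", date(2024, 2, 1)).items():
        print(f"{key}: {value}")
```

Treating an open issue's age as its remediation time (in `sla_breaches`) is what makes the KRI actionable: an issue that is still open past its SLA is already a breach, not a future one.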
What role does automation play in your DevSecOps practice, and where has it had the most impact?
Automation plays a foundational role in our DevSecOps strategy. It enhances both security and efficiency by reducing manual errors and improving consistency across development workflows. Automated code analysis tools, often enriched with AI capabilities, help detect vulnerabilities early in the CI/CD pipeline. These tools can flag issues aligned with frameworks like OWASP Top 10, helping developers catch problems before they reach production.
From an incident response standpoint, automation has also brought major improvements. AI-driven tools can shorten investigation and containment timelines by isolating compromised systems, resetting credentials, or removing infected assets from the network autonomously. These actions reduce dwell time and minimize potential damage.
How do you handle tool sprawl and ensure your DevSecOps toolchain remains effective and manageable?
Tool sprawl is a common challenge in DevSecOps environments. While specialized tools serve specific purposes, an uncoordinated approach can lead to inefficiencies, overlapping functionalities, and poor adoption.
The key is intentional consolidation. We prioritize tools that serve multiple use cases and are extensible across both DevOps and security functions. For example, we choose solutions that can support infrastructure-as-code security scanning, cloud posture management, and application vulnerability detection within the same ecosystem.
Standardizing tools across development and operations not only reduces overhead but also makes it easier to train teams, integrate workflows, and gain unified visibility into risk.
What do you see as the next frontier or biggest gap in DevSecOps, especially for healthcare CISOs?
One of the most pressing gaps for healthcare CISOs is the lack of defined and enforceable data protection standards at the state and federal levels. Unlike financial services, where strong controls like mandatory MFA and encryption standards are well-established, healthcare regulations often leave too much room for interpretation.
This regulatory ambiguity makes it difficult to enforce baseline security measures across the board. While HIPAA provides foundational guidance, it doesn’t mandate specific modern controls, which makes it harder for CISOs to justify and implement stricter safeguards without explicit backing from policy or customers. As threats continue to evolve and patient data becomes more valuable, regulators must catch up to ensure consistent protection across the healthcare ecosystem.