Option Care’s Jill Rhodes on Uniting Legal Expertise and Cybersecurity in Healthcare

Jill Rhodes, SVP & CISO at Option Care Health, shares her unconventional journey from international development lawyer stationed in Bolivia and Moscow to healthcare leader, where she built the security program from the ground up as the organization’s first CISO. Jill outlines for David how a transformative assignment at an intelligence agency sparked her cybersecurity passion before she helped build cloud environments for the intelligence community.  Now, she’s leveraging this background to develop what she calls the rainbow of security — a visual security model for board communications — while building a security culture so pervasive that employees discuss security without her team present. Her approach, balancing legal analytical thinking with strategic security vision, demonstrates how healthcare CISOs can navigate a complex regulatory landscape of HIPAA plus 50 different state laws while maintaining the essential visibility needed for comprehensive threat intelligence. Topics discussed: - Transforming organizational behavior through the Ambassador Program that deploys 100+ non-technical employees as security advocates. - Conducting pre-meeting content reviews with non-technical audiences including family members and business partners to ensure security concepts are translated from technical language into business value propositions. - Navigating the complex healthcare regulatory landscape that requires simultaneous compliance with federal HIPAA requirements and 50 distinct state privacy laws versus the unified security framework of intelligence agencies. - Implementing the rainbow of security visualization framework that maps security controls from perimeter to internal systems, making complex security architecture understandable to board members while facilitating threat intelligence integration. - Building security teams through maturity-based prioritization by conducting comprehensive security maturity assessments before hiring, then strategically filling gaps starting with technical experts to complement leadership’s strategic orientation. - Measuring security program effectiveness through cultural integration metrics rather than technical KPIs by tracking whether security considerations arise organically in conversations when security personnel aren’t present. - Applying intelligence community verification methodology to threat intelligence by requiring multiple non-derivative data sources to validate information, particularly crucial as healthcare-specific threat intelligence accessibility has declined. Key Takeaways:  - Implement a security ambassador program by recruiting non-technical employees across your organization to meet monthly, discuss security topics relevant to both work and personal life, and serve as security advocates within their departments. - Translate technical security concepts for board presentations by testing your content on non-technical family members and business partners first — if they don’t understand it, executives won’t either. - Construct your security team strategically by first conducting a comprehensive security maturity assessment to identify gaps, then hiring for skills that complement leadership’s background rather than duplicating existing expertise. - Develop a visual security framework that maps controls from perimeter to internal systems, making complex architecture understandable to executives while providing structure for threat intelligence integration. - Measure security program effectiveness through cultural indicators rather than just technical metrics, specifically tracking whether security considerations arise organically in conversations when security personnel aren’t present. - Validate threat intelligence using the intelligence community verification methodology by requiring multiple non-derivative data sources before acting on information, especially important as healthcare-specific intelligence becomes less accessible.