
Thursday Apr 10, 2025
Option Care’s Jill Rhodes on Uniting Legal Expertise and Cybersecurity in Healthcare
Jill Rhodes, SVP & CISO at Option Care Health, shares her unconventional journey from international development lawyer stationed in Bolivia and Moscow to healthcare leader, where she built the security program from the ground up as the organization's first CISO. Jill outlines for David how a transformative assignment at an intelligence agency sparked her cybersecurity passion before she helped build cloud environments for the intelligence community.
Now, she's leveraging this background to develop what she calls the rainbow of security — a visual security model for board communications — while building a security culture so pervasive that employees discuss security without her team present. Her approach, balancing legal analytical thinking with strategic security vision, demonstrates how healthcare CISOs can navigate a complex regulatory landscape of HIPAA plus 50 different state laws while maintaining the essential visibility needed for comprehensive threat intelligence.
Topics discussed:
- Transforming organizational behavior through the Ambassador Program that deploys 100+ non-technical employees as security advocates.
- Conducting pre-meeting content reviews with non-technical audiences including family members and business partners to ensure security concepts are translated from technical language into business value propositions.
- Navigating the complex healthcare regulatory landscape that requires simultaneous compliance with federal HIPAA requirements and 50 distinct state privacy laws versus the unified security framework of intelligence agencies.
- Implementing the rainbow of security visualization framework that maps security controls from perimeter to internal systems, making complex security architecture understandable to board members while facilitating threat intelligence integration.
- Building security teams through maturity-based prioritization by conducting comprehensive security maturity assessments before hiring, then strategically filling gaps starting with technical experts to complement leadership's strategic orientation.
- Measuring security program effectiveness through cultural integration metrics rather than technical KPIs by tracking whether security considerations arise organically in conversations when security personnel aren't present.
- Applying intelligence community verification methodology to threat intelligence by requiring multiple non-derivative data sources to validate information, particularly crucial as healthcare-specific threat intelligence accessibility has declined.
Key Takeaways:
- Implement a security ambassador program by recruiting non-technical employees across your organization to meet monthly, discuss security topics relevant to both work and personal life, and serve as security advocates within their departments.
- Translate technical security concepts for board presentations by testing your content on non-technical family members and business partners first — if they don't understand it, executives won't either.
- Construct your security team strategically by first conducting a comprehensive security maturity assessment to identify gaps, then hiring for skills that complement leadership's background rather than duplicating existing expertise.
- Develop a visual security framework that maps controls from perimeter to internal systems, making complex architecture understandable to executives while providing structure for threat intelligence integration.
- Measure security program effectiveness through cultural indicators rather than just technical metrics, specifically tracking whether security considerations arise organically in conversations when security personnel aren't present.
- Validate threat intelligence using the intelligence community verification methodology by requiring multiple non-derivative data sources before acting on information, especially important as healthcare-specific intelligence becomes less accessible.
- Navigate complex healthcare regulations by partnering closely with privacy, compliance, and business teams to create a collaborative approach to security rather than viewing it as a balance between competing priorities.
- Build security partnerships across departments, especially with finance, privacy, and compliance teams, to frame security risks in business language rather than technical terms and strengthen organizational buy-in.
- Transform security behaviors by comparing security adoption to the evolution of seatbelt use — initially resisted but eventually becoming automatic — to normalize security practices throughout the organization.
- Apply intelligence community analytical thinking to private sector security challenges by focusing on asking the right questions rather than having all the technical answers, particularly valuable for CISOs with non-technical backgrounds.