Written by HITRUST Independent Security Journalist Sean Martin.
With the persistence of cyber-related threats, healthcare organizations of all sizes are striving not just to enhance and improve their information risk management, regulatory compliance and cyber resilience programs—but do so in an efficient and effective manner. As part of the HITRUST commitment to support and engage with organizations to help them adopt and leverage various resources, the organization has launched a Community Extension Program to promote education and collaboration. These interactive events will be held across the U.S., hosted by organizations within the community and facilitated by HITRUST CSF Assessors. Within this article, we highlight some of the key points that will be discussed at these sessions and what attendees can expect to take away.
We live in digital times, with personal devices constantly connected to the Internet and employees working from home and on the road. In many cases, we often hold meetings, exchange ideas, and solve problems over the phone and through collaboration services. But sometimes, it’s important to get in the same room with your peers, have a good chat about some of the challenges you face, and together, find a path to success.
This is exactly what the team at HITRUST is looking to accomplish with their new Community Extension Program. The interactive series of community events is scheduled to take place throughout a number of major cities across the United States.
“Security is a non-competitive exercise,” says Taylor Lehmann, the Chief Information Security Officer at Tufts Medical Center and the New England Quality Care Alliance, which is hosting the Boston event. “We benefit from the strengths of the community, but in many places, we’re not tapping into each other or engaging properly. This is our chance to come together to make a difference, and my wish for every participant, including myself, is to leave with a better sense of the gifts and talent our community has to offer and agreement on how we can engage to make our lives easier.”
Beginning with the Boston event—scheduled for Sept. 14—this series of free events is designed to bring the community together to promote community education and community development. The events are meant to be intimate and promote knowledge-sharing in a safe environment where colleagues and peers can discuss the challenges and risks they face. It’s also expected that these events will get down to the nitty-gritty, helping the community identify and leverage the tools available to them so they can satisfy the stakeholder requirements as they move through their risk management programs.
“As far as risk topics, I think there are some really interesting things with respect to risk analytics—such as FAIR and VERIS—that more CISOs should be using to connect the value of a security program to the business they’re in. Also adoption of HITRUST and the NIST CSF for community benchmarking purposes can help us all,” adds Lehmann.
The discussions held during each of the Community Extension Program events will likely include a range of topics. Here’s a sampling:
- How the cybersecurity landscape has changed and will continue to change.
- How cyber risk fits within the overall enterprise risk umbrella.
- What organizations are doing and not doing to evaluate and address their risk: What approaches are used? What works? What doesn’t work?
- How does the size and maturity of an organization impact the risk management program?
- What processes have organizations found to work to help ensure the accuracy and efficacy of their program?
- What tools are available to help streamline processes and drive efficiency into risk management programs?
“We all have risk, regardless of the industry,” says Michael Parisi, the Vice President of Assurance Strategy and Community Development at HITRUST. “It’s important that we all put our heads together to tackle this challenge. Together we are better able to address the risk our companies face on a daily basis.”
With this Community Extension Program, HITRUST is holding true to its education and information-based roots, continuing its efforts to help the community understand the value of embracing a risk-based approach to managing their internal and third-party vendor cybersecurity posture across their organization and throughout the healthcare ecosystem.
To be clear, this is not a vendor pitch. Rather, it is a chance for organizations from within communities throughout the US to meet with their peers, understand what’s working, and identify gaps so that together, they can address the gap.
“HITRUST is making a significant investment in these community discussions and roundtables,” says Parisi. “Our goal is to Invest in the community to help them identify ways to drive down the costs of compliance.”
With this in mind, a key element of the program is that the hosting organization will take some time to review its risk management story with the audience. For them, it’s about giving back too. Some of the points they will cover could include the following:
- What pitfalls did they experience? Were they able to overcome them?
- What challenges still exist that could not be addressed?
- What mix of people, process and technology did they find valuable? (including and beyond what HITRUST offers)
- How and where did they spend their time and money?
- What various approaches were taken? What were the lessons learned?
- What help could they use from those in attendance?
- How can the community work together even better?
It’s important to note that each session will be much more than a presentation. The host and facilitator will open the conversation to the full audience to ask questions, making this an interactive and engaging event.
“Having spent the last 15 years in health and information security, there’s a real gap in how CISOs and their Directors understand and can direct their security programs to achieve Board-relevant outcomes,” adds Lehmann. “There are amazing capabilities in our community that can help security professionals get there. Exposing those capabilities—and lessons learned—helps our community accomplish its collective mission. These events will provide a safe environment for just that. Connecting with each other to learn and advance our practices fits with the mission of the Tufts Medical Center and Wellforce, our parent—and we are thrilled to be facilitating.”
The Boston event will kick off the nationwide program, with Lehmann’s Tufts Medical Center hosting the session. Joining Lehmann as the facilitator, attendees will have a chance to meet and exchange information with Adrian Christie, the Director of Cybersecurity & Privacy at PwC. Together, Lehmann and Christie will take a cyber risk pulse of the local community and share their insights based on their own experiences. They will discuss where the community sits in the context of the threat landscape and the risks they face.
OPEN TO ALL INDUSTRIES
Of course, cyber risk extends well beyond the healthcare industry, and therefore, the Community Extension Program is not limited to companies operating in the healthcare space. In fact, the team is very open to any organization: business associates, covered entities, third-party vendors, and any other associations that have an interest in learning about what it takes to implement a risk management program. While the invitation is open to companies from all industries, the events are limited to CIO, CISO, CRO, COO, CFO and other C-level executives as well as information security and risk management practitioners. Please, no consultants and no assessors looking for leads—this isn’t the place for that.
Adds Parisi, “With 50 community development discussions being held across the country, the chances of one being near you is high. If not, HITRUST is very open to exploring the possibility of holding the program in even more locations. If you want to host or facilitate an event, we would be happy to discuss this opportunity with you as well.”
BENEFITS OF ATTENDING
It’s important that an investment of time made by the community deliver value to each participant that joins one of these HITRUST sessions. Here are a few ways the group will benefit:
- An exchange of more data from more players to raise the risk management bar across the industry.
- Together, the community can explore ways to leverage the adoption of a risk management standard that is more effective and efficient.
- The community can exchange ideas to help drive down the cost of compliance that results in better delivery of care in the healthcare industry, and better service in general across multiple industries.
- Risk management stories with a unique perspective—from the facilitator and host.
- Feedback from peer thought leaders located within your own geographic region.
- Attendees can effectively become thought leaders themselves by sharing their own unique experiences with their peers.
“We believe in what we do and that our efforts are making a difference as we work to reduce the cost of compliance to provide better care and service delivery,” says Parisi. “I am excited to see that HITRUST continues to make investments like this and am even more excited to meet people from across the country as we engage in this community development program. Giving back to the community in these efforts feels amazing…this is what I am excited about.”
When asked about the one thing he believed the attendees will be able to walk away with as a tangible action item by joining their peers at this event, Lehmann responded with a clear message: “A list of actions on how to begin implementing an efficient risk management program that leverages the tools and processes that are available today.”
Seems pretty straight forward: Lots of valuable information on risk management and community-driven advice!
Additional details for the Community Extension Program, including the current schedule of events, can be found at https://hitrustalliance.net/community-extension-program/