Written by HITRUST Independent Security Journalist Sean Martin.
On the first day at HITRUST 2016, attendees were treated to a fantastic opening keynote from Gregory Touhill, Retired Air Force Brigadier General and Deputy Assistant Secretary of Cybersecurity and Communications for the Department of Homeland Security. Touhill addressed the audience straight away by calling on them to stay focused on their role in cybersecurity.
“The healthcare system represents a major component of the nation’s critical infrastructure,” said Touhill. “It’s constantly under attack with people doing reconnaissance on a daily basis. Meetings like this—and your role as a cybersecurity professional in the healthcare industry—are critical.”
Touhill called this the “summer of ransomware,” where access to medical information is being blocked as a means to extract ransom payments from healthcare organizations. Next summer, Touhill anticipates, will likely be the “summer of attacks on data integrity,” where people’s health and safety are held hostage as their data is potentially compromised and changed.
Organizations don’t need to feel overwhelmed though; there is hope. And Touhill provided the audience with two sets of tips to take home with them.
Strategic Recommendations from Touhill:
- Keep cybersecurity on your agenda: Cybersecurity is a boardroom issue, a lunch room issue, a class room issue, and a living room issue.
- Do your math homework: Cybersecurity is all about risk, and risk is based on the value that the information and systems represent to the business. Be sure to factor in the cost to your brand and reputation; it is sure to be more valuable than the ransom itself!
- Have a plan and exercise it: Everyone needs to play—it’s not an IT exercise, it’s a business exercise.
- Train, train, train—and then train some more: Practice makes perfect…but if you practice the wrong things or practice incompletely, you can’t respond correctly. Practice regularly so you can get closer and closer to perfect.
- Continue to share information: Join the “cyber neighborhood watch.”
The rest of the day was filled with a number of sessions, ranging from building out and running a security operations center to preparing for the pending Phase 2 OCR Audits. Here are a few highlights from some of the other sessions that I attended today:
Dr. Khaled El Emam, CEO of Privacy Analytics, and Kimberly Gray, J.D., Global CPO of IMS Health, explained to their packed audience that there’s tremendous value to be found in today’s digital health data sets. For example, health data sets could be used to identify people who are likely to contract cancer in the next five years; this knowledge could be used to get treatment to people whose condition would otherwise have gone undetected.
Of course, uncovering these benefits during the analysis can’t come at the expense of patient privacy; private information must be kept private. When used properly, de-identification is one of the most important, useful and effective means to protect personal privacy. It promotes accountability, enabling organizations to innovate with the data sets they have while safeguarding patient privacy. The trick is to modify the data just enough to make a claim that the risk of identity exposure is small while maintaining enough detail in the data to drive value from the analysis being performed.
Advice from El Emam is to first determine what the acceptable risk is and then set appropriate risk thresholds. If the resulting risk is small, coming in under the defined threshold, this is the de-identified data to share. If the risk is too high, coming in above the defined threshold, the organization must redefine the de-ID process until the risk comes in under the acceptable threshold.
As with most things related to data, things are dynamic. This holds true for de-ID. If the target data set changes dramatically, the de-identification model needs to be adjusted to match the risk-acceptance threshold.
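To make the threshold loop described above concrete, here is an added example (not code from El Emam, Privacy Analytics or the conference session). It assumes a k-anonymity-style risk metric, where the worst-case re-identification risk of a release is 1/k for the smallest group of records sharing the same quasi-identifiers, and a hypothetical generalization ladder (age bands, truncated ZIP codes, suppressed fields). The records are constructed for illustration. The routine picks the least generalization that brings worst-case risk under the chosen threshold, and refuses to release when no level does, which is the signal to redefine the de-ID process; re-running it after the data set changes shows why the model has to be re-evaluated rather than applied once.

```python
from collections import Counter
from typing import Callable, Tuple

# Constructed sample records: (age, zip, sex, diagnosis). The diagnosis is the
# sensitive attribute and is not treated as a quasi-identifier. All values are made up.
RECORDS = [
    (34, "94105", "F", "asthma"),
    (36, "94107", "F", "asthma"),
    (35, "94110", "M", "diabetes"),
    (37, "94112", "M", "hypertension"),
    (52, "10001", "F", "diabetes"),
    (55, "10003", "F", "asthma"),
    (51, "10012", "M", "hypertension"),
    (58, "10014", "M", "diabetes"),
]


def qi_level(level: int) -> Callable[[tuple], tuple]:
    """Hypothetical generalization ladder, from most detailed (0) to most general (3).

    Each level returns the quasi-identifier tuple a data recipient would see."""
    def qi(rec: tuple) -> tuple:
        age, zip_code, sex, _ = rec
        if level == 0:
            return (age, zip_code, sex)                      # raw quasi-identifiers
        if level == 1:
            return (age // 5 * 5, zip_code[:3], sex)         # 5-year band, ZIP3
        if level == 2:
            return (age // 10 * 10, zip_code[:3], "*")       # 10-year band, sex suppressed
        return (age // 10 * 10, "*", "*")                    # 10-year band only
    return qi


def equivalence_classes(records, qi) -> Counter:
    """Group records by their generalized quasi-identifiers; the count is k."""
    return Counter(qi(r) for r in records)


def max_risk(records, qi) -> float:
    """Worst-case re-identification risk: 1/k for the smallest equivalence class."""
    classes = equivalence_classes(records, qi)
    return 1.0 / min(classes.values())


def avg_risk(records, qi) -> float:
    """Average per-record risk: each record contributes 1/k of its own class."""
    classes = equivalence_classes(records, qi)
    return sum(1.0 / classes[qi(r)] for r in records) / len(records)


def deidentify(records, threshold: float, max_level: int = 3) -> Tuple[int, float, list]:
    """Release at the least general level whose worst-case risk is at or below threshold.

    Returns (level, risk, released_rows). Raises ValueError when no level on the
    ladder satisfies the threshold, i.e. the de-ID process itself must be revised
    (more generalization levels, record suppression, or a different release model)."""
    for level in range(max_level + 1):
        qi = qi_level(level)
        risk = max_risk(records, qi)
        if risk <= threshold:
            released = [qi(r) + (r[3],) for r in records]
            return level, risk, released
    raise ValueError(
        f"no generalization level meets threshold {threshold}; redefine the de-ID process"
    )


if __name__ == "__main__":
    # Threshold 0.25 corresponds to requiring k >= 4 in every class.
    level, risk, rows = deidentify(RECORDS, threshold=0.25)
    print(f"released at level {level} with worst-case risk {risk:.2f}")
    for row in rows:
        print(row)
    # A single new outlier record (age 29) forms a class of one at every level,
    # so the previously acceptable model no longer meets the threshold.
    try:
        deidentify(RECORDS + [(29, "94105", "F", "asthma")], threshold=0.25)
    except ValueError as exc:
        print("after data change:", exc)
```

The worst-case (prosecutor) metric is deliberately used for the release decision: the average can look acceptable while one unique record remains fully exposed, which is exactly the case a threshold is meant to catch.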
Preparing for OCR Phase 2 Audits
Michael Parisi, a Director for PwC (PricewaterhouseCoopers), shared some tremendous information regarding the pending OCR Phase 2 Audits. Feedback from the audience was that the level of detail presented by Parisi is exactly what they needed to take action.
These are the 10 tips the audience got a chance to capture:
- Tip 1 – Know the scope of the phase 2 audits
- Tip 2 – Understand the logistics and mechanics of the process
- Tip 3 – Start preparing your questionnaire and supporting documentation
- Tip 4 – Be proactive and define what a “comprehensive assessment” means
- Tip 5 – Adhere to the encryption requirements
- Tip 6 – Get your BA listing and agreements in order
- Tip 7 – Don’t skimp on your BA due diligence
- Tip 8 – You can’t hide
- Tip 9 – Put your best foot forward; it’s all about your behavior
- Tip 10 – Take advantage of this opportunity
Day one was a great start to a great conference. I’m looking forward to hearing and seeing more. On this note, these are some of the sessions in which I plan to participate:
- Health Technology Management: Biomedical Device Insecurity
- Cybersecurity: How to Successfully Engage Executives and the Board
- Leveraging a CSF Assessment for Better Insurance Coverage and Premiums
- Breach Detection and Cyber Forensics Can’t Be an Afterthought
Of course, there’s the Cyber Simulation Workshop scheduled toward the end of the day on Tuesday. This special session should prove to be both exciting and educational.