Is the Sky Falling?
Day three moved into sessions with a common theme of lessons learned. The day was kicked off with a discussion led by Robert Booker, Senior Vice President & Chief Information Security Officer at UnitedHealth Group, titled The Evolving Information Security Organization: Strategies, Challenges and Successes.
While there is tremendous power in using an industry breach for “the sky is falling” educational purposes to engage leadership, be clear about your point of view when having these discussions to avoid the risk of becoming shrill. To answer the inevitable question “are we doing enough?” it is important to align with business priorities; do your risk and opportunity assessment; and lay out the landscape and what you are going to do and how you are going to monitor it. If you use the crisis to take action while avoiding fear mongering, leaders will appreciate it.
Additional tips from the session:
- The Healthcare Continuum. Yours, Mine, or Ours?: While the patient is the ultimate stakeholder, it can be hard to keep that in context when we get into debates about the supply chain. We are in this together.. providers, payers and partners. Insulation and isolation are impractical. Everyone is responsible and transparency is key. It is all about trust. There needs to be a common vocabulary and a shared focus on threats and risk. We need to deal with these events together; and while it is never easy from a legal perspective, we need to spend less time checking each other and more time sharing business processes, measuring and helping each other for better security outcomes.
- Clinical and Medical Devices. I was IoT before IoT was Cool: Do we need new processes and science or do we apply our existing ones to a new landscape? The key will be building partnerships with both suppliers and regulators and shared accountability.
- I passed, so I’m good: With different levels of system maturity it is tough to answer the question of whether compliance is enough and is that where we should stop. If you look at compliance as the floor and not the ceiling, we can get away from check-box thinking and move into a “Compliance PLUS Security Outcomes” mentality. Think of it as a continuum and maturity management versus pass or fail.
- Risk Analysis and Management. Focus and Prioritization: Ultimately this is about more than compliance. It is about informing priorities and making it practical and living. Toward this end it is important to have healthy conversations, with the cost vs. benefit, and move the needle.
In conclusion, it is important to recognize that we need a foundational approach. Towards this, having a risk management framework is important.
HITRUST certification is a journey, not a checklist. George Macrelli (HMS), Brad Carvellas (HM Health Solutions), Travis Good, (Catalyze), Andrew Hicks (Coalfire) and Cliff Baker, (Meditology) shared their experiences, best practices and the common pitfalls to avoid along the way.
Perhaps the number one common tip among all presenters was that executive buy-in and commitment as well as clear accountability is key. Other top lessons:
From the Business Associate and Covered Entity perspective:
- Technology, people and process are all needed to sustain compliance and build maturity
- Project management of the team, timeline, demand and capacity, and metrics; plan for periodic review of in-scope controls
- Consider making an internal resource a HITRUST Subject Matter Expert (SME)
- Estimate efforts, costs and timeline.. then double it
- Changing the corporate culture requires long-term engagement with stakeholders at all levels of the organization
From the Assessor Perspective:
- You need a trusted partner, not an auditor; institutional knowledge is critical
- It’s an investment and will impact resource workload
- It not a checklist or compliance project
- Don’t overlook need for technical writing skills—HITRUST requires some documentation
As stated by Macrelli, “Being CSF certified is hard work, but with a high ROI!”
Kirk Nahra, Wiley Rein LLP, started with “inside HIPAA” issues, moved to “partial HIPAA” issues and concluded with issues “next to HIPAA.” He also touched on breaches, de-identification and Business Associates. With many recent concrete examples on the criminal and civil front, this session commanded a large audience.
Nahra also offered these insights regarding HIPAA OCR enforcement changes:
- Despite press reports every time there is a new case, no meaningful increase to date
- Investigations are more thorough and more burdensome
- Increasing pressure to do more on both audits and investigations
- Still generally very reasonable
What’s next? The debate about non-HIPAA healthcare data is not going away. Therefore Nahra predicted three options as to what we will see:
- Something specific for non-HIPAA health care data
- Something that covers all health care data (a general HIPAA)
- A broader overall privacy law (with or without a HIPAA carve-out)
The bottom line: to manage these issues you need a good framework of governance controls.
2015 CyberRX: Lessons Learned from Cyber Preparedness and Response Exercises
Dennis Palmer (HITRUST) and Pete Renneker (Deloitte) shared lessons learned from the 2015 CyberRX preparedness exercises, which featured 12 health plans represented by 250 individual participants. The big takeaway? This is not technical issue, this is a business issue and needs to be approached that way.
When you look at the dollar impact of a cyber event and try to quantify it, you find that the technical impacts are the tip of the iceberg. Brand damage, loss of customers, loss of vendors who no longer want to do business with you, etc… these are often the long-term impact of a cyber event. The role of the security organization is to be an advocate for strong crisis management because the impact is so big. It is about more than how many records did we lose. It is a conversation about what does this mean to the business, brand, customers and patients and how are we managing this as an enterprise incident response capability as opposed to a technical problem?
InfoSec needs to be the voice that pushes for a more holistic enterprise incident response capability. The CyberRX Playbook is available on the HITRUST website.
What is on the Federal Government’s Agenda for Information Privacy and Security?
The day ended with rare inside view on many of the policy initiatives surrounding security and privacy at the state and federal level and attempted to address many of the myths that policy makers sometimes have about the resources and efforts that healthcare is devoting to privacy and security. The panel featured experts Anne Kimbol (Texas Health Services Authority), Amber Manko (America’s Health Insurance Plans or AHIP) and Kirk Nahra (Wiley Rein), and was led by Carl Anderson (HITRUST).
Many interesting points were raised about how difficult the areas of information sharing, infrastructure protection and health information privacy can be to navigate for policymakers as they develop policy solutions. Observations from the federal perspective confirmed that cybersecurity, data breaches and encryption have emerged on the agenda this year. There are currently thirty-seven different rules impacting data breaches! From the state perspective, the prediction is for more state breaches. At some point everyone will realize the state system is a “treasure trove.” The challenge is for local health exchanges to cooperate when each has its own privacy and consent model.
On the discussion of myths, Anderson added, “Would IOCs have prevented the last breaches? Probably not but they might prevent the next one. We have not yet had a bell weather event in the U.S. such as that in the Ukraine where hackers shut down the grid for hours. This is where the national attention on cybersecurity will focus lawmakers attention if there is an event like that here in America.”
Questions from the crowd focused on federal data breach requirements, amending HIPAA and possibly mandating some kind of data standards.
How government will balance the competing goals of transparency and patient engagements with so many security and privacy challenges remains to be seen.
Day 3 was a content-packed day driving many side discussions. Stay Tuned for a recap on Day 4, which will conclude the conference with hands-on strategies and tactics for deploying the HITRUST CSF within your organization.