The HITRUST 2017 event was another huge success, with over 400 attendees collaborating and learning from each other as experts from nearly all areas of the healthcare industry came together to discuss risk management, information exchange, security controls and compliance.
As noted in the threat catalogue panel on Wednesday, security breaches typically don’t happen because of an issue with security; rather, it’s almost always an issue of quality. With this in mind, the one big take-away from the conference is a three-fold message:
- Focus on the areas where you know you can succeed and that fall within the scope that matters to your business
- Recognize that your program won’t be perfect
- And, whatever you do, do it well
Below are a few key findings from some of the event’s sessions, each of which fits into the theme of proper scoping and quality.
Getting started with HITRUST CSF certification
There was a lot of discussion about getting started – both by the presenters/panelists during their sessions and by the attendees during the various networking breaks they enjoyed throughout the week. These are some of the highlights that were geared toward helping organizations take their first steps to implementing the HITRUST framework and seeking out their HITRUST CSF certification:
- Leverage the momentum in the industry and from your peers (and perhaps those at the executive and board level) to discuss the value of the HITRUST framework. Get the conversation going.
- Scoping is both critical and up to you: understand the drivers behind your program and define the scope in line with what you want to (or need to) achieve. Don’t scope it so narrowly that it provides no value in return, and don’t scope it so broadly that you are “boiling the ocean” and never realize the value.
- If possible, leverage an assessor to help walk through the process; the good ones have a ton of experience with scoping, defining, implementing and assessing.
- It’s better to approach the program with an understanding that there could be corrective action plans (CAPs) when you submit your certification results. It’s not the end of the world; just address them per the certification guidelines.
Third-party risk assurance
Most organizations presenting at the conference seemed to consider themselves both a covered entity and a business associate. Every company finds itself both offering services and consuming services within the massive healthcare ecosystem.
From the covered entity (CE) perspective, organizations can save money by not asking the same vendor the same questions that 99 other CEs are asking that same vendor. They can then use the monies saved and apply them to their security program as opposed to dedicating staff and other resources toward managing a bunch of ineffective third-party questionnaires and inefficient on-site assessments.
From the third-party vendor perspective, similar value can be found, but from the completely opposite viewpoint: organizations can invest once in the implementation of their HITRUST framework, assess once, and report to the many CEs that regularly ask for a view into their risk maturity level.
A number of panelists throughout the week suggested that organizations treat their HITRUST framework implementation and HITRUST CSF certification as investments that will realize significant benefits down the road:
- auditing, reporting and compliance cost savings
- reduced risk
- increased security posture
- better brand position in the market
- better cyber insurance coverage and reduced cyber insurance premiums
Of course, to realize the benefits, the organization must get started on the HITRUST path. Tied to these conversations around getting started with HITRUST, many in attendance had similar thoughts with respect to implementing a third-party assurance program: how and where to begin.
To address these questions, panelists throughout the week shared some advice designed to help people get started, suggesting that just because your risk management framework/program doesn’t look perfect doesn’t mean it won’t prove valuable. In short, don’t shut it down. Be confident to begin the process knowing you will first get from ‘bad to good’ and then move from ‘good to great’ as things progress.
This doesn’t just apply to the implementation of the framework and the associated CSF certification; the same holds true for your third-party assurance program and for the business partners you work with. You shouldn’t have to convince them that it is perfect, either; just show them that it is better than the (ineffective/inefficient) way they are handling risk reporting to each and every one of their business partners.
From both perspectives, Michael Parisi of HITRUST summed it up quite nicely during his panel discussion on Thursday morning: “Continue the education. Don’t give up just because someone asks the question ‘what is a HITRUST certification?’. We’re in this together… together we can drive this forward.”
Threat Intelligence and Information Sharing
With each passing day, it’s becoming more difficult to keep up with the latest threat, let alone figure out which ones affect your organization. One way to get ahead of the curve in this regard is to invest in, contribute to, and ingest threat intelligence. Here are some key points from some of the sessions where threat intelligence and information sharing were core topics:
- You need to contribute in order for the program to provide value to you and the others in it. As Elie Nasrallah and Chris Albery from HITRUST described in their Thursday morning session, not contributing is akin to only 5% of people at a potluck bringing food – there’s a good chance that up to 95% of the others at the potluck will go home hungry.
- There’s much more to a threat intel feed than the technical data; be sure to consider the data that will help you understand the tactics, techniques and procedures that bad actors could be using against your environment. While certainly technology driven, there are humans behind these attacks at some point. Understanding their motives and the context of their malicious activity will help you better understand how to respond.
- Ultimately, it’s all about being able to consume and analyze the data in a way that can be applied to your controls; the analysis of the information must be actionable. Just having a feed will not generate the results you are looking to achieve (unless it’s simply to check the box).
- HITRUST and Trend Micro hold a Cyber Threat Exchange call every two weeks where organizations can bring the human element to the table. This can play a big role in making the information actionable.
This is one recap of a few to come. Stay tuned for more detailed reports on how to get started, the value of assess once and report many (including the NIST CsF and SOC2), and how to make the most of your threat intelligence and information exchange program.