Written by HITRUST Independent Security Journalist Sean Martin.
HITRUST recently launched the Community Extension Program, a series of meetings held throughout the U.S. designed to bring together information security and risk management executives and leaders from around the healthcare industry so that they can have the open dialog and information sharing necessary to raise the security posture of both their own organizations and the industry as a whole. With the first event in the series complete, here’s a recap of what was discussed along with some of the key learnings shared during the session.
Thank you Boston!
For our first-ever Community Extension Program meeting, we had over 30 people in attendance. We had some deep conversations, some detailed use case presentations, and accomplished the goals we set out as we put this program together:
- Bring the community together
- Share and discuss ideas, challenges, and best practices
- Understand how HITRUST programs can address common risk management challenges
- Establish a culture of collaboration and commit to continuing the discussion on an ongoing basis
The group, hosted by Taylor Lehmann, the Chief Information Security Officer at Tufts Medical Center, and facilitated by Adrian Christie and Aaron Shapiro, both Directors of Cybersecurity and Privacy at PwC, along with Michael Parisi, Vice President of Assurance Strategy and Community Development at HITRUST, definitely covered a lot of ground, as expected:
- How the cybersecurity landscape has changed and will continue to change.
- How cyber risk fits within the overall enterprise risk umbrella.
- What organizations are doing and not doing to evaluate and address their risk: What approaches are used? What works? What doesn’t work?
- How do the size and maturity of an organization impact the risk management program?
- What processes have organizations found to work to help ensure the accuracy and efficacy of their program?
- What tools are available to help streamline processes and drive efficiency into risk management programs?
- How can HITRUST better support the community at large through its programs and tools?
In particular, below are some of the highlights captured from the session.
For each HITRUST CEP, the facilitator and host organizations get to choose a proprietary session to work on together. Tufts and PwC chose to hold a cyber forum. Here are some key points coming out of the group’s discussion:
- A review of findings from a recent global survey commissioned by PwC, the Global State of Information Security, prompted a lot of discussion around connected medical devices among the CISOs in attendance.
- There was a lot of interest in how peer organizations and fellow CISOs identified and managed high-risk assets.
- There was also some discussion around how to manage third-party vendor risk at scale.
- The group also found it interesting that paper protected health information (PHI) remains a low concern even with the availability of electronic PHI (ePHI).
- The group had a common focus on environmental threats – threats that extend beyond the purely technical, such as flooding, hurricanes, earthquakes, and fires. These are all risks that could put patient information – and care – in harm’s way.
“One of the main goals of the forum was to bring together a community of practitioners in this area to get to know one another, build relationships, and create a community of practitioners who could leverage each other’s skills and capabilities to be more resilient at their own organizations,” Lehmann told HealthITSecurity.com in an interview following the session.
Suffice it to say, the main goal was met – and then some – as, overall, the Cyber Forum provided for an open dialogue amongst everyone in attendance, each sharing their own experiences. Christie and Lehmann really wanted the group to engage and share with each other, even if the topics on their mind weren’t part of the formal prepared agenda.
A View into Tufts Medical Center Risk Management
The CEP also allocates some time for the host to share their experiences of how they manage security and risk within their organization. With this, Lehmann provided a view into the tools he uses at Tufts and those he used in roles prior to Tufts. He also provided a future vision for Tufts.
Three key points captured from Lehmann’s talk include:
- Familiarize yourself with the tools that HITRUST has to offer, especially the free threat intelligence platforms, risk management framework resources, and control framework available to build out and strengthen your information security posture; HITRUST isn’t just for large organizations.
- Stay connected and communicate with your peers as a CISO community in the healthcare industry; this is critical to ensuring a strong information security posture for the industry and for the organizations responsible for providing the care.
- Recognize the value of cyber threat hunting and make sure you have good threat hunting resources in your organization.
At the end of the day, organizations should not be viewing information security as a competitive function, but rather a common interest that we should all be taking part and sharing in.
From a Strategic Perspective
The group was very keen to look at things from a strategic perspective as well. Here are some of the topics they discussed in that vein:
Industry-agnostic adoption: Organizations recognize the value of the HITRUST CSF within the healthcare space and as part of regulations related to the healthcare industry, but they are also very interested in how it could be applied in an industry-agnostic fashion – looking at financial services, the payment industry, and even additional government standards to help broadly manage risk throughout the entire supply chain.
The group discussed how HITRUST could benefit not only organizations within the healthcare industry, but also those operating in other industries as they look to implement a more effective and efficient risk management approach similar to what healthcare organizations have already done. To this point, HITRUST was recognized as a framework that can help organizations already leveraging HITRUST, or operating in the healthcare industry, extend their risk management practices to other industries in which they operate and are being asked to comply with other industry standards and regulations; the financial services industry was the most common example for this group.
More than compliance: A couple of CISOs brought up that HITRUST is a great framework for compliance, but wanted to point out to the group that, when looking at risk and threats, organizations need to look beyond compliance. Many risks are not associated with compliance and standards, and these CISOs are looking to leverage the HITRUST CSF and supporting programs to move beyond compliance assessments and industry certifications and manage risk on a broader scale. Ultimately, they want to drive better communication around risk with their teams, their executive staff, and the board. The HITRUST CSF and CSF Assurance Program were designed to be risk management programs at large that help to ensure compliance with different regulations at the same time.
Cyber Insurance: Cybersecurity insurance was another hot topic. One of the attendees pointed out that their HITRUST certification helped them increase their coverage levels by 50% while dropping their rates by 15%. This is very much in line with what Pamela Arora from Children’s Health was hoping to see in connection with the program Zurich North America is offering.
All-in-all, the session was a huge success. So much so that one of the attendees thanked HITRUST, PwC, and Tufts for bringing the group together, stating that “the greatest thing about this session is that it got all of us together in the community – it was great to sit with fellow CISOs from the largest hospitals in the area, talking about the things that matter to us, regardless of the topic. We should continue these types of discussions in the future as an Information Security group within the community and I would be happy to host the next discussion.”
With the first one under our belt, we are excited to see what the next sessions bring. This is certainly an opportunity for representatives from organizations within the same community to get together to focus on what’s important to them – not what’s important to an event organizer or a software vendor sponsoring the event.
One final note worth mentioning before we wrap up here… the group wanted to remove any internal competitiveness from the session. They recognized that they are all in this together, and it is together that they can overcome the challenges and risks associated with the dynamic cyber threat landscape.
We’ve only just begun. We have 50 CEP sessions planned and may do more if the demand is there. The next one is in Seattle. So, if you’re in the area, we hope to see you there next week.
If Seattle doesn’t suit, be sure to check the CEP schedule to see if your town is listed. If not, you can always request your town be added to the list – or, better yet, you could offer to host a session in your town.