Written by HITRUST Independent Security Journalist Sean Martin.
With Microsoft hosting and Coalfire facilitating, the HITRUST Community Extension Program (CEP) session held in Seattle drew a great turnout made up of a wide variety of organizations: from startups in the healthcare space to established medical device manufacturers, and from early-stage companies dedicated to connecting devices to electronic health record (EHR) systems to a number of mature health plans of various sizes. Seattle had a very strong mix of organizations coming together for some in-depth, meaningful conversations, not just covered entities.
Here are a few of the main topics discussed during the session.
A View into Statutory Entity Roadmaps
Given the recent announcement delivered by the New York eHealth Collaborative (NYeC) and the New York State Department of Health, where they presented a roadmap for the Statewide Health Information Network for New York (SHIN-NY) – a program that intends to require HITRUST certification for all qualified entities (QEs) and NYeC by the end of 2018 – the CEP attendees were very keen to learn more about this program. More specifically, the group wanted to learn what other statutory entities are doing in this regard. And, even more pointedly, they wanted to know what the State of Washington thought of this movement and what it may be willing to consider in terms of accepting a HITRUST assessment in place of other requirements. Fortunately, the State was represented in the session and able to engage in the conversation.
The group at large also stated that a lot of the covered entities are already heading down this path, but would prefer to band together to do so and would like the Department of Health to follow suit; essentially taking a page out of New York’s book.
Making Sense of Indicators of Compromise
Another topic of the discussion touched on how best to identify a breach in progress or an attack looming in the wings. Some entities shared the reality that they don’t understand indicators of compromise – or “IoCs.”
- What does it mean to get indicators in?
- What are the sources of those indicators?
- How do you handle them once you spot them?
The positive side to this conversation coming up during the CEP was that the room was filled with a variety of roles: risk managers, internal audit, statutory entities and CISOs. That is the point of the CEP program: bringing together a group of people who can help each other out across the board, extending well beyond a group of CISOs and security people talking about the same old thing. Security posture and threats have become a department-agnostic challenge and concern that extends well beyond the responsibility of the information security office. These are business issues that the entire organization must understand and address together.
Engaging with the Board
Another topic the group spent a lot of time discussing was how best to handle both the day-to-day updates and the sometimes more difficult conversations between senior management and the board. The group landed on the idea that HITRUST scoring and the HITRUST risk scorecards come in very handy with this particular challenge. The biggest benefit is the ability to link the scorecards back to the threat catalog to help drive the conversation.
“Generally speaking, it’s challenging to have conversations with executives around threats,” said one of the attendees, noting that not all executives understand what the threats mean and, conversely, the IT security staff don’t always know how to accurately communicate the risk to the business. The group agreed that senior management knows that threats exist, but has a difficult time understanding what the top threats are and how to address them as an organization. Even harder are the threats that are essentially the unknown unknowns: how can the organization manage its internal analysis such that it gets a view into what could be impacting the business even if it isn’t visible to the rest of the world yet?
Linking Threats to Risk
Closely connected to the conversations between IT security and the senior management team was the topic of the HITRUST threat catalog. The discussion was very dynamic as the group realized they could link threats to risk, then link the risk to controls that the organization can implement, and then link their assessments to how well those controls are working, demonstrating that what the organization is doing to mitigate and manage risk – related to the threats it is facing – is actually working. This can also help to clearly articulate where additional investments may be needed to increase the security posture of the organization in order to specifically address the threats and risks identified. Bringing it back to the previous discussion point, this further supports the ability of the IT security and risk management teams to work together and to jointly educate their senior management team on the best methods, and the corresponding investments, to appropriately address the risks they face.
Getting a Handle on Scope
The group also shared a common desire for some help in getting a handle on scoping their risk management program. There was even a suggestion to do a live walk-through of what a scoping exercise would look like for an organization that was going to undergo an assessment in the near future. The goal behind the suggestion was to walk through the process from an attending organization’s perspective and see the scoping process performed live, in real time.
While there is some misconception in the field that HITRUST is an all-or-nothing program, this group recognized that the scope can be adjusted to meet the needs of the organization; the walk-through confirmed this understanding. They just need some initial guidance on setting expectations relative to the scope so that they can define the desired scope and then execute against what the organization would expect it to cover.
The topic of scoping in the context of third-party risk was also an important part of the conversation in Seattle. Some of the attending covered entities stated that their third-party vendors often reply to requests for third-party risk assessments only for the entities to find that the scope set by the vendor is both small and inadequate compared to what the entities were expecting to receive. Therefore, scoping becomes a critical topic on both ends of the spectrum.
Note: During the Denver CEP session that followed, the HITRUST team put this scoping walkthrough request into action. Be sure to read that CEP recap for more details.
This session marks another win for the CEP program. With the healthiest mix of companies and roles to date, it’s clear the desire to bring the community together is one shared by many in the communities HITRUST is visiting.
One final note worth mentioning before we wrap up: Hector Rodriguez, WW Health Chief Information Security Officer at Microsoft, extended an invitation to keep the dialog going well after this event completed. Rodriguez suggested that the group get together on a regular basis to discuss the challenges they all face in managing their security posture.
One of the hospital systems in attendance also echoed this suggestion, offering that they already have a CISO security forum in the greater Seattle area where they look to bring in new topics for the group to discuss. There was interest in having HITRUST attend one or more of these CISO sessions to continue the conversation with a deeper dive into the HITRUST programs. This group extends beyond the healthcare space, and they believe that the HITRUST programs would be a welcome addition as organizations look to meet a variety of standards and regulations as part of the larger industry’s compliance requirements, not just the healthcare specifics. There was also an offer by HITRUST to engage the State of Washington in discussions around accepting a HITRUST assessment in place of any proprietary information security questionnaires or requirements. This discussion will be happening in the upcoming weeks.
Even though we have a few under our belt now, we’ve only just begun. We have over 30 CEP sessions planned and will consider adding more if the demand is there. The next CEP session is in Irvine, CA on Dec 7, followed by Princeton, NJ on January 26. So, if you’re in the area, we hope to see you there.
Be sure to check out the CEP schedule to see if your town is listed. If not, you can always request that your town be added to the list – or, better yet, you could offer to host a session if you are so inclined. It’s a safe bet that your community will thank you for it.