Written by HITRUST Independent Security Journalist Sean Martin.
As part of the commitment to support and engage with healthcare organizations to help them adopt and leverage the various resources relating to cybersecurity, HITRUST launched the Community Extension Program to promote education and collaboration. These town hall events are held across the U.S. and hosted by organizations within the community and facilitated by HITRUST CSF assessors. Here are highlights from two recent sessions:
Highmark Health Community Extension Program Event
Much of the discussion at this CEP, held in February, focused on reporting to senior management and the board of directors. One of the presenters, Omar Khawaja, the CISO for Highmark Health, talked about his journey as the organization’s CISO, dealing with a number of past regulatory challenges that needed to be remediated while spinning up a new services company to extend health plan management beyond the information handled by Highmark.
“As we were in the process of acquiring a health organization, we realized our information management systems were decentralized,” Khawaja said. “We needed a way to centralize, streamline, and manage all the data using just one method. The collection of the HITRUST CSF framework and programs offered the best approach—there really was no other answer given all of the challenges we had to deal with.”
The first challenge Khawaja faced was selling his own organization on the need for an approach like the one the HITRUST Assurance Process offers, and on how the supporting framework could positively impact the business, as opposed to the common misconception that it only consumes time and money. It took about one year to complete this step. While it took longer than desired, it was a necessary step that set the stage for success moving forward.
With this win under his belt, Khawaja then started down the assessment path leading to certification; this program took him about two years to complete. Once the certification was in place, the third part of the journey involved determining how to leverage the certification as a differentiator to grow the services organization while also keeping third-party risk in check as that part of the ecosystem was growing exponentially. Khawaja leveraged the HITRUST Third Party Assurance process by asking all of his Business Associates to undergo HITRUST assessments in place of proprietary information security questionnaires issued by Highmark and, in some instances, on-site audits traditionally executed by Highmark. This approach proved much more efficient and effective for both Highmark and its third parties.
Certification Process Outline
- Determine the method to achieve certification
- Sell the benefits internally
- Complete the steps to achieve certification
- Reap the benefits
Because Highmark Health is both a Business Associate (BA) and a Covered Entity (CE), Khawaja can talk about certification from both perspectives. On the CE side of the house, the organization is both a health plan and a hospital system. Combined with the BA aspects, the organization meets just about every definition associated with contractual obligations, risk management, and compliance. By leveraging HITRUST programs across the entire organization, they bring streamlined operations and consistency to everything they do in risk management, cybersecurity, and compliance.
Cleveland Clinic Community Extension Program Event and Pre-Event Dinner
Prior to the Cleveland-based CEP event held in April, there was a cybersecurity dinner the night before, co-hosted by the Cleveland Clinic and the American Medical Association (AMA). The AMA and HITRUST partnered to host this event with the goal of ensuring that healthcare organizations that make up the healthcare ecosystem have access to trusted information and strategies designed and proven to effectively address the threats of ransomware and other cyberattacks.
The group offered a crash course in cybersecurity for doctors—discussing cybersecurity through the lens of a physician.
Some of the topics discussed during the dinner included:
- Performing cyber and HIPAA risk assessments
- Fundamentals of good cyber hygiene
- Implementing cost-effective and manageable cybersecurity solutions within a practice
- Lessons learned and first-hand experiences from physician practices
The CEP event, which took place the day following the dinner, was facilitated by BEYOND LLC. The event was heavily attended by Cleveland Clinic professionals from all different areas of the organization: information security, compliance, third-party risk management, IT practitioners, legal representatives, and contract/procurement teams as well as the chief integrity officer. BAs that partner with the Cleveland Clinic were also in attendance.
Topics covered included cybersecurity requirements in the context of delivering better care; how a security framework can help achieve the requirements in a care delivery model and in relation to what physicians do in their day-to-day activities; and why following a defined risk management program governed by a common set of controls is the most efficient and effective way for doctors to achieve security in their environment—including other doctors in their organization and in conjunction with surrounding hospitals and clinics.
“The Cleveland Clinic is all-in across the organization for information security as the basis for our third-party risk management program going forward,” said Vugar Zeynalov, Chief Information Security Officer at the Cleveland Clinic.
While there was plenty of talk exploring the technological challenges faced when looking to achieve compliance, much of the discussion focused on how to tackle the common challenges of InfoSec and assurance from the perspective of physicians. This was an interesting approach since other CEP events have largely taken on the challenge from the viewpoint of health plans and BA organizations that do business with the health plans. But this group realized the industry needs to change the discussion to focus on doctors and people. In order for physicians to better understand these risks and initiatives, we need to communicate them in the context of how they could impact patient health and life and not business management.
In addition to these in-depth discussions, this CEP session included a well-received CISO panel consisting of Ray Beyondo from BEYOND LLC, Kurt Hagerman from Armor, Vugar Zeynalov from the Cleveland Clinic, and Michael Parisi from HITRUST. The panel was led by Ray Biando, and the panelists discussed how challenging it can be to find an efficient and effective program and approach to address broad risk management and security risks within any organization, in addition to compliance risks. Each panelist explained how they are leveraging HITRUST programs to achieve the most effective and efficient approach to risk management within their own organizations, in addition to using the adoption of these programs as a differentiator in the marketplace.
The group concluded that the discussion needs to move away from InfoSec and turn into a people discussion. When talking about InfoSec and cybersecurity, discuss it through the lens of the doctors and patient well-being. It is about care delivery and patients—it’s all about putting patients first.
If a medical device is monitoring a patient’s vitals and has a security vulnerability, for example, it’s not about the personal data; it’s about the life or death of the patient. If the integrity of the information associated with a patient health record is compromised, incorrect care could be delivered and thereby cause harm to the patient, such as the incorrect delivery of medication or a misdiagnosis of allergies, to cite a couple of examples.
The CISO panel presented some HITRUST truths and myths:
- Adopting and complying with the HITRUST CSF is more complicated compared to other frameworks (myth)
- Getting assessed against the HITRUST CSF is more expensive than other assessments (myth)
- Establishes market differentiation (truth)
- Represents a consistent process recognized throughout the industry (truth)
- Organizations need a common language to speak with each other (truth)
Building Blocks to Better Collaboration, Risk Management and Cybersecurity
As the attendees at these two events realize, given the persistence of cyber-related threats, healthcare organizations of all sizes need to consider improvements to their information risk management, regulatory compliance, and cyber resilience programs. But they also need to do so in an efficient and effective manner. For many organizations, the HITRUST tools and programs are fundamental resources for achieving their goals.
HITRUST’s experience has shown that education and knowledge-transfer play a fundamental role in simplifying the process, shortening the time in adopting its programs, and maximizing their value. Also, many benefits are gained in collaborating with peers to share lessons learned, discuss best practices, and establish relationships that support ongoing knowledge-transfer and collaboration as it relates to implementing the HITRUST CSF and addressing the latest cyber threats.