By Sanjeev Sah, CISO, Texas Children’s
Contributions from Shenny Sheth, Information Security Manager, Texas Children’s
Texas Children’s Hospital is on a journey to enhance its security and compliance posture through the implementation of a robust cybersecurity program. The program approach is based on the HITRUST CSF, CSF Assurance and related supporting methods. The 2016-18 program goal is to become secure, vigilant and resilient. We are on a path to complete foundational remediation while planning for improved capabilities in each of the areas required by the HITRUST CSF. Other Healthcare and Public Health (HPH) sector organizations in the community can consider our experience when designing and enhancing their own cybersecurity programs:
- Understand capabilities, gaps and opportunities. Texas Children’s conducted and leveraged an analysis of its information security posture to understand related capabilities, gaps and opportunities. We engaged an approved CSF Assessor to effectively adopt the HITRUST Risk Management Framework (RMF). The team began reviewing Texas Children’s mission, business purpose, technology stacks and services across the system. After leveraging the HITRUST CSF to navigate and evaluate the complex maze of regulatory and industry requirements, we identified mandated and additional controls for information privacy and protection. The status of each control led us to identify a “gaps” baseline in the program’s maturity, and we accordingly developed a prioritized roadmap of initiatives and projects to address gaps and enhance our capabilities. This understanding led to the development of Texas Children’s cybersecurity program.
- Understand organizational and environmental context. In order to shape Texas Children’s cybersecurity program to our organizational and environmental context, we performed an environmental scan of the enterprise business model and integrated the top priorities of our organization, including our organizational growth initiatives, new facilities construction projects, health plan, financial or consumer-focused services, technology projects portfolio, and payment cardholder data environment. The effort was exhaustive yet essential for the developing cybersecurity program to stay aligned with our business requirements and remain valid. Additionally, we leveraged inputs from our external partners and service providers to better understand the cybersecurity threat landscape.
- Develop a program with stakeholder buy-in. Leveraging available organizational profile data, the team examined key technology-centered processes and artifacts, interviewed personnel, and crafted a program model complete with a prioritized list of control gaps and an action plan. This information was transformed into various formats for consumption by technical, clinical and leadership audiences within our organization. The intent was to socialize, forge buy-in and win budget for all or part of the implementation. It’s a “must do” at any cost so that the implementation can be a ‘breeze’, keeping in mind that CSF controls need to be relevant and appropriate yet flexible enough to provide a measured approach for gauging how we are enhancing security and compliance. It must be flexible to accommodate changes in the industry or the threat landscape; e.g., Texas Children’s produced on-demand education and awareness for the workforce in response to the increased threat of ransomware.
- Why wait? Implement! If you don’t, the cybersecurity program and related action plans quickly become stale – so plough ahead. We created a target profile for the future of the Texas Children’s cybersecurity program. Identified in the target were Waves 1, 2 and 3, corresponding to each year’s sourcing, security reference architecture development, production deployment, post-production verification, service ownership and control compliance re-assessment. Texas Children’s leveraged existing and new staff resources, external advisory services and partnership with its supply chain to become a type of Security Project Management Office. Experience suggests that keeping the ‘lights on’ during such a timeframe is quite difficult. For example, there would be competition between the urgencies of the day and the important work that must be done to move the bar on security and compliance. Execution must take this conflict into consideration and ensure the program cadence and communications are maintained so that stakeholders remain engaged and steadfast in their resolve to move the bar. Tactically, your cybersecurity program must demonstrate flexibility and appreciation for resolving chronic operational challenges; otherwise, program success is destined to suffer!
- Leverage the CSF Assurance Framework. Advance marketing amongst stakeholders allowed the program to gain sufficient momentum and credibility in its second year of life. We have nearly finished bringing to production a comprehensive view of the cybersecurity program through our Governance, Risk and Compliance (GRC) suite. Texas Children’s assurance program focuses on reporting risk to all stakeholders, inclusive of executives and the board. We are creating a new business model where the third-party/vendor security risk validation and certification process is mandatory for our new business associates.
- Remain open for continuous feedback. Any responsible organization has to manage to its financial margins when tasked with operationalizing a large, multi-year program. A great attribute of the leadership at Texas Children’s is that they provide routine feedback to the CISO about program quality and fiscal championship. Where warranted, we modified our budget and adjusted our general course to ensure we continued to make progress as efficiently and effectively as possible.
Executive leaders in the organization must demonstrate how each is overseeing and extending support in the development and implementation of the program. While program tasks can and will have finite timelines for completion, it is imperative that when accomplished, the executives openly recognize the importance of the ongoing security lifecycle. There should be a recognition that each organization will have unique characteristics, culture and complexities that will dictate the time and level of effort required to reach program milestones with intended robustness. Finally, be sure to onboard the right talent, train them and retain them to develop an ongoing baseline of knowledge appropriate to their responsibilities. Happy journeys ahead!