Why HITRUST is Well Positioned to Lead the Way

By Roy Mellinger
Vice President, IT Security and Chief Information Security Officer, Anthem, Inc.
Department of Health and Human Services (HHS) Health Care Industry Cybersecurity Task Force Member and Board of Directors Member, HITRUST

As a healthcare CISO, HITRUST Board Member and Department of Health and Human Services (HHS) Health Care Industry Cybersecurity Task Force Member, I’d like to share with you the key takeaways of the newly released task force report as well as highlight the work HITRUST has already done and can expand on to support this crucial national effort.

Amid the backdrop of recent threats such as WannaCry and the assessment that “healthcare cybersecurity is in critical condition,” 21 task force members from public and private sectors – including 17 from private sector organizations – spent the past year discussing and developing recommendations on the growing challenge of cyber attacks targeting health care, working diligently to balance industry and government perspectives and solicit input from outside stakeholders and the general public.

The Task Force’s discussions resulted in the development of six imperatives (and related recommendations and action items) reflecting the need for a unified effort and a shared understanding that, for the healthcare industry, cybersecurity issues are, at their heart, patient safety issues. As health care becomes increasingly dependent on information technology, our ability to protect our systems will have an ever greater impact on the health of the patients we serve.

The imperatives are:

  • Define and streamline leadership, governance and expectations for healthcare industry cybersecurity.
  • Increase the security and resilience of medical devices and health IT.
  • Develop the healthcare workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
  • Increase healthcare industry readiness through improved cybersecurity awareness and education.
  • Identify mechanisms to protect R&D efforts and intellectual property from attacks or exposure.
  • Improve information sharing of industry threats, risks and mitigations.

The report makes clear that there are many steps public and private partners must take to continue this progress. An important first step is to leverage the work HITRUST has done in developing a healthcare-specific security and privacy framework (the HITRUST CSF) and assessment methodology (CSF Assurance), and to fully support the work the Healthcare and Public Health Sector Coordinating Council (HPH-SCC) has developed and continues to enhance (with HITRUST) for a healthcare-specific implementation guide of the NIST Cybersecurity Framework.

Several of the other HITRUST programs that answer many of the recommendations include:

  • CyberAID – An innovative, new, low-cost program designed to help physician practices by providing them with a cyber security solution designed to support their small business environment.
  • CSFBASICs – A streamlined risk assessment approach for small healthcare organizations.
  • CyberRX – The only healthcare-focused cyber exercise coordinated with HHS, DHS and the FBI.
  • Health Sector-tailored Cyber Insurance – Insurance providers underwriting healthcare industry-specific cyber insurance programs leveraging the HITRUST CSF and CSF Assurance program.
  • Cyber Threat XChange (CTX) – The most active cyber threat sharing platform that automates the process of collecting and analyzing cyber threats and distributing actionable indicators (IOCs) that organizations of varying sizes and cyber security maturity can utilize to improve their cyber defenses. Subscription available at no cost.
  • De-Identification Framework – Provides a consistent, managed methodology for the de-identification of data and the sharing of compliance and risk information amongst entities and their key stakeholders.
  • HITRUST Threat Catalogue – An offering that maps the HITRUST CSF control requirements to the enumerated threats, giving greater visibility into areas representing the greatest risk exposure for companies.

While the report highlights a number of shortfalls in the industry, the fact remains that companies must continue to invest in security and risk management and move from a compliance mindset to a risk management mindset. HITRUST is uniquely positioned to lead the way forward and work with HHS, policymakers, law enforcement and industry to mitigate risk, protect patient information and maintain consumer confidence in the healthcare industry’s safeguarding of their information. HITRUST is committed to doing more and will review and work with the healthcare industry on implementing new programs and/or expanding existing programs.

I encourage organizations to leverage tools already available from HITRUST and to get engaged in HITRUST activities to have an influence on the future direction.

HITRUST has been supporting the information risk management and compliance needs, including those of cyber risk, in the healthcare industry for the last 10 years and is as committed as ever to supporting our industry. We are all in this together, and I look forward to raising awareness and strengthening the industry’s cyber resilience.