Well, it’s not exactly live anymore, but it certainly was worth tweeting live from the brand new Cybersecurity Command Center (CCC) at HIMSS 2015 in Chicago a couple of weeks ago, given all the excitement. The CCC was the place to be at HIMSS this year, with standing room only at the educational sessions. HIMSS staff members were busy adding rows of seating to the session area to fit all the attendees who were clamoring for valuable information delivered by numerous speakers, from the FBI to the Secret Service to cyber risk subject matter experts.
They covered important topics such as medical device security, safe cloud enablement, phishing attacks and social engineering, incident response planning, and threat intelligence. These sessions were on top of the usual privacy and security track sessions offered outside of the CCC, which covered many similar topics. I think the highlight was when James Trainor, Deputy Assistant Director for the FBI Cyber Division, presented the key challenges impacting healthcare organizations today. He pointed out that significant breaches like Anthem and Premera are likely to continue as healthcare systems transition to electronic storage and as the black-market value of medical records continues to grow.
At the Coalfire CCC kiosk, security professionals were invited to complete a brief "intake form" and received a custom cyber risk "prescription" to help improve their risk management program. The intent was to determine whether organizations were practicing reactive or proactive cyber risk management. Results showed that while a few organizations are moving toward a more proactive approach to cyber risk, most are still in a reactive mode. For example, many have incident response plans (IRPs) in place but have not tested them in over a year. A best practice in this area is to test your IRP at least every six months, given staff turnover and other changes within your organization over that period; an untested plan may name people who have left, systems that have been replaced, or contacts that no longer answer. We saw an uptick in the number of organizations that are adding penetration testing to their list of best practices, and many are now conducting risk assessments on an annual basis as opposed to every three years.
Most of the work that still needs to be done is in the area of vendor (Business Associate) risk and compliance oversight (no one we spoke with had a formal program in place for this), and almost no one is actively participating in the information sharing activities offered by NH-ISAC and HITRUST. Speaking of HITRUST, we spoke with several organizations that have a HITRUST certification on their radar for the next year, along with considering HITRUST certification as a requirement for their BAs. This is understandable given that HITRUST offers the most rigorous approach to meeting HIPAA Security Rule requirements.
HIMSS plans to triple the size of the CCC at HIMSS 2016 in Las Vegas, which means triple the education and excitement. We hope to see you there!