As the HITRUST 2015 conference in Grapevine, Texas ended, I was reminded of the numerous predictions that flagged 2015 the year of the [healthcare] breach. And in just the first half of the year we’ve already witnessed three mega breaches that combined to compromise over 90 million patient records. At the HITRUST conference attendees were greeted with a plethora of speakers ranging from payers and providers to service providers and certified practitioners, Coalfire included.
The conference kicked off with a full day dedicated to cloud security. While the speakers covered the gamete of cloud services, i.e., IaaS, PaaS, and SaaS, one topic was synonymous across all presenters. That is, in response to the need for compliance, security, and risk management, cloud service providers need to be fully transparent in the services they provide, how security is enabled, and where control ownership is differentiated between the cloud service provider (CSP) and the customer. Additionally, with 65% of organizations embracing the cloud (according to a Verizon report) it’s essential for organizations to perform due diligence to ensure patient information is safeguarded in a manner that conforms to the customers' appetite for risk. Per Kurt Hagerman of Firehost, organizations should do their due diligence when selecting a CSP, including: performing risk assessments that acknowledge the risks that CSPs present, obtaining evidence of CSP control design and effectiveness, and monitoring CSPs’ ongoing compliance just to name a few. All of this can be easier to digest if the CSP can provide assurance by way of a HITRUST certification.
Day two started out with an informative (understatement) presentation by Anthem’s Chief Information Security Officer, Roy Mellinger. He delved into the facts behind the recent Anthem breach including pre- and post-breach activities, as well as an in-depth look at the lessons learned after identifying and responding to the advanced persistent threat (APT) attack. He told the audience how the “micro can change the macro” by discussing the often unmitigated risk that end-user devices represent to organizations.
Another interesting topic of the day was about using HITRUST assurance to manage third-party risk. Several organizations including Blue Cross Blue Shield of Michigan, United Health/Optum, and Humana discussed their approaches to vetting the IT security posture and risk exposure of their downstream business associates. While most leverage questionnaires, ranging from home-grown to the full-blown 1,700-question SIG, it was unanimous that HITRUST certification reigns supreme and provides the “fast track” to vendor approval and engagement. Though there is strong speculation, time will tell if HITRUST certification will become the de facto requirement for business-associate compliance.
Day two activities concluded with a networking reception hosted by Coalfire in the atrium of the Gaylord Texan Convention Center. Over a hundred people turned out to mingle with their peers and discuss the ‘latest and greatest’ in the healthcare industry.
Topics on the third day of the conference were primarily focused on breach prevention, detection, and incident response. A panel of IT security executives from Express Scripts, Humana, United Health, and the University of Rochester Medical Center got things underway with a discussion of how each of their respective organizations are maturing their IT security programs, communicating risk with their boards of directors, and improving incident response. All panelists agreed that three of the highest priorities for breach prevention included network segmentation, comprehensive log generation and monitoring, and privileged account management.
Back for a second presentation, Roy Mellinger from Anthem offered guidance on the importance of having a thoroughly defined and tested incident response plan. One area where Anthem excelled during the breach was having a swift and actionable incident response plan that was predefined and previously tested. Guidance for building out a plan included: defining roles and responsibilities, localizing the event while maintaining operations, identifying the extent of the breach and taking corrective action, executing the communications plan with employees, business partners, and the public, and defining post-incident tasks including a formal debrief to identify lessons learned. The reason why incident response is a hot topic is reiterated through the statement, “It’s not if you’ll experience a breach, it’s when.” Based on a Ponemon study in 2014, 68% of C-level executives said their staff is not ready to respond to a breach, their company would not be able to handle negative publicity, and their organization wouldn’t know how to minimize reputational harm through customer, vendor, and public loss of trust.
The final day of the conference concluded with a co-presentation by Brenda Callaway from Health Care Service Corporation (HCSC) and Tom Glaser of Coalfire. Brenda covered the deciding factors for choosing the Common Security Framework (CSF) as well as her perception of the certification process. She explained that the primary drivers for certification were: (1) its acceptance across the healthcare industry, (2) the harmonization of the CSF across other frameworks and regulatory requirements, (3) the reduction in audit fatigue, and (4) the fact that HITRUST certification can be leveraged to satisfy SOC 2 requirements.
Following Brenda’s discussion, Tom Glaser presented the HITRUST certification roadmap from an assessors’ point of view. He covered the process of achieving certification and also underscored many of the common pitfalls that organizations should be aware of. Examples included how to choose the right assessor, knowing when you’re ready for the certification process, understanding the importance of control maturities, and several other important factors. At the conclusion of the presentation the audience responded with many questions, which demonstrated the interest level of this topic.
Looking back, the conference brought to light many of the key topics that CISOs, CIOs, CCOs, CLOs, and organizational boards of directors consider to be the hot topics in the healthcare industry. Given the recent breaches and topics presented, it’s clear that healthcare organizations are no different than organizations in retail, education, and federal government. They have a common concern around breach prevention, cyber risk management, and sound IT security practices that satisfy regulatory requirements.