Reporting LIVE from the HIMSS 2015 Cybersecurity Command Center

Andrew Hicks, Managing Principal, Coalfire

Well, it’s not exactly live anymore, but given all the excitement it was certainly worth tweeting live from the brand new Cybersecurity Command Center (CCC) at HIMSS 2015 in Chicago a couple of weeks ago.  The CCC was the place to be at HIMSS this year, with standing room only at the educational sessions.  HIMSS staff members were busy adding rows of seating to the session area to fit all the attendees who were clamoring for valuable information delivered by numerous speakers, from the FBI to the Secret Service to cyber risk subject matter experts.

They covered important topics such as medical device security, safe cloud enablement, phishing attacks and social engineering, incident response planning, and threat intelligence.  These sessions were on top of the usual privacy and security track sessions offered outside of the CCC, which covered many similar topics. I think the highlight was when James Trainor, Deputy Assistant Director for the FBI Cyber Division, presented the key challenges impacting healthcare organizations today. He pointed out that significant breaches like Anthem and Premera are likely to continue as healthcare systems transition to electronic storage and as the black-market price of medical records keeps rising.

At the Coalfire CCC kiosk, security professionals were invited to complete a brief "intake form" and received a custom cyber risk "prescription" to help improve their risk management program.  The intent was to determine whether organizations were practicing reactive or proactive cyber risk management.  Results showed that while a few organizations are moving toward a more proactive approach to cyber risk, most are still in a reactive mode.  For example, many have incident response plans (IRPs) in place but have not tested them in over a year.  A best practice in this area is to test your IRP at least every six months, since staff turnover and other changes within your organization during that period can leave the plan out of date.  We saw an uptick in the number of organizations adding penetration testing to their list of best practices, and many are now conducting risk assessments annually rather than every three years.

Most of the work that still needs to be done is in the area of vendor (Business Associate) risk and compliance oversight (no one we spoke with had a formal program in place for this), and almost no one is actively participating in the information sharing activities offered by NH-ISAC and HITRUST.  Speaking of HITRUST, we spoke with several organizations that have a HITRUST certification on their radar in the next year, along with considering HITRUST certification requirements for their Business Associates.  This is understandable given that HITRUST offers the most rigorous approach to meeting HIPAA Security Rule requirements.

HIMSS plans to triple the size of the CCC at HIMSS 2016 in Las Vegas which means triple the education and excitement…we hope to see you there!
