Mike Parisi (HITRUST)
We flew in from San Francisco for a HITRUST Community Extension Program today in Tampa, Florida. It was sponsored by 360 Advanced and hosted at Microsoft’s Tampa office.
There were about 20 people in the room and it was an interactive event with meaningful discussion.
HITRUST Tampa CEP – My Takeaways
Here are my takeaways from the HITRUST CEP event in Tampa today:
- Open discussion encouraged
- HITRUST works with everyone (re: standards and frameworks)
- 149 controls in HITRUST
- CSF does not actually stand for anything now. “It just means the CSF.”
- It was Mike Parisi’s 47th CEP event
- The CEP event was designed to be framed around business challenges, specifically around security.
- A common theme is working groups getting created out of CEP events
- HITRUST is now industry agnostic
- Mike Parisi’s two roles at HITRUST:
  - VP of Assurance Strategy
  - Community Development (focused on education)
- “The gray has gotten much larger, as far as who is a health care company and who is not.” (Mike Parisi)
- Re: Security Frameworks: “Leverage what you’ve already done. Don’t start over.” (Parisi)
- Overheard in the room: “You cannot make risk go away by buying more insurance.”
- “What I’m here to do is provide some perspective around HITRUST programs you can leverage.” (Parisi)
- Financial Services was the first industry outside of healthcare that came asking about HITRUST
- “Today’s event is really whatever you want to make it.” (Parisi)
- Assess once, report many.
- Security discussions should start with risks to the organization, not the framework.
- Driving factors behind HITRUST version changes:
  - Changes to underlying authoritative sources
  - Changes in the threat landscape
  - Market demand (e.g., GDPR)
- HITRUST v10: A cleanup. Will focus on being industry agnostic. Not out yet (March 2020 ETA)
- The 4 legs of HITRUST:
  - Transparent Framework
  - Assessment Methodology
  - Third Party Assurance program
  - HITRUST Certification itself
- Targeted Assessments: As of version 9.3, you can run an assessment against a single authoritative source (e.g., PCI only)
- Contracting process is a big nightmare right now in enterprise healthcare
- There are no scenarios where it makes sense, for either vendors or customers, to do dozens of unique assessments around information privacy and security.
- There are only two types of HITRUST Assessments: Validated Assessment and Self Assessment
- There are 85 approved HITRUST CSF Assessors
- By design, HITRUST does not perform assessments itself
- HITRUST RightStart Program: Paubox was the first company to go through it.
- The Provider Third-Party Risk Management Council was brought up by Chip Council.
- The Shared Responsibility Program was also actively discussed. Microsoft is leading the charge in this respect right now.
- “I always catch everything, by the way.” (Parisi)
- “Organizations are not certified. Scopes are certified.” (Parisi)
- 360 Advanced does a lot of integrated assessments. “Scoping is key.” (Eric Ratcliffe)
- “Work with your assessors as early as possible.” (Parisi)
- The MyCSF tool is an annual subscription. It is not required for HITRUST certification but is highly recommended.
- HITRUST Assessment XChange: Allows third parties to share assessment reports with prospects and customers
- Travel and Leisure is on the radar for HITRUST
HITRUST Community Extension Program
Chip Council (Shriners Hospitals) checking in while Greg Hoffman (Paubox) shakes hands
The HITRUST Community Extension Program (CEP) was created to promote education and collaboration among organizations in the HITRUST ecosystem. The primary objectives of CEP events are to help organizations adopt and leverage various HITRUST programs and resources.
These town hall events are held across the country, coordinated by HITRUST, and hosted by organizations within the community. HITRUST CSF Assessors normally facilitate the program.