
An interview with Michael Parisi: New threats to organizations and compliance shifts

Written by Hannah Trum | August 11, 2020
Encrypted Interview Series

The Paubox Encrypted Interview Series allows us to chat with leaders in healthcare IT, compliance, and cybersecurity to pick their brains on trends and best practices. In this Encrypted Interview, we chat with Michael Parisi, Vice President, Assurance Strategy & Community Development at HITRUST.

Early career and professional growth

Sierra Reed: Before you joined HITRUST, you worked at PricewaterhouseCoopers and have been in the industry for a number of years. How has this experience helped you in your current role?

Mike Parisi: Yeah, it's a good question, Sierra. Reflecting on my experience with PwC, it's helped me tremendously in my current role for a number of different reasons.

Not only did I have the opportunity to learn the concept of auditing and providing assurances relative to security and privacy, but I think that the most valuable aspect of working within that environment was learning and understanding how to work with people. Building relationships is everything that we do.

I think, regardless of what our career is, what company we work for, with what industry we're in, if you don't understand and appreciate how to work with people and build relationships, you're not going to be as successful as you can be. 

That's what I really learned. What I take away from PwC is not only having to work with multiple different individuals internally across the firm but certainly externally right from a client and from a stakeholder perspective. 

Having the opportunity at such a, I'm going to date myself a little bit, at such a young age back then to interact with individuals that were in higher positions with clients and within organizations. 

Having that opportunity so early in my career was invaluable because you are the one that's looked at within that setting and with a professional services firm like PwC. You're looked at as the expert, and you're looked at as the one that needs to provide perspective. 

The stakeholders sitting across the table from you, or maybe in this day and age, sitting on virtual calls from you, asking questions and wanting you to provide perspective, that's going to help them, and sometimes that perspective is the greatest value that you can provide along with connecting personally… and the rest, you can figure out together from there.


Current role

Sierra: I totally agree, and knowing you personally, your greatest asset, Mike, is being able to talk to people, you're very personable, and that is what makes you great at your job. So how did you end up at HITRUST?


Mike: Yeah, so that's an interesting story in another chapter. So when I was at PwC, ironically enough, I worked in and ran their HITRUST practice. So I was very familiar with HITRUST as an organization and the standards and the assessment process. 

And I had the responsibility for managing a team across the country that was executing HITRUST related services, whether it be consultative or readiness or actual full assessments and certifications throughout the country. 

Even prior to that, when HITRUST services were still just an idea, the organization at that point in time and a number of the stakeholders had reached out to some professional services firms to help them create the idea and the initial programs that they were going to release to the marketplace the very first time. One being the CSF and the control framework.

So back then, I had the opportunity to be part of the working group that actually created aspects of the CSF. Later on, once the organization took off, and the successor program became part of the organization, I was one of those assessors.

So throughout the years, not only working with organizations from a HITRUST program perspective but also working with HITRUST themselves, I identified a number of opportunities for improvements relative to HITRUST, and so many great programs and so many great ideas.

I saw an opportunity to assist the CEO directly and also the organization to adopt and take that more broadly. I got to a point in my career at PwC, multiple years of working in the professional services space, and Big Four... it can take a toll on you, and I had a number of personal things that were health-related and family-related that all kind of hit me at once.

In addition, there were some things that were happening within PwC that, frankly, didn't really align to my own personal and professional values that I knew were going to be coming down the pipe. 

So at that point in time, I think we all collectively felt that it was a good time to move on and seek out a new opportunity. I wanted to do something completely different. So I went from a very large private for-profit consulting organization to a very small, almost like a startup, not for profit organization. 

I had the opportunity, based upon conversations with the CEO, to come hang my hat for a while and give some ideas in terms of what we can do with the company in three years, and two months later, I'm still here.

Sierra: And what's the biggest challenge or mission you have at HITRUST currently?

Mike: Yeah, you know, I'm going to give you a couple. The demand for our programs and the assurances that we provide to the marketplace. I would say, especially the last year has outpaced our own internal growth. 

So one of our biggest challenges is to make sure we continue to scale up to meet the demand that exists within the marketplace. That's one. Then two, and I would say that the second challenge is probably more of a challenge than the first one.

The first one is more tactical and operational. But second is getting more organizations to recognize the value of the programs and to adapt and leverage those programs. That only comes through conversations and education to make sure they understand everything that's included within the programs themselves.


New threats being introduced to organizations

Sierra: What new threats are being introduced to organizations with the COVID work-from-home shift?

Mike: Yeah. That seems to be the leading question these days, and I won't spend a lot of time on the obvious things that I think a lot of individuals have brought up, such as the shift to working remotely. Obviously, there's been some new threats and challenges for some organizations that have not been accustomed to that type of environment in the past.

Those that are really focused on being in an office every day and now having to shift to work remotely or work from home naturally will introduce a number of new threats. 

Everything from... do you have the appropriate hardware security configurations at home from a network perspective? But I'll add a little twist on that which would be IoT. 

Now it's one thing if you're sitting in an office and you've got your phone with you, and you know your phone's always listening anyway. But now all of a sudden, you take that individual, that employee, and you drop them within their home. Well, now, there's multiple devices and things that are listening. 

How many people have Alexa? How many people have other types of these things within their home? And then things that you don't even think about? 

It's so funny you bring this up because I was talking to a good friend of mine who's with a large health plan this morning, prior to us having this discussion. 

He gave the example that he was sitting in his kitchen, and he was on a work call. He's in information security, and they were discussing some pretty sensitive topics, and his backdoor slider was open on his patio. 

He just had it open to let in the air, and his wife was sitting outside while he's having this conversation. So his wife came inside, closed the patio door, interrupted him, and said, "I just heard your entire conversation, and our neighbor is on the other side of the fence, which means they heard too."

So it's not just about the environments and the devices, but it's also the activity and the behaviors that can introduce a lot of risk. But that's not the riskiest thing that I'm concerned with. The riskiest aspect, or the new threat, is not knowing what we've introduced or let in the door.

What I mean by that is, when you look at organizations impacted by COVID, one of the things that most, if not all, organizations have had to do is they've had to bring on contract, introduce new business partners into their environment in order to address COVID.

So whether that's...we have to use more software, we have to use the cloud more, we have to buy new hardware to ship to people's houses. If it's in the healthcare space, we need to get as many ventilators in the door as we possibly can. 

We need personal protective equipment, right? So all of those things have forced us to create new business relationships and bring on vendors quicker than we've ever had to before. 

Naturally, as part of that process, when we think about COVID, the ultimate risk is the loss of human life. We're going to get those vendors on quicker, and we're probably going to cut some corners and not have done as much due diligence as we've done in the past.

What worries me is, if we don't go back and close those doors that we opened up, what are those new threats and vulnerabilities that are lurking, sitting there now? Where six to nine months down the line, they can actually show how ugly they can be.


Regulatory and compliance shifts

Sierra: Right. And the new threats that you're mentioning, how do you think that these new threats are changing the regulatory and compliance landscape?

Mike: Yeah, so that's another great, great question. I'll give you a couple [of] different perspectives there. There's a difference between what I would call the regulatory and compliance landscape and standards and requirements versus enforcement. 

So I would tell you, there is no relaxing; there are no public statements that say the regulations or the requirements are being removed. The expectation is, and the fact is, they're still there, right?

Everyone is expected to be performing appropriate procedures, executing appropriate controls, having stopgaps in place, etc., in line with all of these requirements.

As a matter of fact, even when you look at something like HIPAA... HIPAA indicates that you must maintain compliance with the standard, even in times of operating in emergency mode.

It actually says that, right, from a requirements perspective. What's changed is the enforcement. So when you look at entities like the OCR, I mean the OCR has publicly indicated that we recognize during these times, you need to be able, from an interoperability perspective, to share more information openly across health information exchanges and hospital systems.

When you look at what happened in New York back in April, and so recognizing that the speed of sharing data offsets the ability to protect it appropriately, they've indicated that we will relax enforcement of the standards. 

Although you should be following it still, during these times and recognizing that organizations may have to relax the ability to enforce it.

I don't know that I necessarily agree with that. I think I would say that if you've made appropriate investments and a strong security and privacy program and solutions and tools, then you should already be in a good position to continue compliance and operation and enforcement even during times like this. 

And the last perspective I would give is when you think about the concept of business continuity plans... it's funny back in my PwC days, we would come across those requirements and those controls, and we would kind of laugh and say, yeah, these things are never really used.

Let's just make sure that they're doing a tabletop exercise, and there's a policy and a procedure in place, and they're never going to have to use that. 

But that has certainly changed, and I think what you will see is you'll see more requirements and regulations standards, relative to business continuity and being able to react to things like a pandemic, in the upcoming years.

Sierra: Do these new threats change how organizations should interact with third parties/vendors?

Mike: Yeah, good. Good question. I think it definitely does in a couple of different ways. So as I mentioned before, out of necessity, I think it has changed the onboarding process and how we interact with vendors during the onboarding process. 

So we may be willing to not have as much transparency and comfort relative to security and privacy upfront with the understanding that we will go back and revisit it later on. 

I think that's one behavior change that's happening for all organizations. The future outcome of that, knowing that's put us in an uncomfortable position, right, because we don't know what we don't know, is I think you'll see more and more in the future of organizations unwilling to even enter into a relationship with the third-party unless they have those assurances upfront relative to security and privacy. 

I think they're going to start building their directory of third parties or business relationships that they can call up in the event that they need them. 

They're going to build that based off of who has strong security and privacy posture that they can contact at any point in time to engage for necessary services. I think those will be some behaviors that change.

Sierra: Okay, great, and my last question... Are on-site audits going to be a thing of the past with companies shifting to a remote-only workforce?

Mike: Another great one and one that we talk about a lot. It is difficult to tell at this point in time; however, I do believe they will come back. But you may not see them performed as frequently as they were before. And what I mean by that is today, it's not an option, right? 

So auditors are finding different ways, and authoritative bodies that enforce certain requirements are relaxing their standards. We did from a HITRUST perspective, right, or recognized the challenges.

We said ...hey, we're going to provide a waiver for on-site validation procedures we have. So I say from the auditing organizations, the authoritative sources and standard bodies are really having a good look inside themselves and saying, if we were able to get it done this time, and if we were able to relax our standards this time, why can't we continue that model? 

I think here's the difference. It's all about how far can you extend or extrapolate assurances. And if one year you're doing an on-site audit, and the next year, a pandemic hits and you're not able to do an on-site audit, and you could still provide that same level of assurance and auditors can still issue their opinions, etc. 

When does that become stale? And maybe they've done some additional alternative procedures to extend or extrapolate the assurances, but at some point, it's going to become stale. Right? 

So maybe we'll see a model where it doesn't all go away, but it shifts to every other year. There's an on-site audit as an example. So I don't think you'll see them fully go away, but I do think they will be more relaxed and not as rigid as they've been in the past.

Sierra: And Mike, how do you keep up with industry trends? Do you listen to any good podcasts, read any good blogs, newsletters, anything that we should be following?

Mike: Yeah, I mean, I'm doing a number of different things. You know everything from looking at Flipboard with topical items and articles that are relevant to the industry. I stay in contact with a lot of the industry thought leaders relative to, obviously, security, privacy, third-party risk management.

I interact with a lot of the other standards organizations and authoritative sources, right, such as CMS, HHS, NIST, etc., and follow some other organizations that are thought leaders within the third-party risk management space.

So I do a lot naturally, but I would tell you, most of my updates are from talking to people. And it's just understanding, you know, what are they seeing, what are they dealing with, maybe hearing about something new or something interesting. 

Taking a note on that, and then going back and doing like my own research, to learn more about it.

Sierra: My last question for you is, what do you do to de-stress and relax? I know that, but I don't think our listeners know that.

Mike: Yeah, yeah, de-stress, and relax. You know, I would tell you, some of those things are the same as they were before. And some things are naturally different considering the environment that we're having to live with within today. 

I'm certainly a big fan of wine. So I enjoy the hobby of exploring and naturally drinking wine, especially being in Northern California. I love spending time with my family, of course, kids, friends, and also our dog, who just recently got out of surgery yesterday.

So looking after her right now. So you know, all those things were things from before. Also, today, we love to travel as a family. That's something that we really enjoy and exploring new places. 

Naturally, that is not something we're able to do right now. We're looking forward to when we can begin to do that again and have no agenda on those trips, just really exploring and being open. And so what that's been replaced with, maybe it's a little more tactical, but every day we make a point to cut the workday off and go for a walk with the family, with the friends, with the dog every day, right, get out of the house, clear your mind.

I guess it's a form of a trip and travel, to the extent that we can do it right now. Yep. But that's important because in today's day and age, it's funny, and you know, you're probably experiencing this as well, Sierra.

I think working from home, of course, has its benefits, but it has its detriments as well. I get a lot of people are working from home more now without breaks and without ways to escape than they have been before just because the laptop is always on.

You don't have to necessarily commute to work, or your commute is very short to your desk. As a result, I think, as a society, we are working a lot more now than we have before, and it becomes harder to draw those lines. You know, to stop working and shift to the personal life. So it's really important to have some diligence in place.

Sierra: I agree with you, and I think that the lack of human interaction is detrimental to our emotional stability. We need human interaction, to touch other individuals; we need to talk and interact with others. So I agree with you on that. We've been trying to get out more and go on walks and get some sun as well. So I appreciate all of that, and I appreciate your great insight today. Thank you so much.