Mike Parisi, Vice President, Assurance Strategy & Community Development, HITRUST
We flew in from San Francisco for a HITRUST Community Extension Program (CEP) today in Nashville, Tennessee. It was our second CEP event this month, as we also attended a HITRUST CEP in Tampa a few weeks ago.
With at least 40 people in the room, there was a lot of interest in HITRUST, security frameworks, and new solutions on the market.
Vanderbilt University Medical Center
Andrew Hutchinson, CISO, Vanderbilt University Medical Center
The Nashville HITRUST Community Extension Program began with remarks from Andrew Hutchinson, Chief Information Security Officer at Vanderbilt University Medical Center.
Here are my takeaways from Andrew’s presentation:
- There are over 25,000 employees within Vanderbilt University Medical Center (VUMC)
- A vendor security questionnaire is also known as “the gauntlet of fire.”
- Andrew is a founding member of the Provider Third-Party Risk Management council.
Drew Hendrickson (LBMC)
After Andrew’s remarks, Drew Hendrickson spent a few minutes on the scope of services provided by LBMC. For example, I learned today that Nancy Spizzo is the longest-serving HITRUST assessor in the business.
HITRUST Nashville CEP – My Takeaways
Here are my takeaways from the HITRUST CEP event in Nashville today:
- “What are the common security challenges that we’re all dealing with?” (Mike Parisi)
- HITRUST was born in the healthcare vertical. It is now industry agnostic.
- HITRUST CSF now stands for CSF.
- “The real value is in the framework.” (Parisi)
- 81% of US hospitals leverage HITRUST frameworks. This does not mean however, 81% of hospitals have HITRUST certifications.
- Certification is a journey.
- “If you can achieve certification, great. But start with the framework.” (Parisi)
- Travel and Leisure is a vertical of interest to HITRUST.
- Communicating security gaps is hard to convey to boards.
- “We work with everyone.” (Parisi)
- Mike queried the room about their use of Fair methodology. It’s a new partnership HITRUST has with Fair.
- “Frameworks are like lawyers, everyone’s got one. But if you choose the wrong one, you can get in a lot of trouble.”
- Start with risks, then look for the framework that can address those risks. Don’t start with the framework.
- “The CSF is not a silver bullet… but it’s pretty close.” (Parisi)
- Parisi emphasized that HITRUST is a Controls-based Risk Management Framework.
- “Assess once. Report many.”
- “There a lot of frameworks out there are not updated to reflect the current threat landscape.” (Parisi)
- HITRUST chooses its authoritative sources via market feedback.
- In HITRUST CSF version 10, every authoritative source will be selectable.
- Version 10 is a cleanup of the framework. It’s scheduled for release in Spring 2020.
- The four legs of the HITRUST Assurance Program stool:
- Risk management methodology
- A Controls-based risk management framework
- An Assurance program
- The certification itself
- Unlike a SOC report, HITRUST CSF does not allow carve-outs.
- There was considerable interest in the HITRUST Shared Responsibility Program.
- Unless explicit consent is given, HITRUST does not disclose which organizations have HITRUST certification.
- HITRUST is beginning work on a Products and Services guide in the CSF. It’s expected for release in about 8-10 months.
- When I was asked to share some remarks on the HITRUST RightStart program, a lot of heads nodded when I mentioned the fact that email ranked as the top breach vector for 12 of past the 15 months in our HIPAA Breach Reports.
- There’s only two types of assessments: Self-assessment and Validated assessment.
- “Not all assessors are created equal. Keep that in mind.” (Parisi)
- Pro tip: Reach out to your cyber liability insurance carrier and let them know you have HITRUST. You may get a cheaper premium of up to 50%.
Types of HITRUST CSF Assessments and The Journey to Certification (LBMC)
Nancy Spizzo (LBMC)
After Mike’s presentation, Robyn Barton and Nancy Spizzo spoke about the two types of HITRUST CSF assessments and the the Journey to Certification.
One thing of note, Nancy strongly advised against putting “N/A” on a HITRUST CSF application. In fact, she doesn’t allow it for her clients.
Robyn Barton (LBMC)
Lastly, Drew Hendrickson hosted a panel that focused on organizations that have undergone multiple HITRUST certifications.
The panel consisted of:
- J.R. Garrett, Chief Legal & Risk Officer, AdhereHealth
- Sebastian Haupt, Vice President of Enterprise Systems, Onlife Health
- Blake Beller, Director of Information Security, Change Healthcare
HITRUST Community Extension Program
Nancy Spizzo, Ashley Barton, and Robyn Barton
The HITRUST Community Extension Program (CEP) was created to promote education and collaboration among organizations in the HITRUST ecosystem. The primary objectives of CEP events are to help organizations adopt and leverage various HITRUST programs and resources.
These town hall events are held across the country, coordinated by HITRUST, and hosted by organizations within the community. HITRUST CSF Assessors normally facilitate the program.