HITRUST held its first Community Extension Program meeting last week at Tufts Medical Center in downtown Boston, discussing challenges, best practices, and lessons learned in healthcare risk management programs. One of the overarching goals of the program is to help organizations of all sizes improve their approach to healthcare cybersecurity.
The town hall style events aim to promote “greater collaboration between organizations across the country,” HITRUST previously explained.
The September 14 meeting was a great success, bringing together healthcare security executives from numerous New England states, including Connecticut, Massachusetts, New Hampshire, Rhode Island, and Vermont, according to Tufts Medical Center CISO Taylor Lehmann.
“One of the main goals of the forum was to bring together a community of practitioners in this area to get to know one another, build relationships, and create a community of practitioners who could leverage each other’s skills and capabilities to be more resilient at their own organizations,” Lehmann told HealthITSecurity.com.
“We also wanted to leverage and communicate around best practices,” he continued. “For folks who may not know what those are, we brought in HITRUST and PwC to talk about their observations in addition to Tufts and other participants sharing what their best practices were. We talked about risk management, effective board reporting, and governance.”
Lehmann added that the day’s events with HITRUST and PwC spent a good amount of time discussing best practices in risk management, risk assessments, and how to properly leverage certain best practices.
“Overall, there aren’t enough of these types of meetings that happen,” he stated. “And for us to begin to build a community around health information security and share some of those best practices, is a step in the right direction.”
The HITRUST program is also set to have events in Houston, Texas; Denver, Colorado; Dallas, Texas; Cleveland, Ohio; and Seattle, Washington. Topics will include aligning information risk management and cyber insurance programs, structuring and implementing risk management programs, and considerations in implementing the HITRUST CSF.
One of the key discussions at the Boston forum was how organizations should approach risk management, as well as the common methods that entities are using, Lehmann explained.
“It’s largely about having consistent approaches,” he said. “Ones that we can talk about openly, and have a common language around cybersecurity in healthcare. We also need to have a way of benchmarking each organization against each other, because we’re all in a sense doing the same thing.”
The healthcare threat landscape was also a hot topic for the day, Lehmann added. It’s important for healthcare organizations to hear what other entities are actually seeing, and to not just read about events in a magazine.
“What are organizations here seeing and how are they responding to it? That was a great discussion,” he said. “Going forward, we want to know how to more effectively work with our colleagues in non-IT departments to communicate what’s important and why. We need to do it in the right context of threats to the business, threats to our patients, and threats to high quality patient care. We need to discuss what organizations can do to combat those threats.”
Building a more trusted circle around threat intelligence sharing will be essential to strengthening healthcare cybersecurity programs across the country, Lehmann maintained.
“HITRUST is doing a lot to bring these programs to the community, and not just the people who can necessarily afford it and spend all the money,” he stated. “It’s really taking a community focus and educating the community as a whole.”
Specific threats affecting healthcare data security
Strong employee training programs are critical to all healthcare organizations, and entities need to show that they care about their staff members, Lehmann pointed out.
“Traditional methods of classroom based training and onboarding training have not been effective enough,” he stressed. “You’re starting to see an emergence of new methods for getting users to really learn from not only the mistakes, but being rewarded for doing the right thing.”
Organizations should also consider moving away from the academic training environment. Gamification and penalty-and-reward systems have proven to be very powerful ways of training users, Lehmann noted.
“In a healthcare environment it’s absolutely critical that those programs continue to progress and be easier and easier to use,” he said. “Hospitals and health plans are not made up of technologists and cybersecurity experts – most companies aren’t. Finding ways to more effectively reach users in a way that engages them is how those programs are going to be more successful than they currently are.”
“At the end of the day, people are the first line of defense. You need to treat them like they’re an important asset to you, instead of a liability.”
Ransomware is another key pain point for healthcare organizations currently, Lehmann noted, and the forum made sure to discuss ways to best prepare for a potential attack.
“We talked about how to foundationally prepare yourself for a ransomware attack,” he explained. “Things like segmenting your network, ensuring you’ve got good cyber hygiene, and making sure that you’re aware of the threats to your business are important. Additionally, organizations need to know the specific types of malware to be expecting, and should work toward strengthening the controls they have to recover from an event. Inevitably, those things will affect you.”
Threat intelligence and the role it plays in healthcare was probably the most discussed topic of the day though, according to Lehmann.
“It’s less about how to be compliant and more about, ‘How do I respond to things that are existential threats to the business of medicine?’” he said.
There is a lot of discussion around the best methods for increasing the fidelity of the intelligence being received. Entities need to know how to align the use of intelligence with their cybersecurity operations, and to make it actionable, reasonable, and measurable, Lehmann stated.
“The big takeaway was that if you’re not using any sort of intel today, you should be. And you should assess and make sure that where you’re consuming that intel from is the right source for your business,” he concluded. “Organizations need to make sure they use that intel at the right opportunities and when appropriate.”