I attended the national HIMSS 2018 conference in Las Vegas a few weeks ago. 43,000+ roaming loose in Vegas, primarily in a few hotels and the Sands Expo Center. It was mayhem. I attended the Cyber Security Symposium all day Monday. Six sessions focused on cyber security and best practices. I then attended the keynote speech by Eric Schmidt, the CEO of Alphabet, the parent company of Google. Tuesday was primarily more sessions and a few minutes out in the expo “acres” wandering around trying to get my bearings and locate a few people and vendors. Wednesday and Thursday were spent seeking partners that we thought might offer beneficial products and services to our customers. I’ll try to summarize each “section” of the event I experienced, hopefully offering some insight and benefit to you and your organization.
Cyber Security Symposium
First, all of the speakers and presentations were excellent. HIMSS does a great job finding top notch speakers on relevant topics.
The cyber symposium confirmed our approach here at Third Rock is on track with NIST, GDPR, OCR, and large healthcare CIO/CISOs approach.
High Points / Lessons Learned made throughout the various presentations.
- It’s about Cyber Risk – Managing it and Correcting Issues
- Cybersecurity requires a Holistic Approach – People, Process, Technology (BINGO, I think I’ve heard someone/company preaching this.)
- Perform a Third Party Assessment that includes a cyber security assessment
- Backups that will restore and not be corrupted/infected/hijacked.
- Data Inventory – Data Flow – DO IT, NOW!!!
- Shadow data is a problem – keep on top of it. (Data the IT dept doesn’t really know about.)
- Equipment inventory – there are more computers on your network than you think – HONEST
- Policies & Procedures are necessary and they need to be USED and operational, law firms don’t do this well.
- Security Play Books – Scripted Scenarios for responding to issues – know what to do before it happens
- Like Disaster Recovery Runbooks, but for Breach Response.
- The NIST CSF is the standard – USE it as the basis, reference. HITRUST CSF complicates it, why bother.
- CSFs are high level guides, you need step-by-step policies and procedures that become standard operating procedures.
- COMMUNICATE with Executives, Management, ALL departments. Do NOT ASSUME they know. They DON’T.
- Provide daily status, simple color charts
- Enable, don’t inhibit.
- Reduce friction. Implement Policies and Procedures as beneficial Standard Operating Procedures.
- Use compliance as a gap analysis (assessment) tool and score card.
- AUDIT YOUR Business Associates – NOW.
- Every organization needs a privacy and security leader.
- If you declare an issue in your risk register (Issues) the OCR will not FINE you.
- Almost ALL OCR settlements cited Risk Assessment as a critical lapse of compliance!
- Trying to hide you’re mismanagement and lack of cyber security, which is non-compliance, will COST you in fines.
- Risk Management is how to achieve improved cyber security.
- Use Compliance standard (HIPAA, GDPR, NIST 800-171) as the gap analysis and benchmark / scorecard.
Eric Schmidt included a few interesting points in his typical chairman of the board or CEO inspiring talk about what’s to come.
- MOVE to the CLOUD now! (Whether it’s google’s, AWS, or a vendor, do it.) It will save you time, money and improve performance, security and compliance.
- Embrace new technology, it will allow you to catch-up with the other industries and transform healthcare. Stop using the fax machine, it’s DEAD. Harness the power of IT for the benefit of the patient.
- It was implied that based on history, innovation will come from outside the Healthcare technology giants. It will take consumer focused technology companies to bring real change to healthcare.
What the OCR had to say about HIPAA Compliance Issues and Continued Fines
- Lack of Security Risk Analysis
- Lack of Business Associates agreement and auditing of BAs.
- Lack of Risk Management Plan to Manage Identified Risks, e.g. Encryption
- If you don’t have a risk register in prioritized order, your assessment isn’t worth much.
- Lack of Transmission Security
- Lack of Appropriate Auditing
- Lack of Patching of Software
- Insider Threats
- Improper Disposal of equipment and media
- Insufficient Data Backup (inability to restore)
- Lack of Contingency Planning (and emergency response planning)
- CMS will start auditing for Disaster Recovering and Emergency Response Plans in May 2018.
- Make sure you prioritize the systems based on CIA importance in your DR plan.
Hope some of this info was helpful.
Sign up for our newsletter to see all of the new services and Trusted Alliance Partners Third Rock will be announcing over the next few months.