Symposium Helps CISOs Establish, Implement and Mature Cyber Programs


7.5.17
By Bob Chaput, CEO, Clearwater Compliance

Traditional approaches to patient safety and healthcare information security need to evolve to address today’s emerging direct threats to patients. The current risk environment for hospitals and health systems is changing quickly and includes a wide spectrum of threats — ranging from traditional intrusions designed to steal protected health information (PHI) to more novel attacks, such as tampering with biomedical devices or blocking access to essential records systems. The changing threat environment blurs the lines between information security and patient safety and requires each discipline to expand its scope. Organizations can realize six essential benefits with the implementation of a matured cybersecurity approach — including market differentiation, continuous process improvement to achieve a mature information risk management program, legal and regulatory compliance, better cloud security management, proactive cybersecurity management and program defensibility.

Information security has become an essential component of patient safety. Concurrently, the information needed to provide care resides in more places than ever before, including electronic health records; the smartphones, tablets and laptops carried by physicians and other caregivers; intelligent medical devices such as smart pumps, monitors and implants; patient portals; and mobile health apps, not to mention provider partners, business associates and other members of the patient care ecosystem. Safe, quality care depends on timely access to this information. Therefore, any threats to the confidentiality, integrity or availability of information represent threats to patient safety.

Hospital and health system CISOs must collaborate with peers to integrate their cyber or information risk management (IRM) strategy into their organization’s overall electronic medical record/governance, risk, and compliance strategy. Both must become part of day-to-day operations and address the requirement to respond to inevitable cyber incidents and restore normal operations. When hospital leaders adopt an integrated IRM/ERM strategy, there can be greater returns for the organization in terms of expanded knowledge, informed decision making and reduced cyber risk. But when they choose to ignore the strategic importance of IRM, the resulting complaints, breaches, failed audits or cyberattacks can erode the confidence of their patients and staff, limiting the organization’s ability to grow.

Offered by Clearwater Compliance for AEHIS members, the AEHIS CISO 2017 Virtual Cybersecurity Symposium addresses the need for a relevant, adaptable framework for establishing tactical processes that counter today’s continuously evolving threats to hospitals and health systems. It focuses on how to build a sound justification for security investments, grounded in a solid business risk analysis and delivered in a return-on-investment context that both executive management and the board of directors will understand.

At the five-session program, participants will be encouraged to look at the healthcare organization’s expanded ecosystem, which demands greater attention if optimal decisions are to be made, and to address the critical capabilities for establishing, implementing and maturing their IRM program: Governance, People, Process, Technology and Engagement.

Coupled with adoption of the National Institute of Standards and Technology (NIST) IRM approach, organizations will be able to develop the comprehensive outlook that the fast-evolving threat environment requires and prevent gaps from emerging between efforts to protect patient safety and efforts to protect information. The NIST IRM approach provides a standardized methodology that is highly appropriate and adaptable for healthcare organizations.

  1. NIST Cybersecurity Framework (the WHAT) – Presents a way for organizations to combine current standards, guidelines and best practices to reduce cybersecurity risk.
  2. NIST IRM Process (the HOW) – The NIST Information Risk Management Process (NIST SP 800-39) provides detailed steps for framing, assessing, responding to and monitoring risks. The steps are organized into responsibilities for different levels and roles within an organization.
  3. Maturity Model (the CPI/Deming mindset) – The approach encourages adoption of a maturity model to ensure proper implementation and ongoing use, but allows organizations to use the maturity model of their choice.

CISOs will learn how to establish, implement and mature a solid holistic cyber risk management program driven from the top down and staffed with a cross-functional team from IT, risk management, finance, legal, compliance, operations and quality.

The AEHIS CISO 2017 Virtual Cybersecurity Symposium comprises several different learning modalities:

  • Recorded On-Demand – HIPAA 101 Webinar – 90-minute session
  • July 6, 13, 20, 27 and August 3, 2017 – Five 105-minute live, virtual sessions comprising ten (10) modules, delivered over five weeks (GoToWebinar™ platform)
  • August 16, 2017 – One 60-minute (optional) post-AEHIS CISO 2017 Virtual Cybersecurity Symposium™ session, to discuss any follow-up questions or concerns (GoToWebinar™ platform)

Attendees will be requested and expected to:

  • Engage in live polls conducted in each session
  • Post questions and comments for Symposium™ Faculty to address

Register for the AEHIS CISO 2017 Virtual Cybersecurity Symposium here.


Published in AEHIS News Volume 1, No. 1.