HITRUST community extension program (CEP) in New York

We flew in from San Francisco for a HITRUST Community Extension Program (CEP) today in New York City. It was our third event this year, as we also attended HITRUST CEP events in Tampa and Nashville. Today’s HITRUST CEP was facilitated by ESHA IT and hosted by AdhereTech. There were about 40 people in the room and as we've seen before, there was a lot of interest in HITRUST, security frameworks, scoping, and new solutions on the market.

HITRUST New York – My Takeaways

Steve Baram (CMO, HITRUST) Here are my takeaways from the HITRUST CEP event in New York today:

• The word "journey" is often used when describing the HITRUST CSF process
• Mike Parisi's two hats at HITRUST: Assurance Strategy and Community Education
• Mike emphasized focusing on the HITRUST framework first
• HITRUST is now industry agnostic
• How are we managing third parties?
• "Our framework is designed to leverage what you've already done as an organization." (Parisi)
• Only a couple of hands went up when Mike queried the room about people using threat catalogues in their workplace.
• "What are our threats to the organization and how do we communicate that to the board?" (Parisi)
• "What's the impact to the business if we don't address the threat?" (Parisi)
• HITRUST is working with FAIR Institute to establish a threat catalogue
• Zurich Insurance recognizes HITRUST as a way to reduce cyber liability insurance premiums
• "Never lead with the framework. What we should be starting with is a risk analysis." (Parisi)
• Targeted Assessments: New feature from HITRUST
• "One of our favorite terms is Report Once, Assess Many." (Parisi)
• It's not recommended to mark "N/A" on HITRUST controls
• Enterprise Risk Management is hard
• The biggest pain point for vendors are the security questionnaires.
• HITRUST Assessors must follow certain guidelines
• HITRUST Assessment XChange: It's designed to simplify the process of sharing HITRUST CSF reports between vendors and organizations
• Provider TPRM: Not many people in the room had heard of it.
• HITRUST VC Council: To be launched soon (in about a month). About 10 VC firms are looking for ways to improve security postures of their portfolio companies. The aim is to require them to get HITRUST CSF.
• HITRUST CSF v10 now slated to be released Q3 2020.
• HITRUST is currently undergoing the process to become a GDPR-certifying body.

HITRUST Community Extension Program

The HITRUST Community Extension Program (CEP) was created to promote education and collaboration among organizations in the HITRUST ecosystem. The primary objectives of CEP events are to help organizations adopt and leverage various HITRUST programs and resources. These town hall events are held across the country, coordinated by HITRUST, and hosted by organizations within the community. HITRUST CSF Assessors normally facilitate the program.

Manish Desai (BNY Mellon) shared his table with us during lunch break