
HITRUST community extension program (CEP) in Philadelphia


We woke up early this morning in New York's East Village and made our way to Penn Station to take an Amtrak train down to Philadelphia. For the second day in a row, we attended a HITRUST Community Extension Program (CEP). It was our fourth event this year, as we've also attended HITRUST CEP events in Tampa, Nashville, and New York. Today’s HITRUST CEP was facilitated by Intraprise Health and hosted by Microsoft. There were about 45 people packed in the room and as we've seen before, there was a lot of interest in HITRUST, security frameworks, scoping, and new solutions on the market.

HITRUST Philadelphia – My Takeaways


Here are my takeaways from the HITRUST CEP event in Philadelphia today:

  • "Remember: Assess once, report many." (Mike Parisi)
  • NIST and ISO are two of the most common frameworks organizations leverage
  • HITRUST is based on ISO
  • "Stop the madness. Stop the [security] questionnaires." #killthequestionnaire (Parisi)
  • HITRUST CSF v10 will allow Targeted Assessment Reports against any Control Segment (e.g. HIPAA, GDPR, PCI)
  • A majority of HIPAA breaches that occur are linked to a third party
  • "Everyone has got their own security questionnaire they want to use." (Parisi)
  • "There are no scenarios where performing 15, 50 or 250 or more unique assessments makes sense for a vendor to communicate their information privacy and security posture (relating to the same scope of services)"
  • What takes Assurance to the next level is an independent review
  • The HITRUST Assurance Program: Reliability is at the center of everything
  • "All [HITRUST] Assessors are equal relative to the quality standards they must meet." (Parisi)
  • There are about 90 HITRUST CSF Assessors now
  • Mike asked me to share my thoughts and experiences with the HITRUST RightStart program
  • HITRUST does not allow carve outs
  • Regarding HITRUST CSF assessments: "There is a difference between submitted and accepted." (Parisi)
  • Meaningful progress must be made on all Corrective Action Plans (CAPs) during the 12-month interim assessment

 

Intraprise Health

Ryan Patrick, Senior Vice President, Security, Intraprise Health

After lunch, Ryan Patrick from Intraprise Health gave a detailed overview of the HITRUST CSF. Here are my takeaways from his impressive presentation:

  • "HITRUST is a significant emotional event." (Ryan Patrick)
  • "Scoping is the single most significant part of the HITRUST journey." (Patrick)
  • Intraprise makes scoping a significant exercise with their clients
  • HITRUST certifies scopes and implemented systems
  • HITRUST will not certify anything that is not implemented
  • There are five maturity levels for each HITRUST control
  • There are 19 domains to cover for HITRUST CSF
  • "The old army adage is, 'you don't want to be trading business cards at the disaster site.'" (Patrick)
  • Intraprise has an internal "N/A Review Board" (wise strategy)
  • "HITRUST certification is an exercise in patience." (Patrick)
  • Every organization pursuing HITRUST will almost certainly have CAPs (Corrective Action Plans) after they submit their assessment
  • "We make scoping a very deliberate action." (Patrick)
  • "Our goal is to be there every step of the way." (Patrick)

 

Professional Data Solutions (PDS)

Marianne LeMalefant, VP, Business Solutions, Professional Data Solutions

Marianne LeMalefant from Professional Data Solutions then presented to the room about her company's HITRUST journey. Her thoughtful presentation afforded the room an authentic view of her company's security posture and culture before & after having HITRUST CSF.

 

HITRUST Community Extension Program


The HITRUST Community Extension Program (CEP) was created to promote education and collaboration among organizations in the HITRUST ecosystem. The primary objectives of CEP events are to help organizations adopt and leverage various HITRUST programs and resources. These town hall events are held across the country, coordinated by HITRUST, and hosted by organizations within the community. HITRUST CSF Assessors normally facilitate the program.

 
