HITRUST 2017 Conference Highlights


The HITRUST 2017 annual conference is over but healthcare’s info security threats continue with heightened resolve after the recent “WannaCry” ransomware cyber attack.

Our team was onsite, and Mark Ferrari, our VP and CISO, presented with our client, Beebe Healthcare, in the session “Managing Medical Device Risk with HITRUST CSF.”

Here, we’ll highlight three key takeaways from the conference: 

  1. From Mark’s session: next steps you can take to better manage medical device risk
  2. News from the HITRUST Alliance
  3. A major theme we saw throughout the conference, and what it means to you

Managing Medical Device Risk

Gartner predicts that, by 2020, 25 percent of all enterprise breaches will involve IoT, including medical devices. And because medical device manufacturers haven't focused much on security, this mounting challenge lands on healthcare organizations and their biomedical engineering and IT departments.

Mark and Mike Maksymow, CIO at Beebe Healthcare, discussed the rising need for healthcare organizations to protect themselves. One of the best takeaways from the session was a Next Steps list of actions that you can start on today.

Here are eight ways that you can improve your IoMT security posture:

  1. Know what you have. Create a complete and up-to-date inventory of your medical devices.
  2. CRITICAL: Shift your reporting structure to ensure that your biomedical department reports to IT.
  3. Start including your BioMed devices and systems in your IT Security Risk Assessment.
  4. Perform a risk assessment of your current BioMed environment and inventory.
  5. After the assessment, develop action plans and prioritize activities based on the risk impact to your medical device inventory.
  6. Establish a multi-disciplinary committee to actively remediate security issues.
  7. Develop security standards and policies, with supportive education, to raise appropriate governance and awareness around medical device risks, as well as what requirements to include in your RFPs.
  8. Lastly, become more involved in the IoMT community via InfoShare, the Med Dev task force and others.

If you would like to receive the slides from our presentation or have questions around assessing your medical device risk, contact pamela.hayduk@blueprinthit.com.

HITRUST Alliance News

HITRUST Common Security Framework Updates

MyCSF 2.0 Updates

HITRUST will be rebuilding the MyCSF interface from the ground up.

  • MyCSF 2.0 is planned to launch by the end of 2017 or the beginning of 2018, with general access by the end of March 2018.
  • Their goals for the new portal include:
    • A cleaner and easier-to-use interface
    • Streamlined assessment navigation
    • Added functionality
    • Better dashboards
    • iPad and iPhone support
    • Certification verification

Major Conference Theme – Scoping

Each member of our team attended different sessions, and we caught up periodically to weigh in on what we were hearing from the presentations, as well as from the audiences. One theme that persisted throughout the conference was the importance of a well-executed scoping exercise when embarking on your HITRUST certification process.

In fact, in our monthly HITRUST Certification Essentials webinar, properly scoping your assessment is the top challenge we highlight in the Q&A portion.

Making sure you have the right guidance on how to scope your organization against the HITRUST CSF is a critical part of any HITRUST Certification initiative. In collaboration with our clients, we define the appropriate “boundary” within the MyCSF administrative factors and details questionnaire to limit scope to the desired business units and supporting technologies of your organization. This questionnaire is a crucial part of the process because it directly determines the number of controls that apply to your particular organization.

What was surprising to learn was how our HITRUST certification and consulting services differ from those of other assessors. We learned that we do two things that others do not: BluePrint Healthcare IT provides a total fixed-fee pricing model based on a series of scoping questions, and we work side-by-side with you to complete your scoping assessment together. It’s these seemingly small but important differences that help our clients take on HITRUST and manage the process successfully.

If you would like to learn more about our distinct approach to HITRUST certification and our Partner Promise, contact pamela.hayduk@blueprinthit.com.