EVENT AGENDA - HITRUST...• Preparing for HITRUST CSF implementation to address NIST, PCI, HIPAA,...

EVENT AGENDA The Gaylord Texan, Grapevine, TX


Monday, May 20, 2019 | Pre-Conference Workshops

9:00 AM - 10:30 AM | Texas 1-2
Speakers: Matt Datel, HITRUST (Moderator), Ken Vander Wal, HITRUST, Nancy Spizzo, LBMC, Drew Hendrickson, LBMC

HITRUST Assessment Workshop

Whether you are new to the HITRUST Assessment process or just looking to learn the latest best practices from some HITRUST veterans, attend this session to learn everything about the HITRUST Assessment process. This session will walk attendees through the recommended path to achieving HITRUST CSF Certification, including information on:
• What to expect with your first assessment
• What NOT to do: Choosing a Self-Assessment or a Validated Assessment
• Using the HITRUST MyCSF® Tool – What is it? How do I maximize its value?
• How to find an Assessor

9:00 AM - 10:30 AM | Texas 3
Speakers: Dr. Bryan Cline, HITRUST, Jason Taule, HITRUST

How to Effectively Conduct a Risk Assessment

Improve your approach to risk assessments. Learn best practices from industry leaders on how to perform a security risk assessment in the most efficient and practical manner using the HITRUST CSF®.

10:30 AM - 11:30 AM | Texas 1-2
Speakers: Michael Frederick, HITRUST, Eric Moriak, HITRUST, Jeremy Huval, HITRUST

Scoping Exercise

Proper scoping is critical to a successful HITRUST Assessment. The scope needs to be correct in order to achieve certification and maximize the value of the assessment results. Learn firsthand from HITRUST how to properly scope an environment using the HITRUST MyCSF, including information on:
• What information determines the scope?
• What regulatory factors need to be selected?
• What CAN be HITRUST certified, and what CAN’T?
• How long does the scoping process take?
• Can I change the scope of my assessment?

10:30 - 11:30 AM | Texas 3
Speakers: Michael Parisi, HITRUST (Moderator), Dr. Bryan Cline, HITRUST, Sean Miller, HITRUST

Understanding the Relationship Between Threats and Controls – A Look Into the HITRUST Threat Catalogue

The HITRUST Threat Catalogue is designed to aid organizations in improving their information security posture by better aligning cyber threats with HITRUST CSF control requirements. Learn about the revisions HITRUST is making to the initial public release and join us in a discussion of how organizations can leverage the threat mappings to help identify critical areas of concern and provide better protection of sensitive data.

11:30 - 12:30 PM - LUNCH

12:30 - 2:00 PM | Texas 4
Speakers: Dr. Bryan Cline, HITRUST, Jason Taule, HITRUST

Implementation of the NIST Cybersecurity Framework with the HITRUST Approach

The question is not, “NIST or HITRUST?” but rather, “How do we incorporate NIST and HITRUST?” Attend this session to learn how to simplify the implementation of NIST through HITRUST assessments. Experts will provide guidance on the value of the NIST Framework as well as its limitations. Attendees will learn how to maximize the value of their next HITRUST CSF Assessment through the incorporation of NIST controls, the generation of a NIST Cybersecurity Scorecard, and a HITRUST Certification to use as proof of compliance with NIST.

2:00 PM - 4:00 PM | Texas 4
Speakers: James Nutkis, HITRUST, Michael Frederick, HITRUST, Dennis Palmer, HITRUST, Wade Hansford, HITRUST

MyCSF User Group

Open to current users and interested customers. Topics covered will be:
• Introduction to MyCSF 2.0
• MyCSF Analytics
• Using the MyCSF API
• MyCSF & your GRC - how they work together
• MyCSF Roadmap


HEALTHCARE

DAY 1: Tuesday, May 21, 2019

7:00 AM BREAKFAST | PRE-FUNCTION AREA

7:15 AM SPONSOR SHOWCASE | PRE-FUNCTION AREA

8:00 AM - 8:15 AM | Grapevine A/B
Speakers: Michael Parisi, HITRUST

Conference Opening Remarks

8:20 AM - 9:10 AM | Grapevine A/B
Speakers: Michael Parisi, HITRUST (Moderator), Joel Seymour, Premera, Doug Hildebrandt, Mayo Clinic, Chip Council, Shriners Hospitals for Children

Adopting HITRUST as the Backbone of Your Information Security Program

HITRUST provides more than just a means for assessment and certification. The CSF is designed to be adopted at the organizational level so that safeguarding sensitive information is embedded within an organization’s culture and strategy. When adopted properly, the CSF provides organizations with the means to be forward-thinking in terms of risk management and compliance efforts. Learn from this panel of leading experts how adoption of the HITRUST framework can be made to improve an organization’s information security program.

9:15 AM - 10:05 AM | Grapevine A/B
Speakers: Anne Kimbol, HITRUST (Moderator), Iliana Peters, Polsinelli, Caroline Budde, Baxter International

A Day in the Life of a Chief Privacy Officer

Panelists will discuss the issues facing privacy offices currently and how they have dealt with the numerous changes in compliance requirements over the last year. Panelists will also discuss the importance of collaboration between privacy and security officers and what obstacles they see coming over the next year.

10:10 - 11:00 AM | Grapevine A/B
Speakers: Michael Parisi, HITRUST (Moderator), Robert Booker, UHG, Omar Khawaja, Highmark, Dustin Wilcox, Anthem, Roy Mellinger, Sabre, Jon Moore, Humana

Evolving Role of the Chief Information Security Officer

Technology and the way we conduct business are constantly evolving. The introduction of new technology also brings along new risks and third-party relationships. As such, the role of the CISO is constantly evolving and has an impact on all facets of an organization. This panel of experts will discuss their roles as and their interactions with senior company executives, boards and business partners to provide insight on the challenges of today that come about from new technologies and risks and how their businesses have adapted.

11:10 - 11:55 AM | Grapevine A/B
Speakers: Michael Parisi, HITRUST (Moderator), John Houston, UPMC, Taylor Lehmann, Wellforce, Jim Purvis, URMC, Omar Khawaja, Highmark

Establishing a Consistent Method for Managing Third-Party Risk

There are no instances where executing hundreds of individual proprietary information security and privacy questionnaires and assessments makes sense in any ecosystem where a common set of standards that satisfy all stakeholders is available. Hear some of the leading hospital systems in the world tell their story of coming together as an independent council of organizations to solve the problem of inconsistent and ineffective third-party risk management.

12:00 - 1:00 PM - LUNCH + SPONSOR SHOWCASE | LONGHORN A

1:00 - 1:45 PM TRACKS:

Grapevine A
Speakers: Hector Rodriguez, Oracle

The Modern Healthcare Value Chain is a Care-centric Supply Chain

Healthcare organizations must leverage modern hybrid-cloud technology, cybersecurity and identity, and data to truly optimize healthcare outcomes and address the Triple/Quadruple Aim objectives. In this session, we’ll explore the need to deconstruct and reconstruct the traditional healthcare value chain into a data and process driven supply chain that is designed to provide real-time insights, intelligence, and decision support across operational and clinical systems.


ASSESSMENT BEST PRACTICES

Grapevine B
Speakers: Ken Vander Wal, HITRUST, Jeremy Huval, HITRUST, Brad Barrett, Grant Thornton

SOC2 and HITRUST - The Best of Both Worlds

HITRUST has worked with the American Institute of CPAs (AICPA) to develop and publish guidance to streamline and simplify the process of leveraging the HITRUST CSF and CSF Assurance programs for SOC 2 reporting. Learn how the HITRUST CSF can be embedded into a SOC 2 report and how this report is different from the standard HITRUST Validated Assessment.

HEALTHCARE

Grapevine A
Speakers: Jerry Beasley, Trace Security, Blake Sutherland, Trend Micro, John Riggi, AHA

Practical Cybersecurity for Medical Devices

One of the greatest Doctor/Patient concerns today is the accuracy and adequacy of provided care; care that can be greatly affected by the integrity and availability of medical devices. Medical devices today are as widespread as nurses and provide a litany of critical care to today’s patient. Join us for a frank discussion on cybersecurity and its application to the world of medical devices.

PRIVACY

Fort Worth 5-7
Speakers: Anne Kimbol, HITRUST, Dr. Bryan Cline, HITRUST, Sarah Lyons, Privacy Analytics

De-Identification: Its Value to Businesses and How to Do it Right

De-identification or anonymization of data is becoming increasingly important with the growth of both big data and privacy laws. De-identifying data properly considers the risk of disclosure, the risk to the individual, and the data needed to meet the purposes of the study. Sarah Lyons, a de-identification expert, will discuss the HITRUST De-Identification Framework as well as current and upcoming issues in the de-identification field.

DAY 1 Continued: Tuesday, May 21, 2019

1:00 - 1:45 PM TRACKS CONTINUED:

1:45 - 2:00 PM SPONSOR SHOWCASE

2:00 - 2:45 PM TRACKS:

PRIVACY

Fort Worth 5-7
Speakers: Anne Kimbol, HITRUST, Dr. Bryan Cline, HITRUST, Christie Hall, NYS DOH, Karen Romano, HealtheConnections, Melissa Regan, Intraprise Health

Lessons Learned from HITRUST CSF Certification of the Statewide Health Information Network for New York (SHIN-NY)

Hear how the New York State Department of Health leveraged the HITRUST Approach to certify the security and privacy protection programs of its Health Information Exchanges, what lessons were learned in the process, and what is yet to come.


CROSS-INDUSTRY ADOPTION

Fort Worth 5-7
Speakers: Roy Mellinger, Sabre

Information Risk in Travel and Hospitality

The travel and leisure industry is no stranger when it comes to the need for strong security and privacy posture and defending against significant data breaches. Hear from the CISO of one of the most intertwined companies across this industry talk about his perspective on where the industry is today relative to security and privacy threats. Also, hear how the industry is looking to leaders from other industries to adopt leading practices around security and privacy assessments and third-party risk management.

Grapevine B
Speakers: Ali Papbrai, ecfirst

HITRUST CSF = A “Kaizen” Standard for Cyber Defense

Attendees will learn about:
• Why HITRUST CSF is a “kaizen” cybersecurity standard
• Preparing for HITRUST CSF implementation to address NIST, PCI, HIPAA, ISO, GDPR, 23 NYCRR 500 & others
• Ensuring cybersecurity supply chain challenges are addressed with HITRUST CSF as the foundation

CYBERSECURITY

THIRD-PARTY ASSURANCE

Grapevine A
Speakers: Michael Parisi, HITRUST, Spencer Langston, HITRUST, Justin Bovee, Johnson & Johnson, Melissa Bendana, BlueShield of CA, Brenda Callaway, HCSC

Streamlining Your Third-Party Risk Management Program

Third-party risk management is a resource-intensive process for any organization. Most organizations cannot perform adequate assessments against their entire third-party population due to limited resources and a significant volume of third parties. Hear from leading organizations on how they are leveraging third-party assurance reporting, the electronic exchanges of assessment data and service partners to help them more effectively and efficiently address third-party risk management.

DAY 1 Continued: Tuesday, May 21, 2019

3:30 - 4:15 PM TRACKS:

ASSESSMENT BEST PRACTICES

Grapevine B
Speakers: Eric Moriak, HITRUST, Michael Frederick, HITRUST

Sampling & Scoring

This session is designed to communicate HITRUST’s scoring methodology during the assessment process. It will also focus on expected sampling methodology for requirement statement testing. Topics will include:
• Sampling
  - What should be sampled?
  - How do you document and present the results?
  - Sampling methodologies accepted by HITRUST
• Scoring
  - HITRUST Maturity Levels
  - Supporting evidence needed
  - Concepts for Measured & Managed
  - Using the Scoring Rubric

2:45 - 3:30 PM SPONSOR SHOWCASE

2:00 - 2:45 PM TRACKS CONTINUED:


CYBERSECURITY

Grapevine B
Speakers: Travis Kaun, Wipfli

Dark and Stormy - Attacking Cloud Computing

Federation, Buckets, Containers, EC2 ... the list of acronyms goes on. Technical infrastructures have grown beyond the walls of your company and data likely resides in the ‘cloud’ in some fashion. Come learn how to identify security risks of your cloud-based digital footprint and understand attacker methodologies for abusing these services.

CROSS-INDUSTRY ADOPTION

Fort Worth 5-7
Speakers: Jay Trinckes, NCC Group (Moderator), Joe Meyer, NCC Group, Shane Lewis, Semafone

HITRUST CSF Beyond Just Healthcare

Attendees will learn:
• Why the HITRUST CSF benefits companies outside of healthcare and why it is attractive to many different industries?
• Some challenges and opportunities within other industry market space and how HITRUST assists in these efforts.
• Competitive advantages of utilizing HIT

THIRD-PARTY ASSURANCE

Grapevine A
Speakers: Alison Prosser, UHG, Jeff Caldwell, UHG, Catherine D. Gross, UHG

Operating an Effective and Scalable Supplier Risk Management Program

Attendees will learn:
• Consistency and Scalability are key – leveraging stratification to effectively use resources to appropriately focus time and efforts
• How the 3P Risk Audit can make your program more efficient
• Identification of vendor risk owners – why finding the right person matters
• Assessment of risk and management of risk – two essential pieces of a complete program
• Why documentation matters – system and tools play a key role in success

4:30 - 5:15 PM TRACKS:

DAY 1 Continued: Tuesday, May 21, 2019

6:30 PM - 11:00 PM | Grapevine A/B Casino Night


COMPLIANCE

Grapevine A
Speakers: Chip Council, Shriners Hospital for Children, Bipin Paracha, INRY, Michael Siegrist, ServiceNow

Streamlining Your HITRUST Compliance with ServiceNow

DAY 2: Wednesday, May 22, 2019

7:30 AM BREAKFAST | PRE-FUNCTION AREA

8:00 AM SPONSOR SHOWCASE | PRE-FUNCTION AREA

7:45 AM - 8:15 AM | Fort Worth 3
Speakers: Dr. Earl J. Motzer, Healthcare and Public Health Sector Coordinating Council Chair

Breakfast Roundtable with the Chairman of the Healthcare and Public Health Sector Coordinating Council on Black Sky and All Hazards Preparation

8:30 AM - 9:20 AM | Grapevine A/B
Speakers: Bob Kolasky, DHS

Cross-Sector Risk Management Evolution

9:25 AM - 10:15 AM | Grapevine A/B
Speakers: Andrew Hicks, Coalfire (Moderator), Matt Sharp, Logicworks, Brenda Callaway, HCSC, Joel Seymour, Premera, Lee Penn, PDHI

Maximizing ROI with HITRUST

10:20 AM - 11:10 AM | Grapevine A/B
Speakers: Michael Parisi, HITRUST (Moderator), Fred Bret-Mounet, Syapse Inc., Hoala Greevy, Paubox, Ben Waugh, Redox

Navigating HITRUST for the First Time in a Startup World

Anything that takes away from a focused go-to-market strategy for a start-up organization can be very disruptive to their ability to deliver promises made to the market place and investors. Hear from startup organizations that recognized the need to embed strong security and privacy posture into the foundation of their organizations and leverage that to quickly expand in the market place and provide investors additional comfort. These organizations will tell the story of their HITRUST journeys.

11:15 - 11:55 AM | Grapevine A/B
Speakers: Kenneth Yood, Sheppard Mullin

Third Party Assurance - A Legal Perspective

12:00 - 1:00 PM - LUNCH + SPONSOR SHOWCASE | LONGHORN A

1:00 - 1:45 PM TRACKS:


COMPLIANCE

Grapevine A
Speakers: Travis Good, Datica, Doug Hildebrandt, Mayo Clinic

Leveraging HITRUST Programs for NIST Assurance

In this session hear how organizations leverage HITRUST programs to gain comfort over the successful implementation of NIST standards. You will hear from both organizations using HITRUST programs and the CSF to increase comfort internally as to whether they have successfully satisfied the requirements of NIST. You will also hear from organizations that have used HITRUST assessments from their third parties to gain comfort over their third parties successfully implementing and addressing relevant NIST standards.

CLOUD / EMERGING TECHNOLOGIES

Fort Worth 5-7
Speakers: Mike Annand, Armor (Moderator), Kurt Hagerman, Coalfire, Blaise Wabo, A-LIGN, Becky Swain, HITRUST

Shared Responsibility - Understanding How to Share Control Responsibility in the Cloud

Last year, HITRUST started the Shared Responsibility Program to address the misunderstandings, risks, inefficiencies and complexities when utilizing Cloud Service Providers. A focus of the Shared Responsibility Working Group is to remove the ambiguity and confusion associated with defining the roles and responsibilities between a customer and their CSP as far as shared security controls are concerned and to streamline the assurance process by automated control inheritance and review. Join us for this panel discussion featuring the HITRUST Team and Working Group members to learn about the program and how it can assist your organization.

RISK MANAGEMENT

CLOUD / EMERGING TECHNOLOGIES

Fort Worth 5-7
Speakers: Gerry Miller, Cloudticity

Automating HITRUST Compliance in the Cloud

Attendees will learn:
• How to leverage cloud automation to address CSF controls.
• Discover specific cloud techniques to automate many aspects of governance and compliance management.
• See how automation drives faster and more effective risk discovery and mitigation.
• How to map cloud governance to CSF controls.

DAY 2 Continued: Wednesday, May 22, 2019

1:00 - 1:45 PM TRACKS CONTINUED:

2:00 - 2:45 PM TRACKS:

Grapevine B
Speakers: Scott Mattila, HMHS, Britany Loss, HMHS

Making Cents ($) of Maturity: Building Resistive Strength

Cybersecurity is an ever-evolving industry. This presentation addresses the cost benefits of taking a risk-based approach to maturity of cyber controls. Enhancing control maturity decreases the cost spent directly or indirectly on risk management. Topics include: Maturity, FAIR, HITRUST.


ASSESSMENT BEST PRACTICES

Grapevine A
Speakers: Michael Frederick, HITRUST, Eric Moriak, HITRUST

Changes to the Assurance Program and What They Mean for You

Recent HITRUST Assurance Advisories were announced that spoke to changes within the Assurance Program. Join this session to learn what these changes mean for your organization. Topics will include:
• Changes announced in the recent HITRUST Advisories
• New required documents and evidence
• Certified HITRUST Quality Professional (CHQP) Course
• Engagement Executive and QA Reviewer Roles and Expectations
• The Assessor QA Checklist

CLOUD / EMERGING TECHNOLOGIES

Fort Worth 5-7
Speakers: Jeff Pochily, KirkpatrickPrice, Shannon Lane, KirkpatrickPrice

True or False: Is Everything in the Cloud?

Having to undergo an onsite assessment for a cloud environment sounds like an oxymoron, right? Many organizations tell their auditor that because they are a cloud-based organization, they do not want or need an onsite assessment. A new, dangerous trend that we’ve seen is auditors complying with that request. Audit firms advertise that they can effectively conduct an audit 100% remotely. This disregards physical controls that are in place to safeguard sensitive data and the frameworks that require testing of physical controls. Not everything is in the cloud, and it’s irresponsible to claim that everything is in the cloud. Offices, employees, weather patterns, heating and cooling systems, power regulation, device management, physical security controls — these things don’t exist in the cloud. Physical security and onsite assessments must be a major component of cloud security and the shared responsibility model. As more organizations migrate massive amounts of data to the cloud, it drives both cloud service providers and customers to consider how the cloud will change their privacy, security, and compliance efforts. Lack of security in the cloud can be detrimental to both providers and customers. In this session, Shannon Lane will educate the audience through lessons learned from recent breaches, his own experiences as an information security auditor, and best practices for cloud security.

RISK MANAGEMENT

Grapevine B
Speakers: Anders Norremo, ThirdPartyTrust

Beyond Controls - How to Get the Most From Your Peers and Data Intelligence to Secure the Enterprise Digital Supply Chain

Today, healthcare companies are engaging with more and more vendors, ultimately sharing more and more data, and attackers know this. They are creating more sophisticated attacks targeting industry companies directly in your supply chain and even some outside of your purview. In order for the healthcare community to keep up, we need a smarter approach. The biggest problem that we are uncovering right now is that it’s an “every organization for themselves” approach to solving the problem. There is little to no information sharing or collaboration with your peers. We are also seeing new innovative data sources providing valuable but hard to correlate patterns. We can all agree, we are in this to improve the security posture of our business partners and vendors, so we may better protect our own organizations. Often attacks can surface from exploits at any time and time becomes precious when our servers are breached or information exfiltrated. In this session we will cover the strategies and next generation thinking it will take to help our business partners remediate their security gaps faster, ultimately reducing exposure time and susceptible attack vectors.

2:45 - 3:30 PM SPONSOR SHOWCASE

DAY 2 Continued: Wednesday, May 22, 2019

2:00 - 2:45 PM TRACKS CONTINUED:

3:30 - 4:15 PM TRACKS:


CLOUD / EMERGING TECHNOLOGIES

Fort Worth 5-7
Speakers: Scotty Perkins, Quisitive, David Houlding, Microsoft

Enterprise Blockchain With Security and Compliance

This session will describe how enterprise implementations of blockchain technology in the cloud can help organizations better protect information and better prove compliance and maintenance of proper controls over time.

RISK MANAGEMENT

Grapevine B
Speakers: Jaclyn Detloff, Crowe LLP, Robert Vittitow, Crowe LLP, Chris Barnes, Equian

You’re HITRUST Certified! Now What?

During this session, attendees will gain an understanding of:
• Corrective action plan management strategies
• Components of an effective continuous monitoring program
• The interim assessment process
• Considerations for CSF framework updates

ASSESSMENT BEST PRACTICES

Grapevine A
Speakers: Ken Vander Wal, HITRUST, Eric Moriak, HITRUST, Jeremy Huval, HITRUST

Q&A with QA - Ask the HITRUST Team

Join us for this panel discussion featuring the HITRUST QA Team to get all of your questions answered regarding the HITRUST Assessment and QA Process.

RISK MANAGEMENT

Grapevine B
Speakers: Dr. Bryan Cline, HITRUST

Understanding the Relationship Between Threats and Controls - A Look Into the HITRUST Threat Catalogue

The HITRUST Threat Catalogue is designed to aid organizations in improving their information security posture by better aligning cyber threats with HITRUST CSF control requirements. Learn about the revisions HITRUST is making to the initial public release and join us in a discussion of how organizations can leverage the threat mappings to help identify critical areas of concern and provide better protection of sensitive data.

DAY 2 Continued: Wednesday, May 22, 2019

3:30 - 4:15 PM TRACKS CONTINUED:

5:15 PM - 6:30 PM

Sponsor Showcase Cocktail Hour

4:30 - 5:15 PM TRACKS:


DAY 3: Thursday, May 23, 2019

7:00 AM BREAKFAST | PRE-FUNCTION AREA

7:30 AM SPONSOR SHOWCASE | PRE-FUNCTION AREA

7:00 AM - 8:00 AM | Special Breakfast Event | Pecos 1
Speakers: Anne Kimbol, HITRUST, Cathlynn Nigh, Beyond LLC, Pamela Arora, Children’s Health, Nancy Spizzo, LBMC, Ellison Anne Williams, Enveil

Women in HITRUST, Information Security, and Data Privacy Breakfast

8:30 AM - 9:20 AM | Grapevine A/B
Speakers: Kirk Nahra, Wilmer Hale

Key Privacy and Security Developments at the State, National and Global Levels

2018 was a critical year in the development of privacy and security law around the world, and we can expect 2019 to perhaps have an even greater impact. This session will address the key issues arising on privacy and security law, at the state, national and international levels. We will be focusing on the issues that you need to know about to help your company plan its privacy and security activities this year and in the future.

9:25 AM - 10:15 AM | Grapevine A/B
Speakers: Greg Singleton, HHS

Forging a Stronger Approach to Sector Sharing

• Health sector’s increasingly complex mission in the overall cybersecurity landscape
• Brief Health Sector Cybersecurity Coordination Center (HC3) introduction
• Information-sharing channels to support cybersecurity defenses for the sector
• Opportunity to ask questions in open forum

10:20 - 11:10 AM | Grapevine A/B
Speakers: Michael Parisi, HITRUST (Moderator), Brenda Magri, Fiserv, Roy Mellinger, Sabre, Bob Healey, Evolve IP

Cross Industry HITRUST Adoption

Although HITRUST programs were born in the healthcare industry, the programs, tools, and standards are industry agnostic. Hear from leading non-healthcare organizations about how they have implemented and leveraged HITRUST programs to help address risk management requirements within their industries.

11:15 - 11:55 AM | Grapevine A/B
Speakers: Omar Khawaja, Highmark, Jason Martin, Highmark, Jack Freund, RiskLens

HITRUST + FAIR: A Marriage of Measurement

Addressing the pathway for incorporating the Factor Analysis of Information Risk (FAIR) methodology in any HITRUST-focused program. The session will demonstrate the value of presenting an enterprise-level dashboard view of quantified risk across various business units by coordinating cross-alignment of the HITRUST CSF, the HITRUST Threat Catalogue, and the FAIR model.

12:00 - 12:40 PM | Grapevine A/B
Speakers: Michael Parisi, HITRUST, Michael Frederick, HITRUST, Jason Taule, HITRUST, Anne Kimbol, HITRUST, Dr. Bryan Cline, HITRUST

HITRUST Updates | Lunch & Learn

Lunch & Learn with the HITRUST Team to get the latest updates on the following:
• CSF v10
• MyCSF 2.0
• Shared Responsibility
• Continuous Monitoring
• Provider Third Party Risk Management Initiative
• International Plans
• HITRUST Assessment XChange
• Risk Triage

12:00 - 1:00 PM - BOXED LUNCHES + SPONSOR SHOWCASE | PRE-FUNCTION AREA