Highlights from the Recent HIMSS Security Forum – Boston Dec 9 & 10, 2019

Highlights from the Recent HIMSS Security Forum – Boston Dec 9 & 10, 2019

Ronnie Daldos, CISSP – MITRE Corporation

NJ HIMSS Board of Directors; Co-Chair Security, Privacy and Compliance Committee


I recently attended the HIMSS Security Forum in Boston (By recently, I just got home last night) and while I have not had a chance to formalize my notes, I wanted to jot down some quick thoughts on my experience to share with our membership. I think the first keynote (Michael Coates -CISO – Formerly of Twitter & Mozilla) summed it up nicely when he said (I am paraphrasing)” It is not the zero day that is the problem, it is the 100 day.” We still need to do a better job at operationalizing security at enterprise scale. We are still talking about the need to understand our asset inventory and the importance of segmenting our networks. Unfortunately, there are some HDO’s that for what I assume are resource constraints, are still struggling with meeting this basic cybersecurity baseline. Of course, once organizations know what they have, there is still a challenge for some of those same organizations to remain current with patches and updates. As a co-chair for our chapters Security, Privacy and Compliance (SPC) Committee, I would love to hear from our members who may be struggling so we can figure out some way as a healthcare cyber community to help lift each other up.

At the opposite end of the spectrum, I met Christopher Frenz, Associate VP of Information Security at Interfaith Medical Center in Brooklyn. Interfaith is the first HDO to have implemented a Zero Trust Architecture (ZTA). They accomplished this by doing a lot of the tedious legwork upfront. Once you know what devices that are in your network, you need to understand what systems they need to talk to and who needs to access them. (Control and data plane flows) It took them a little over two years to document all their endpoints. There were comments on how well this might scale in a healthcare environment, and I found out that Interfaith is managing about 10,000 endpoints. Interfaith leveraged many of the same basic tools that many of you have in place today, such as Netflow logs and Wireshark. (Free packet sniffer) Even if you don’t plan on moving to ZTA, it is still important to understand your network traffic flows in order to develop a risk-based security architecture for your organization.

The amazing John Halamka, MD (President of the Mayo Clinic AI platform) was our keynote for day two and shared some insights into the next five years of healthcare cybersecurity. He commented on how we are on the cusp of business model changes. In his organization, he moved the clinical engineering staff to be under IT, to ensure a closer team integration. When asked about blockchain, he does not see it as a panacea, but does see a few specific use cases for it, such as a way help ensure the most current information about healthcare providers is available in the provider directories maintained by health insurers. (See www.synaptichealthalliance.com for more info)

A final thought is from the threat intelligence session, which is of personal interest to me. I learned about the Factor Analysis of Information Risk (FAIR) Institute (https://www.fairinstitute.org/) which is a Value at Risk (VaR) framework for cybersecurity and operational risk. Simply stated, it is a quantitative risk analysis model that describes what risk is, how it works and how to quantify it. Omar Khawaja, the CISO from Highmark Health shared how they were using the tool to better inform their executive officers and board members of their current risk posture and potential business impacts.

I’m sorry I could not do justice and cover the other sessions that were presented at the forum. It was a big difference from a HIMSS National event, which I liked because it made it easier to speak with presenters after their sessions. I found it to be a very productive event and well worth the time.

Please feel free to reach out to me (rdaldos@mitre.org) with any questions or comments. We are always looking for new SPC committee members or ideas on webinar topics! 

I wish you all peace, health and happiness! Happy Holidays!

Ronnie Daldos