ITSPmagazine Podcasts

HITRUST Collaborate 2024 Keynote—Industry Perspectives: Charting The Path Forward—Innovations in Security and Assurance | A Conversation with Dan Nutkis, Robert Booker, Omar Khawaja, Cliff Baker, and Andrew Hicks | On Location Coverage with Sean Martin

Episode Summary

Join Sean Martin and a panel of leading cybersecurity figures from HITRUST Collaborate 2024 as they discuss the importance of a robust, adaptable security framework and HITRUST's commitment to addressing real-world security challenges. Discover how continuous innovation and collaborative efforts are transforming cybersecurity and strengthening the healthcare industry and beyond.

Episode Notes

Guests:

Dan Nutkis, Founder and Chief Executive Officer of HITRUST

On LinkedIn | https://www.linkedin.com/in/daniel-nutkis-339b93b/

Robert Booker, Chief Strategy Officer at HITRUST

On LinkedIn | https://www.linkedin.com/in/robertbooker/

Omar Khawaja, CISO, Client at Databricks

On LinkedIn | https://www.linkedin.com/in/smallersecurity/

Cliff Baker, CEO at CORL Technologies

On LinkedIn | https://www.linkedin.com/in/cliffbaker/

Andrew Hicks, Partner and National HITRUST Practice Lead at Frazier & Deeter

On LinkedIn | https://www.linkedin.com/in/aehicks2000/

____________________________

Hosts: 

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/sean-martin

____________________________

This episode of the On Location series, recorded during HITRUST Collaborate 2024, brought together leading figures in cybersecurity to share their experiences and insights. Moderated by Sean Martin, host of the Redefining CyberSecurity Podcast, the panel included Dan Nutkis, Founder and Chief Executive Officer of HITRUST; Robert Booker, Chief Strategy Officer at HITRUST and former Chief Information Security Officer at UnitedHealth Group; Omar Khawaja, CISO, Client at Databricks and former Chief Information Security Officer at Highmark Health; Cliff Baker, CEO at CORL Technologies and Managing Partner at Meditology Services; and Andrew Hicks, Partner and National HITRUST Practice Lead at Frazier & Deeter.

The session kicked off with Sean Martin highlighting the importance of collaboration and conversation within the cybersecurity community. Dan Nutkis reflected on the early beginnings of HITRUST in 2007 and discussed the initial goal of establishing a comprehensive and effective framework for security. Nutkis highlighted the organization's ongoing commitment to continuous improvement and adaptability in addressing security needs.

Omar Khawaja emphasized the need for setting high-security bars and how HITRUST has been instrumental in providing robust frameworks that simplify complex compliance requirements. He shared how Highmark Health leveraged the HITRUST certification to streamline their third-party risk management, ensuring better outcomes with fewer resources. According to Khawaja, HITRUST’s efforts in adapting to market needs and developing new assurance levels like the i1 and e1 have been vital in meeting evolving security demands.

Cliff Baker discussed the innovation driven by HITRUST in the compliance space. Baker stressed the importance of the HITRUST ecosystem, which is designed not only to meet today’s security challenges but to anticipate future needs. The assurance framework and transparency provided by HITRUST have proven essential in building and maintaining trust within the healthcare industry.

Andrew Hicks praised the rigorous QA process that HITRUST employs, which ensures that certified organizations maintain high standards of security. He emphasized how this rigorous process not only helps organizations achieve certification but also transforms their overall approach to cybersecurity.

Robert Booker spoke about the continuous curiosity and commitment required to stay ahead in cybersecurity. He highlighted how HITRUST’s data-driven approach and innovations in areas like AI and continuous monitoring are crucial in maintaining relevance and enhancing security outcomes.

Throughout the discussion, the panelists collectively underscored the importance of a robust, adaptable, and comprehensive security framework. HITRUST's continuous innovation and commitment to addressing real-world security challenges position it as a leader in the industry. The collaborative efforts of HITRUST and its community not only improve organizational security but also strengthen the overall reliability of the healthcare system.

As HITRUST continues to evolve and introduce new initiatives, it remains a pivotal player in setting high security and compliance standards. The insights shared during this episode of On Location provide a glimpse into the future of cybersecurity and the ongoing efforts to safeguard sensitive data in the healthcare sector.

Be sure to follow our Coverage Journey and subscribe to our podcasts!

____________________________

This Episode’s Sponsors

HITRUST: https://itspm.ag/itsphitweb

____________________________

Follow our HITRUST Collaborate 2024 coverage: https://www.itspmagazine.com/hitrust-collaborate-2024-information-risk-management-and-compliance-event-coverage-frisco-texas

Be sure to share and subscribe!

____________________________

Resources

Learn more about HITRUST Collaborate 2024 and register for the conference: https://itspm.ag/hitrusmxay

Learn more about and hear more stories from HITRUST: https://www.itspmagazine.com/directory/hitrust

____________________________

Catch all of our event coverage: https://www.itspmagazine.com/technology-cybersecurity-society-humanity-conference-and-event-coverage

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcast

To see and hear more Redefining Society stories on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-society-podcast

Want to tell your Brand Story as part of our event coverage?

Learn More 👉 https://itspm.ag/evtcovbrf

Episode Transcription

HITRUST Collaborate 2024 Keynote—Industry Perspectives: Charting The Path Forward—Innovations in Security and Assurance | A Conversation with Dan Nutkis, Robert Booker, Omar Khawaja, Cliff Baker, and Andrew Hicks | On Location Coverage with Sean Martin

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] Alright here we are, so Ryan already set it, you got it all lined up? Music, musical chairs? Those people probably heard it. I didn't sing that hard. From out there. And I'm in the wrong spot anyway. But anyway, here we are. 
 

I'm Sean Martin, the co-founder of ITSPmagazine, host of Redefining Cybersecurity podcast, and a huge fan and friend of the HITRUST community. And, uh, I want to echo what Ryan said about, uh, the, the hosts. So, uh, let's bring this all together so everybody can, again, big round of applause to HITRUST for bringing this all together. 
 

Um, it's all about the conversation, amazing content this week, collaborating, of course, and bringing together the outcomes that we all want. And I want an even louder clap. I'm gonna embarrass somebody. This guy started this stuff back in 2007. Thank you. And has done an amazing job, Dan. [00:01:00] Woo! Woo! Dan Nutkis. 
 

So thank you all for that. Um, I'm not going to read the names. This is an amazing panel. Uh, we're going to have some incredible conversations today about kind of the history from 2007. What we've encountered in terms of challenges. What we can learn from that. And, uh, hopefully what we can do moving forward as we encounter more stuff. 
 

So. Um, we can all take a seat. Okay. Alright, so Dan, I'm going to keep putting you on the spot here. Sure. Back in 07, you had a vision and a mission and a passion for bringing this together. Um, what did that look like? Did you know it was going to end up like this?  
 

Dan Nutkis: Yeah, I'm not sure it was a mission, a passion, and a vision. 
 

Um, But there was a, I think there was a, an intent and, um, this came [00:02:00] about probably in 2006 where we, I think, recognized that there was this, this deficiency and it wasn't really raising the bar. As a matter of fact, I think that's a misnomer. It was about establishing a bar and, um, organizations. And it was, I think, I think everyone knows it started in health care and There are a number of healthcare organizations wanted, um, a bar. 
 

They wanted to know what to do, the guidance, the, uh, that they were receiving, the regulations. They were ambiguous, they didn't know what to do. And so the goal, which we thought was, um, uh, doable was to establish a framework and, um, not sure that any of us really knew what that meant by the way. And we knew it wasn't a standard, although it grew into a standard. 
 

We thought it would be focused entirely on security. Ended up not being entirely on security. And then we didn't realize to actually operationalize it so that you could make it [00:03:00] reliable was that you had to build all of these things around it. So, um, and I think that Cliff was there shortly after, um, and I think we really just, um, started to. 
 

Uh, take a bite of the elephant and went, uh, as far as we could, and we just kept on going, and 17 years later we've, uh, I think a lot of what we actually put in place were things that we identified years, so it's actually taken us 17 years, uh, for things that'll be announced tomorrow and the next day, or actually, I guess, later today, are things that we actually envisioned at the beginning, we just couldn't get them done. 
 

Sean Martin: And it's taken a community to Bring it all together. So I don't know if I'll start at the end, Omar, because I know you've been we've had a number of conversations about, um, the outcomes. What were some of the challenges that you faced? And as a member of the board of directors, um, how did you see this stuff coming together? 
 

Omar Khawaja: Yeah, I mean, you know, early on, we didn't have [00:04:00] the name recognition was who are these guys? What are they doing? And so getting strong leaders and having the right, um, The right large health care leaders in on the board and and providing their opinions and being vocal that that significantly that helped as as Dan mentioned, everything was ambiguous because nothing was defined. 
 

We didn't. There wasn't a clear ask of what was needed. There was somewhat of an understanding of the issue and the problem and the challenge. And, uh, you know, the breaches were starting to happen. And We knew we wanted to be compliant, but there was more and more compliance requirements and more and more authoritative sources, and there was this sense of, this feels like a waste of time. 
 

How many of these authoritative sources do we have to comply with, and is everyone going to spend all their time just building crosswalks? Like, why do we have to do that? Can we just have, can we simplify this? And so the idea of having a single framework, having a single standard, Uh, simplifying it was really, was really the key [00:05:00] and eliminating waste if we, if we could do that, we thought that, uh, we'd have a message that would resonate and for a lot of us, it was, it was selfish. 
 

I was at Highmark and I said, this is what I need. So if I can join an industry organization and we can do something that's going to make my life easier, why not? And Robert and the others, we all sort of, that's what we said. This is the challenge we face every day. And if, if, And, uh, I think if, uh, you know, HITRUST can address this, we could probably save two, three, four, five, six FTEs worth of work on our own teams. 
 

Cliff Baker: I think, uh, you know, one of the things, and this is to Dan's credit, uh, you know, this, this was the domain of government or quasi government institutions, and, and it took, you know, Dan would appreciate this, as a guy from New Jersey, it took chutzpah for somebody to say, I can innovate in this space, right? 
 

Uh, And, and, you know, we may not have had kind of a sense of trajectory, but Dan had instincts for Kind of how to scale, like how to get the right support, how to get the right infrastructure, how to get the right technology, how to get the right [00:06:00] automation, how to get the right assurance program. All of those components took an instinct. 
 

I'm not sure that any of us who who was innovating in the compliance space, right? Like who in their right mind would say I'm going to build a whole organization to innovate in the compliance space, but Dan had those instincts and Yeah. And those instincts have carried us forward in a way that could scale this and make it doable. 
 

Um, and I think people underestimate that. They underestimate that, you know, you think you just write a framework and you publish a bunch of authoritative sources. And, uh, but, you know, I think early on, Dan was saying, listen, like, we don't have an assessor community. This, this fails like this doesn't go anywhere. 
 

And if we only have. The big four. No disrespect from the big four. But if we only rely on the big four, we can't scale this across the nation. It goes nowhere. And so Dan had those instincts from the start of those instincts carried us forward to what is HITRUST today and enable us to scale and continue to scale going forward. 
 

Sean Martin: Your thoughts on this? I'll tell you my life. My good  
 

Andrew Hicks: should be good. Okay, I'll tell you a little bit because [00:07:00] I've been doing this for 13 years. I was thinking about this in my flight out here. How long has it been? And I never went through college thinking, Oh, I'm going to be an expert in HIPAA or HITRUST because HITRUST wasn't even a thing back then, but I think what we're collectively saying what was done all those years ago was true. 
 

I mean, it was remarkable, right to get Anthem and Highmark and HTSC and United and etcetera on and on on board with setting vision for an entire industry at one time, truly, truly remarkable. And you look at where we are today, and I know we'll flip the page and talk about more more about today, but Where we are, I mean, an entire industry has adopted and is aware of what this framework is, what it's done. 
 

And when we talk about assurances up and down the supply chain, it's it's there. So there's a lot of positive traction with HITRUST and where it's where it's gone over the years.  
 

Robert Booker: Yeah, you know, I think I go back to when I was I was at one of those companies you mentioned on the board of HITRUST. 
 

And, uh, you know, I joined I joined that company in 2008. [00:08:00] Also a highlight of the day, uh, Can you please tell us about the, the That'd be a great topic to talk about, Ryan. Well, um, uh, The, the CRMP, uh, finally came into being, so we had a couple different initiatives. The first one, uh, was basically like I said, uh, I think, uh, we were, we were talking about, um, uh, How do we check the box on HIPAA, because that was the big thing everybody was worried about at that point in time. 
 

And secondly, it didn't really, it didn't really attract any kind of industry momentum yet, where there were, there were the people that had a point of view that could actually help the industry make the right decisions and create that sort of flywheel effect, if you will, of, you know, the industry helping, helping self governing in an appropriate way. 
 

And, you know, Dan had the vision, and Uh, I think, uh, I think that vision always was built to, to deliver at scale and health care, arguably, in my [00:09:00] opinion, still is one of the most complex industries that exists today. And it's very, very diverse and very dynamic. And it's hard to get anything right there because of the complexity of the system. 
 

And um, but the mission was simple as how do we, how do we make security and then privacy, how do we remove that as a barrier from, you know, the healthcare industry? And, and. I mean, I think, um, I think we've all seen the, the, the, the, the, the, the, the current healthcare system is a barrier to adoption. And then as, as healthcare continue to be challenged in our country and as we looked at our system and other systems that were growing, there was this constant drumbeat of like, can we make healthcare more efficient? 
 

Can we reduce the waste that we spend every dollar on compliance or duplicate or triplicate or quadruplet, if that's a word, compliance, is a dollar not spent caring for patients and helping people that have needs. And so the mission, at least, At least for, I think a few of us that have been in the industry for quite a long time was, was really synergistic. 
 

It was how do, how do we build a system? How do we empower the supply chain of our system, the people that we do business [00:10:00] with, our business associates, how do we, how do we engage those, those people together for a common good? And, uh, you know, it, it seems like, it seems like from a vision perspective, you know, Dan, you've always been kind of the next step ahead, looking at where Cloud was going and looking at where, uh, TPRM challenges really were emerging for. 
 

Um, I think it's important for a lot of us, and I think, I think it's still that way, we're still looking to what's the next challenge, and that's what's kind of exciting here.  
 

Sean Martin: So Dan, you mentioned setting the bar, and you spoke to advancements in tech like cloud, and then the need to evaluate the supply chain, which third party risk management came along, you did a lot of innovative things there as well. 
 

Um, it requires a mindset, in my mind, of a community that believes in the same thing, and that it, How did you, how did you invigorate folks to become part of this? I know you leveraged a lot of the, the big names, but there's much more than, than just the few.  
 

Dan Nutkis: Well, I think we tried to [00:11:00] be inclusive and we tried to set out a plan and uh engage people. 
 

I, I think in general, there was a, um, a willingness and a want to change things. Um, we, we, we, we, we, We really wanted to, uh, Uh, mitigate the risks, And um, and, you know, We saw adoption for many reasons. Some that, you know, had breaches, And they wanted to, uh, to do better in the future. Some that realized they didn't want to have breaches. 
 

And then others that wanted to use it as, uh, As a way to demonstrate that they were, uh, Trustworthy that you should do business with them. And there certainly was on the vendor community and once we identified those organizations and got grounds well, we found we just got more and more. And it as everything tips over, we just continue to tip. 
 

But we evolve like everything else for those that have been with us for many years. The [00:12:00] framework was certainly not very mature and how we develop the framework. I don't even how we even did it. Thank you. Thank you. I think we literally maxed out Excel, um, trying to do it and now we have tools and we actually have incorporated AI into those tools to actually help develop the framework and things we never had before and, um, but we. 
 

You know, I think we did our best. The framework, the assurance methodology for those that adopted it in the early days. We had very few controls required for certification and we continue to ratchet that up over time and probably the one thing I think we've done well and I think our vision was that was we would just try to always improve, right? 
 

We we never said that you wouldn't have a breach being HITRUST certified, but What we hoped was if you had one, none of your peers would have one, right? That we would take the learnings and improve the framework, improve the assurance methodology. And I think, uh, through our latest trust report, there aren't a lot of HITRUST [00:13:00] certified organizations that get breaches. 
 

And I think that is really part of what we tried to start with 17 years ago, and I think we did bring a lot of organizations along. Um, it's always fun for me because a lot of the organizations would always tell me years ago. I can remember a couple of the really big ones. The fortune 15. You probably remember him as well. 
 

Never getting HITRUST certified. Not going to happen. Never going to do it. And then they get HITRUST certified. We love it. It's great. Best thing in the world. You know, it's always  
 

Sean Martin: so assess once. Cover many so our assessment cover once but. For me. Having a vision, building something is one piece of the puzzle. 
 

Having people that want it is the other piece. And then they have to meet in the middle. I call that operationalizing security or compliance, right? How, just down the line, how did you take what [00:14:00] HITRUST delivered and embrace it and empower your teams to leverage it for the benefit of your organization and then Benefit of your customers. 
 

Cliff Baker: I think that Dan mentions, you know, I think the reason. Dan's been successful. I just been successful. It's about solving problems like first and foremost, and then and so you know, as problems have evolved. Uh, HITRUST has adjusted to address those problems directly and so whether in the early days like Dan was mentioning the industry came to us and said, listen, like we have to comply with HIPAA. 
 

We've got SOC 2 audits. We've got state audits. Have you ever tried building a security program around HIPAA? Good luck. Have you ever tried building a security program around SOC Trust Principles? Good luck. And so, you know, we came away from that and said, Listen, alright, we gotta do an end to end framework for building a robust security program, but we gotta add on and build an assurance platform related to that. 
 

You know, and so they were married together. And really, You know, that, that, that [00:15:00] was based on listening to the market and listening to the industry and getting feedback and adjusting, and I think it's been that, that way throughout and now, you know, a great example for me, you know, it's, it's, I, I use this terminology earlier, so forgive me for repeating to folks, but it's mind boggling that we still exchange documents in this assurance world, right? 
 

Like we, we send each other PDFs and we send each other documents and you got to go through these PDFs. Yeah, HITRUST looks and it goes. That's that's bonkers, like in this day and age. And so let's deliver these things in an automated way. Let's deliver them through an automated platform. That's what the market's telling us. 
 

And that's, you know, I think that's one of the powers of HITRUST is that the innovation that's been been Enabled in the space in the compliance space, uh, folks take that for granted, but it's really difficult in traditional. Government across our government spaces to be really innovative and HITRUST has brought innovation to this compliance space, and I think it's reflected in various milestones throughout its history.[00:16:00]  
 

Robert Booker: You know, for the world, the world that I was in at the time, I, uh, I think a lot about the challenge of knowing. What was needed, and we could all look at the rule and we could all understand the rule said to do things, but and I will argue today that there still is a lack of precedent, at least in health care, where, you know, organizations that believe they've done the right thing. 
 

Know with confidence that right thing will stand the test of time. So absent that I started more is for an internal purpose and internal assurance need for our company. And I said two things I wanted. I wanted to have a Clear and understandable way of communicating requirements across at the time. Uh, you know, an organization where I had made might have had a team of a couple hundred people and, uh, working on security across a much larger, larger organization. 
 

Uh, and then I needed to have the ability to know with confidence that I could quantify internally for my own purposes that we are making progress. And it [00:17:00] wasn't just about achieving the certification, it was about knowing where you were from a baseline. So that you could continually advance the ball forward in that regard. 
 

And then, uh, and then we had, um, you know, the events of, I want to say 15, uh, 16, the healthcare industry really suffered a significant wave of attacks and the third party risk problem for us. We might have been later to the third party risk dimension of it. We, we had relationships and third party risk management programs, but I hadn't yet been able to go that last step of having an expectation that they achieve a. 
 

Security, uh, expectation that we would set and, uh, you know, those those events really created the catalyst for our company to go to the suppliers. We work with many of which were working with other companies that had already started those conversations and say, you know, we need you to achieve a certain outcome, and so it really became. 
 

It became two needs supported by a single program in a relationship with a single company in a single leader in HITRUST [00:18:00] that. Could actually help us solve both the internal governance and internal assurance problem. You know, me communicating every day to my colleagues and other executives about what we think the right the right approach to security was in plain, simple English and then communicating with the third parties. 
 

And I think that that ability to work both sides of that problem was two sides of the coin has really paid great dividends. And, uh, I think today many organizations are are using a similar approach now and built on that type of framework.  
 

Andrew Hicks: So, my response to that question is, and I've said this for a long time, I can get behind anything I believe in, and, and looking back at the CSF and how it was constructed all those years ago, and you see it today too, um, we've talked a lot about compliance already, um, it's not a compliance thing, this is a security initiative, um, and it goes all the way back to the roots of, of where HITRUST began. 
 

And if you look at just how it's built with consideration to present day threat attackers, [00:19:00] threat vectors, it's baked in so that when you see the residual requirement statements that we're all familiar with, hopefully, when you see those requirements statements, those are very directed to present day attackers and vectors. 
 

So, um, for me, and by the way, I represent kind of the external assessor. I'm not on the adopter side of the house per se. But when we go to market, we're trying to help organizations like yours out there. Yes, we want to help with certification. That is the ultimate goal, but it's the belief in, you know, as you as you come out the other side that you're gonna be way more secure than where you started. 
 

And to me, that's always kind of been the underlying theme of why I like what I do, because I get to help a lot of organizations. But it's the belief that we're together helping out the entire industry as a whole through a framework that's got so much. You know, packed into it. So.  
 

Omar Khawaja: I think you know, as I as I look over the past decade plus, um, [00:20:00] and we just had a board meeting right before this. 
 

The amount of energy and excitement we have, and in some cases frustration we have with the status quo. Doesn't feel much different today than it did 10 years ago. We still feel like we've got problems to solve. We still feel like there's challenges in the market. What's different is. We're solving different problems. 
 

We're solving different challenges. We've got a significantly larger amount of stakeholders and constituents, and we're significantly more engaged through all the programs that that that we have. But so much of it is what Cliff said and what what Robert said is it's this obsession with solving problems. 
 

And it's this obsession with solving problems and sensing what the market, what the customers are seeing. And the customer could be the relying party. It could be the assessor. It could be the assessed party and thinking about all of their needs. I remember when we first rolled out TPRM and a few of the organizations we had issued [00:21:00] a press release saying from now on, we're going to require all of our third parties that have access to our PHI to be HITRUST certified. 
 

I can't remember if that was true or not. Was 2015 or 2016 so but 8, 9 years ago and we thought this was a really good idea and we high fived and then the vendors learned about all of this and they were up in arms. They're like, what do you mean? You're just going to tell us to do this. We don't know what HITRUST is. 
 

We don't know what the requirements are or we looked at the requirements. Are you crazy? There's all these requirements and we said, well, what do we do? We thought we solved a problem, but we created another one. And until we solve that, we're not really going to solve The initial initial challenge to begin with. 
 

So then we started to have conversations and we brought the the vendors, the BAs themselves together. We realized we needed to listen to them. We created a council for BAs. We realized we needed to grow the assessor ecosystem. And as soon as we thought about this as an ecosystem where we had to work together and we had to partner and we had to [00:22:00] figure out how to create it. 
 

Sort of incentives and structures and approaches that we felt like we were doing this together. We started to. We started to solve it, and since then we keep solving bigger and bigger problems  
 

Cliff Baker: in a full circle moment. We have a Health3PT Council. We have a vendor subcommittee in the vendor subcommittee. 
 

Number one requirement is help us communicate to customers that they should be accepting HITRUST. So talk about a full 360 moment there. 
 

Dan Nutkis: Oh, that was one of the most widely attended conferences we ever had.  
 

Cliff Baker: Yes, it was vocal to and  
 

Dan Nutkis: the room was quite a bit deeper than this one, and the line for people to come up and talk was out the door. Yes,  
 

Sean Martin: yes, yes, yes, so one of the things I wanted to touch on it. You kind of alluded to this a little bit. 
 

Omar is it? There's constant change and things are moving right tech rags. The patient care needs systems that [00:23:00] are, that are running the hospitals and other organizations that, that we're trying to protect. I find that HITRUST kind of shields folks from a lot of that. So the experts and the, and the assessors and the community kind of help pull that all together to provide a nice buffer, if you will. 
 

For a lot of that change and so that organizations can focus on what matters, which is patient care for health care and other customer care and other industries. So who can speak to who wants to start off speaking to kind of the the change that we see internally and externally and how you've leveraged HITRUST to. 
 

Um, kind of offer and help.  
 

Cliff Baker: Um, and, uh, you know, I think, uh, so, you know, often we'll, we'll, we'll get the pushback [00:24:00] around questionnaires, for example, you know, companies are kind of wedded to the questionnaires and those questionnaires take on a life of their own. And, uh, and so the question we'll get is, well, if I don't ask this question, this next question, then what kind of. 
 

Do I create for my company? You know, what kind of compliance exposure and really, you know, the, the, the, the conversation we should be having is actually, if you ask that additional question, what kind of compliance exposure you're going to create for your company? In other words, if you ask one more question that you can't follow up on and you can't do appropriate due diligence and you've got this great documentation trail about everything your supplier is not doing right, what kind of real compliance situation are you creating for your company versus? 
 

Versus relying on assurance. And so we, you know, we're kind of trying to flip the conversation. You had to kind of think about compliance from a different angle. So that's been a great use case where HITRUST assurance is such a powerful message. And to your point, you know, HITRUST, you know, companies have spent hundreds if not thousands of hours. 
 

Uh, [00:25:00] kind of dedicated to putting the controls in place, to documenting the controls, to getting certified. No individual process that a third party risk management program does can compensate for that amount of work effort. And so HITRUST kind of shields you as an organization, you as a customer, from, you know, your exposure because you couldn't do appropriate due diligence or you couldn't dig deep enough, where you've created this crazy documentation trail that's now sitting in your GRC. 
 

HITRUST provides that cover for you like no other vehicle out there. That's a great example, I think, of where the framework and assurance has really provided value. Yeah,  
 

Robert Booker: you know, I think the, the, it's already been said here, but I'll, I'll say it again. The, the challenges we're solving today are not the challenges we solved, you know, yesterday or last year, and the challenges we'll solve next year are different than the challenges we solve today. 
 

And uh, that's been this continuous curiosity, kind of, I call it unrestedness. We're kind of unrested about the status quo, you know, how do we want to think about the, the next place that we're going. [00:26:00] You know, each of you sitting in your seats in the organizations that you serve, you know, the challenges you're facing as you look to the, to the environment around you, and it does begin with threats and the fact that, uh, we operate in an environment where the, the threat landscape has changed remarkably. 
 

I think the awareness of the impact to the systems we serve from a bad day has changed remarkably because we've seen, you know, we've seen those events that are really, really challenging. The system is a single entity and yet we work, if we work from a compliance lens and we work in a regulatory uh, landscape alone, we, we know with confidence that you know, if it's, if it's untenable for us to keep up, regulations are two or three years behind us. 
 

And so, if you really want to think about it, and we really want to think about the problem we're trying to solve, and again I maintain it's more than the compliance problem, it's about having a system that's continually restless and kind of asking the question like, what's next? What's next? You know, what have we learned from the events of this year? 
 

Um, [00:27:00] where do we think the world is gonna go next? With, you know, the advent and the explosion of things like AI. We've been, we'll talk a lot about that this week, but, um, you know, we talked about that. Um, you know, ChatGPT came on the scene, uh, October, November of 22. Uh, here we are, 24. We started talking in early 23 about the fact that, you know, this AI thing, we now know what that thing is, and we understand it much more clearly. 
 

But that thing is going to change the world of security, uh, requirements and security needs because it's taking all the oxygen out of most organizations in terms of IT development and IT capital and all these other things. So we have to stay ahead. So I just think that restlessness is really critical. 
 

Just a couple of examples there of how we think about the problem. 
 

Omar Khawaja: I think, um, you know, some of this is. When you're in a security organization, you realize the amount of things you need to [00:28:00] do is a magnitude or two greater than the amount of time and capability and resources and budget that you actually have. And so I almost had this first principle as a CISO that if there's someone else that can do this and they can do it even 80 percent as well as I can or my team can do it, 
 

I would much rather they do it, because the list of things that only my team can do is so long, the default is, let me find someone else to do it, and HITRUST sort of took a lot of things off of my plate, and it turns out they actually did it. HITRUST does it way better than my team ever would be able to do it, so, to do the crosswalks between compliances, to map threats to controls, to, uh, go assess third parties. 
 

So I didn't even have the third party risk program in my organization because all I said to the head of audit who wanted to run third party risk, I said, you can take it as long as we just have something in our [00:29:00] contracts that requires our third parties to be HITRUST certified. I don't really care about anything more than that, because I have more than enough to do within our four walls. 
 

And if someone else is willing to take on what's happening outside of our four walls, namely HITRUST, then that's great. I don't need to go fight for 7, 8, 10 people on my team to go manage 1,000 third parties because I don't need to. That felt like a waste, that felt like it wasn't the best use of my time. 
 

So I saved money. I saved resources. I saved headache and I got a much better outcome. And that's what I always look to HITRUST for is, you know, cyber threat intelligence became a bigger thing 6, 7, 8 years ago. We went to HITRUST and said, Hey, HITRUST. All healthcare organizations have a need for cyber threat intelligence. 
 

That was still a newer space. And so HITRUST decided they were going to play a role in that. Now, did everything HITRUST do over the last 7, 8 years, is it still around? Was everything successful? Absolutely not. But that's what it takes to be entrepreneurial and to be [00:30:00] successful is you will have a long list of failures in your wake. 
 

And that's okay. Remember, Microsoft did come up with the Zune. But Microsoft is still doing okay in spite of that. And Amazon did try to get into the phone business, but they're doing okay in spite of that. And the same thing with HITRUST. We've had our share of failures, but every failure led to a significant set of learnings, as Robert mentioned, and that's been key to be that learning organization that's always market centric. 
 

Dan Nutkis: I will just point out on that one, though, and it's a close point earlier as in. I don't assume,  
 

Omar Khawaja: but it was an mp3  
 

Dan Nutkis: player. In case anyone  
 

Omar Khawaja: doesn't know  
 

Dan Nutkis: our, uh, our foray into cyber threat intelligence and understanding it was really the basis for what we now refer to as Cyber Threat Adaptive, which is kind of one of our innovative projects and programs that works very well, and it was to this issue with questionnaires and everything [00:31:00] else, which was how do you maintain, uh, relevance of a framework, and this is one thing that was extremely frustrating for us, and well, there's a lot of things frustrating for us, but this one in particular happened to be with the fact that everyone would accept the HITRUST, uh, certification, but they wanted to ask some additional questions because it didn't feel that we were able to be topical enough. 
 

And there were, um, controls that we may or mitigations we may not have in our framework and. Uh, we went to work on that and really, uh, uh, leveraging this, uh, the threat intelligence that we continuously review, uh, map it to mitigations and we map it against then our framework, determine if the framework has any deficiencies that would, uh, on the E1 level, that would, um, uh, jeopardize the, uh, the security, the control itself, and that became a, uh, [00:32:00] um, you know, an opportunity for us, and it was one that was really based on our knowledge of threat intelligence. 
 

It also, uh, made it easier for us to talk to people that said, well, I still need my questionnaire, and we would say, why? What, what does your questionnaire provide that we don't have in the framework? What, you know? What threat, what mitigation, what are we trying to, to do? And, and I think there's a lot of that. 
 

Uh, I don't know where Ryan went, but you know, I think Ryan has a lot of those conversations, uh, on a regular basis. So talk to Ryan. Anyway, our, our failed, uh, cyber activity actually worked,  
 

Sean Martin: uh, just fine for us. Well, I'm, I'm gonna pull, uh, pull back, uh, cyber activity as well. So I, 30 years, I, I used to build and bring Norton antivirus to market. 
 

Our biggest challenge with that wasn't the number of threats we're trying to protect against. It was getting enterprises to adopt antivirus in their organization. And guess what? We got the attention of [00:33:00] business. We got the attention of government. Everybody's concerned with security now. And there's a lot of pressure to demonstrate that you're doing the right thing or one could potentially end up in trouble. 
 

Um, so how important is reliability, transparency, consistency, demonstrability? And obviously in the context of what we're trying to accomplish here with HITRUST and the community. 
 

Cliff Baker: I mean, I think it's critical. I really, you know, in today's context. Kind of, uh, uh, commercial environment, transparency and, uh, and reliability, trust is, is, is critical, you know, especially in health care, the proliferation of third party, uh, relationships and how important those kind of contracts and relationships are to the delivery of core services, right? 
 

Whether it's on the health plan side or the provider side, this is different than it was a decade ago. [00:34:00] You, you, you cannot deliver core healthcare services anymore without the reliability and support and delivery of your partners and, and, and vendors. And so, so, you know, I think in, in, in that, that's, that's what we're here for. 
 

It's only kind of growing and, uh, you know, at a rapid rate. So this need for trust, this need for transparency, this need for open communication is only going to grow. I think it's, I think it's fundamental candidly to commerce in healthcare and to the transactions and delivery of care in healthcare and, and, and, you know, that's why kind of a framework and a way to communicate in a language that both sides can understand. 
 

It's really critical to the way we're going to deliver care going forward.  
 

Andrew Hicks: Go ahead. I'll uh, I'll double down on critical. It's critical because, um, you know, interoperability was a huge thing. It still is, obviously, but, uh, a few years ago. And to what, to what Cliff was saying with your supply chain, your vendors, [00:35:00] et cetera, right? 
 

As you're exchanging data, it's of huge importance to us as patients and the industry at large to make sure our data is secure. Um, and one thing I'll touch on a little bit is just, you know, looking at HITRUST over the last, whatever, 13 years that I've been doing it. Um, from an external assessor standpoint, going through the QA process, and a lot of you go through that with us. 
 

But. Um, just going through that process. There is. It's not a free pass. It's not a pay to play. It's a, it's a difficult, challenging experience to go through that, and rightfully so, um, to go through that QA process, and hats off to the QA team because they've really, um, uh, learned and gained great experiences going through that with us, the community at large, to provide a better QA. 
 

That's where, uh, to your point, the assurance comes into play. Because when you see a HITRUST report, you know what everybody's gone through, and that's why the industry accepts it so widely, [00:36:00] um, kind of as the de facto standard.  
 

Omar Khawaja: Yeah, the other thing I would, uh, I would add to that is I remember the early days when we started requiring our partners to be HITRUST certified. 
 

Once a month, I'd hear from someone saying we have a third party, we really want to do business with them, but they don't want to do HITRUST, and they've got issues with this. So then I would go meet with them. Hear them out. What's your concern? And the bottom line would be there's too many controls. 
 

It's too expensive, and people would ask me how expensive is it to get HITRUST certified? And what I'd say to them is the answer to that is the same as how expensive is it to renovate your home? Well, it depends. What does it depend on? It depends on how poor a condition your home is in. So if your home is in really, really poor shape, a renovation is going to be very costly. 
 

If your, if your home is in pretty decent shape, a renovation is not going to be that costly. And so what I would turn around and say to some of these [00:37:00] vendors is, so what you're telling me is the bar that I've set for adequate protection of my customer's data is too high a bar and it's too expensive for you to protect my customer's data. 
 

Is that what you're telling me? They're like, oh. Yeah, maybe, maybe we shouldn't have said it's too expensive to do it, right? But that's sort of the important thing. Now over the years, as organizations have gotten savvier, as they've deployed more controls, a lot of those concerns I don't hear nearly as often, but it's important to set the bar high. 
 

But then going back to the market, or the point earlier about being responsive to the market and responsive to the needs. What did HITRUST do over the last couple years? We introduced a couple of different assurance levels. So now you have the I1. You have the one in addition to just having the R2. 
 

So it's sort of important to be able to hold multiple points of view at the same time. Yes, we want to be flexible. Yes, we want to set the bar high. Yes, we want to meet the needs of the market. And as a result of that, we keep rolling out services and [00:38:00] products and mechanisms in order to meet all of those needs, which sometimes are divergent needs. 
 

Dan Nutkis: It's, uh, it's interesting because I, I would agree that what we deem as reliability, um, which is transparency, integrity, quality, um, and to some degree suitability, is, is important and, uh, we've strived for many years to improve that and, uh, drive those numbers up and, and, uh, so that, and I think we've always used the term, if you're going to rely on an assurance report, it should be reliable. 
 

What's interesting is, and, and, um, then we got into this whole notion of relevance. Relevance was ensuring that the framework itself maintained its relevance, because the reliability, uh, was, or the assurance was, was based on the controls themselves, and they needed to be. And we had Cyber Threat Adaptive, and we had all these, you know, what we felt were really impressive programs, and [00:39:00] uh, and then we went and, uh, we made our, our portfolio more traversable, and we expanded from a high assurance to a medium and low with the I1 and the E1. 
 

And then, as I think Cliff mentioned, we, we added our results distribution so that people could consume the results electronically. Um, we thought we did a great job, and it was, but people, they, they really saw it as, as kind of different pieces. And it wasn't until we issued the Trust Report, which, by the way, is our most widely downloaded, uh, document ever. 
 

Uh, people just, um, then it was actually that they could see. They, they got it. Oh, okay. So basically all this other stuff was really necessary to get trust, and trust at a very high level. Okay. That I get. So all the, I think most people don't appreciate all the pieces that go into it, but. Uh, they could see, and it was a tangible result, and that's what they [00:40:00] wanted was the result. 
 

And I think some people, and we saw this over time, they, you know, they got a result. They got business because they could be a vendor to a customer, and they liked that. And others felt that they got risk mitigation. But the Trust Report was actually probably the, you know, the, uh, the tipping point, I think, for most people to really understand it. 
 

And we've seen the same thing on the TPRM side as well.  
 

Robert Booker: And Dan, that's, that's where I wanted to go as well, was the um, I keep, I keep thinking about the performance level we quantified with the Trust Report. And just, yeah, I think everybody would know this, but I'll just say it for, for clarity. The Trust Report wasn't written in 24 to report on how good we are in 24. 
 

It was written on two years of data. And the data led to the conclusion, not the conclusion we're seeking, looking for the data. So I think, you know, many of you are the, the people that have been at the forefront of [00:41:00] this journey. You've been with HITRUST and this HITRUST, uh, journey for quite some time. 
 

And, uh, I think to explain the outcomes, to your, to your question, Sean, is that, that reliability based on all those principles that, that Sean asked about. Uh, the ultimate proof is, are you safer from a cyber security perspective today because you have invested in the work necessary to achieve that standard? 
 

Can you have, with confidence, can you have confidence that you have achieved the level of trustworthiness in your operations? And I think the data proves it now. I think we've always believed it was the best system. You know, we built a system based on science that we felt confident would deliver the outcomes that each of you would need to have to be secure and also to be compliant. 
 

But now we have the data to prove that it is the best model, and I'll make, I'll make the argument all day long that the response of the relying parties, specifically the regulators to the events in our industries [00:42:00] is more regulation, more standards, and yet another approach to security coming down the path. 
 

They've never asked the real question, though, and all of you that are doing HITRUST are in possession of the right answer. They've never asked the question about how do you actually know if the standard's being met or not? And that level of confidence and the ability to communicate with confidence that all these things, regardless of whether it's a large list or small list, we think it's the right list, but all of these things are achieved, as evidenced by the fact that, uh, you know, less than a percent of you have had issues because you've invested. 
 

So I think that is the proof point, and that's the thing we have to continue to, to reinforce, is that reliability based on relevance is, in fact, the secret sauce that makes this successful.  
 

Cliff Baker: And the ecosystem, right? I mean, what Dan and HITRUST have built, I hope you all appreciate, for me, 
 

HITRUST is like no other organization, right? From an innovation perspective, [00:43:00] like who else is innovating in the space? Like nobody, nobody across any industry is innovating. Sure, there's tech platforms. There's GRC platforms. But who else is innovating in this compliance risk standard space? Nobody else. And it doesn't work by just, you know, publishing a framework. 
 

It works because there's an ecosystem that evolves and continues to adapt and continues to innovate. And that's what HITRUST means for me, right? Like, it's not just a framework. It's not just a bunch of standards. It's not just assurance framework. It's this whole ecosystem that has to work together and has to evolve and has to innovate in order to keep up. 
 

And hopefully everybody here is comfortable with that. You've got a sense of pride about that because you've helped achieve that where many in our industry, you know, doing the same thing they've been doing for 20 something years, uh, in our profession, excuse me, I've been doing the same thing for 20 something years. 
 

HITRUST is evolving this compliance space like no other organization, something we all should be proud of.  
 

Sean Martin: We only have a few minutes left, so for this group here, in a few words, what do you hope? With [00:44:00] knowing what a lot of being on the board, knowing what the future holds for HITRUST and the results that will have on this, this community. 
 

What do you hope this group takes away from the next few days? One more.  
 

Omar Khawaja: You know what I'd say is take advantage of HITRUST. Make sure you share your concerns, your expectations of HITRUST, and there are so many more services and capabilities that HITRUST offers than what the average organization out there is using. 
 

So think about how you can use the different parts and bring them together to solve the hard challenges you're solving for your organizations and your customers.  
 

Andrew Hicks: I would say find a new way to see value in what HITRUST has built, and so there's lots of vendors out there. We use the word ecosystem quite a bit. 
 

This is kind of, it feels like a family. We've been coming here for a long time. It feels a little weird not seeing the water fountain at the [00:45:00] Gaylord, but we've been coming for a long time. Embrace this group, network, and then kind of my soapbox thing is find value in the framework. Yes, it's great to achieve certification, hats off to you. 
 

If you've done that, but look at how that transforms how you look at cyber security in your organization. Um, integrate it, adopt it, um, and embrace it as an organizational culture, because I think that's, to me, that's where the true value is. It goes back to roots. I think, Dan, on the mission you set out to, uh, to achieve way back. 
 

One is just really transforming the industry to make it a secure environment.  
 

Robert Booker: My offer would be to, uh, to, uh, I'll use a word Omar used in the AI session this morning. I'd ask you to unlearn a little bit of what you've thought about where HITRUST starts and where we stop, and it is based on an innovation journey and, uh, the performance that we see through the Trust Report is impressive. 
 

It's still not good enough and we know how to make it better, and we're [00:46:00] going to talk about that over the next, the next days, is ways to make the assurance that you receive through the HITRUST ecosystem even higher levels of assurance, continuous monitoring, the things that are really going to. So the world for you and make your jobs easier and make the reliability of your systems, that trustworthiness, even higher, and stepping into spaces that we are, you know, we're new and novel with, like AI. 
 

I think there's some exciting stuff there. So, we, many of us have been with HITRUST for so long, we know it, we know where we think it is, and we think we know what we think the success factors it creates are. I would argue that we are creating much more for you. And I would really invite you to look at when we send things out, when we ask you to consider things, we ask you for feedback, give us the feedback because we are designing something that's exciting for the future and it's based on everything we do today. 
 

Cliff Baker: Yeah, I feel like I'm sounding like a broken record, but I'm kind of reiterating what my colleagues have said here. [00:47:00] Plug into the ecosystem, right? And plug into the ecosystem with a vision towards, uh, in the space. Like, uh, I mentioned RDS, for example, you know, RDS may sound like a technology, but, like, delivering, the point is that we're gonna deliver assurance electronically like that versus pushing documents around to each other, right? 
 

And so that's, that's, that's, that's a step in terms of innovation. That's a step in terms of the right direction in our space. So plug into that, figure out how to adopt it, figure out how to promote it. Because it moves the whole industry and the whole space in the right direction.  
 

Dan Nutkis: Yeah, I, I have not much else to say. 
 

I, I think this, I don't know how many this is. This is, I think, number 13 or 12. I don't remember how many we've had. But, I, I think the value, it's, you know, some people call it a conference. I, I call this a big user group. Uh, and I think the opportunity is just to, to provide feedback. I, you know, HITRUST bases what we [00:48:00] do on what the market tells us, what we perceive, um, you know, where we think the market's going. 
 

And these events are extremely important for us to get that feedback. I think there are, uh, and probably have said this before, but I think this year there are three or four big initiatives that are larger, that are setting out, uh, you know, a direction that we think is pretty exciting. Uh, some that, um, uh, you know, are, are delivering in 24, some, uh, 7, and, and I think those are pretty exciting and, uh, being able to get feedback, uh, from the market on those is going to be important for us, so. 
 

Cliff Baker: Before we adjourn, I want to say, I want to thank Dan for everything, you know, uh, uh, Dan doesn't, doesn't like, doesn't, Dan doesn't like the limelight. Uh, we got him to really dress up for this occasion. He showed up. He showed up and dressed up and, uh, But, but, you know, this is the guy that's [00:49:00] pressing, I mean, you know, if there's anybody behind the scenes, you, like, you wouldn't believe, pressing, pressing for innovation, pressing for progress, pressing for outcomes, pressing for objectives. 
 

And so, he's not, he's not the kind of guy that's out front and center taking credit for all of it, but he's the kind of guy that's making it work behind the scenes. So, before we adjourn, I just, on behalf of all of us that have been involved a long time, I want to say thanks. And 
 

Sean Martin: for showing up and for making this happen. Andrew and Omar. Thank you so much for your insights. Hope everybody enjoyed that. Please enjoy the conference. Connect with each other. We have each other here to learn from. Um, so thank you all. Thank you.