How do we statisfy the information privacy and security assurance requests from our customers?

Transcription

1 How can I leverage a single privacy and security assessment with all my customers? how are other organizations addressing third-party risk management? How do we statisfy the information privacy and security assurance requests from our customers? What are the impacts of changing U.S. and International regulations on third-party assurance?

2 Streamlining third party risk management Most agree that third-party assurance is a crucial component of an organization s risk management program. Developing and implementing an effective program, given the increased regulatory oversight, reliance and complexity of outsourced relationships and evolving threat landscape, is a challenging task and one that requires alignment and support internally and with business partners. Also, by engaging, partnering and coordinating with third parties in the risk management process, versus imposing redundant and inconsistent assessment and reporting requirements, greater efficiencies and improved partner relations can be gained, and appropriate risk management can be ensured. The HITRUST Third Party Assurance Summit brings together leaders and experts representing customers, vendors and consultancies in various aspects of risk management to share best practices, lessons learned and effective third-party risk management strategies leveraging the HITRUST CSF Assurance Program and HITRUST Assessment XChange. Additionally, the Summit provides a unique forum for customers, their business partners and vendors to truly collaborate in evolving approaches, ensuring effective communications of appropriate, timely and consumable risk management information. The Summit provides a combination of facilitated discussions, educational sessions and networking opportunities with general sessions and tracks specific to customer or vendor areas of interest. FPO: Art render by Matthew Warlick - drawing of venue?? location city?? Summit Committee Ryan sawyer Staff VP, technology risk & vendor security oversight anthem, inc. Debbie Hutchinson Director IT Audit & third-party assurance availity jutta Williams Program manager, health research Google Omar khawaja VP & ciso highmark Chetana Sankhye Director, Vendor risk management & Technology risk management Kaiser Permanente Hector Rodriguez ciso, WORLDWIDE health Microsoft Bob Smith Senior manager, Technology Compliance Salesforce Bryan sheehan Senior director, enterprise information security unitedhealth group John Houston VP, privacy & Information Security & associate counsel University of Pittsburgh medical center Taylor LehmanN CISO Wellforce P2

3 General sessions will include: Customer s perspective, approach, challenges and issues managing third-party and fourth-party risk Vendor s perspective, approach, challenges and issues in supporting customer third-party assurance requests Collaboration to identify areas of contention and brainstorm solutions Legal and regulatory considerations in the U.S. and internationally Role of continuous monitoring and risk ratings Streamlining the process by leveraging HITRUST Assessment XChange and vendor risk management systems How just one HITRUST CSF assessment can meet all your regulatory and third-party requirements including SOC 2, NIST Cybersecurity, HIPAA, and more Educational sessions will include: Leveraging the HITRUST CSF Assurance and CSF BASICs programs as part of comprehensive risk management strategy Vendor identification and risk classification Vendor engagement and outreach Contractual amendments and contracting process Come learn why the HITRUST CSF Assurance program is the most widely utilized assessment approach for third-party assurance, how to enhance your third-party assurance program, or how to better engage with your partners on this topic. Regardless if you are a customer or vendor, large or small, the HITRUST Third Party Assurance Summit is a great venue to learn, collaborate and be part of the conversation driving change in third-party risk management. For more information or to register, click here. Who Should Attend? Organizations: Any organization that leverages a third-party vendor to support the creation, transport, processing or storage of sensitive information, including health, financial and intellectual information Any vendor or business partner Departments: Information Security Enterprise Risk Internal Audit and Compliance Procurement Vendor Risk Management Finance Legal and Compliance Customer Relationship Management P3

4 Summit Agenda Day 1 Pre-Summit Meetings 9:15 a.m. - 11:30 a.m. Third party assurance council meeting Summit Meetings Customer and Vendor Perspective Sessions: Presentations and panel discussions by customers and vendors sharing their position, perspectives and approaches to effective third-party risk management or customer information assurance requests, respectively. 1:00 p.m. Welcome Michael Parisi, Vice President -- Assurance Strategy & Community Development, HITRUST Michael odenwald, Vice President -- Third party programs, strategic accounts & Partnerships, HITRUST 1:15 p.m. 1:45 p.m. 2:45 P.m. 3:00 P.m. 4:00 p.m. Programmatic Considerations for Organizations Learn about common challenges in establishing a Third Party Risk Management program and what various stakeholders within organizations care about. Jutta Williams, Program Manager Health Research, Google Michael Parisi, Vice President -- Assurance Strategy & Community Development, HITRUST Taylor Lehmann, CISO, Wellforce Customer perspectives Customers share their perspectives and challenges around implementing an effective third-party assurance program. Debbie Hutchinson, Director - IT Audit & Third Party Assurance, Availity Phil Curran, Chief Information Assurance & Privacy Officer, Cooper University Healthcare Bryan Sheehan, Senior Director, Enterprise Information Security, Unitedhealth Group John Houston, Vice President, Privacy & Information security & Associate Counsel, UPMC break Vendor perspectives Vendors and business partners share their perspectives and challenges in meeting customers information requests efficiently. MIKE SWYT, VP INFORMATION SECURITY RISK MANAGEMENT, CHANGE HEALTHCARE HECTOR RODRIgUEZ, HEALTH Ciso, MICROSOFT LEE PENN, cfo, PDHI BOB SMITH, SENIOR MANAGER TECHNOLOGY COMPLIANCE, SALESFORCE How states impact health information exchanges Learn how various states are ensuring health information exchanges have effective information assurance. Mark jacobs, CIO, Delaware health information network CHRISTIE HALL, PROGRAM MANAGER DIVISION OF HEALTHCARE INNOVATION, NY STATE DEPARTMENT OF HEALTH P4

5 Summit Agenda Day 1 Continued... 4:30 p.m. 6-9:00 p.m. Legal and regulatory considerations in the U.S.. and internationally Learn about the latest developments in the state, federal and international regulation and enforcement of privacy and security, including a legal perspective on third-party assurance and what companies are obligated to do under GDPR. KIRK NAHRA, PARTNER, WILEY REIN networking reception Summit Agenda Day 2 Education sessions Sessions will focus on transferring knowledge and outlining best practices on key areas relevant to third-party assurance and will be further segregated into tracks for customers and vendors. 9:00 a.m. Collaboration + Leadership + HITRUST CSF Assurance = Win for Everyone OMAR KhaWAJA, vp & CISO, HIGHMARK MICHAEL PARISI, Vp, ASSURANCE STRATEGY & COMMUNITY DEVELOPMENT, HITRUST 10:00 a.m. customer track Third Party Identification and Risk Ranking DOUG PETERSON, CISO, GREAT-WEST FINANCIAL Dennis Quandt, Director, risk assurance, Pwc vendor track Leveraging Information Privacy and Security as a Competitive Advantage TBD, Blue Cross Blue Shield Association travis good, CEO & Co-founder, DATICA 11:00 a.m. Third Party Outreach and Communications Ryan sawyer, Staff vp, technology Risk & vendor security oversight, ANTHEM Chetana Sankhye, director - vendor risk management & technology management, Kaiser Permanente Improving Information Security and Reporting to Meet the Requirements of Your Customers RICK GILMORE, DIRECTOR -- CORPORATE SECURITY INFORMATION RISK MANAGEMENT, COGIZANT BRENDA MAGRI, DIRECTOR, RISK MANAGEMENT BILLER SOLUTIONS, FISERV 12:00 p.m. 12:45 p.m. THIRD PARTY (& FOURTH PARTY) ASSURANCE-RELATED CONTRACTS IMPLICATIONS AND APPROACHES BRENDA CALLAWAY, DIVISIONAL VP -- INFORMATION SECURITY RISK MANAGEMENT, HCSC TIM BELARDI, DIRECTOR -- GRC TECHNOLOGY & THIRD PARTY RISK MANAGEMENT, HIGHMARK Lunch What to Expect When Undergoing a CSF Assessment ANDREW HICKS, managing principal, Healthcare & Life sciences, COALFIRE chad phillips, risk & financial advisory Director, DELOITTE & Touche LLC KEN VANDER WAL, CHIEF COMPLIANCE OFFICER, HITRUST P5

6 1:45 p.m. 3:00 p.m. HITRUST considerations for the future Michael Parisi, Vice President -- Assurance Strategy & Community Development, HITRUST Michael frederick, Vice President -- operations, HITRUST elie nasrallah, director -- cyber security strategy, HITRUST Closing remarks Michael odenwald, Vice President -- Third party programs, strategic accounts & Partnerships, HITRUST Post-Summit Meeting 3:30 P.m. CSF assessor council meeting P6

7 Registration: HITRUST Third Party Assurance Summit 2018 Hyatt Regency O Hare February 20-21, 2018 Chicago, IL To register, click here Learn more about the other conversations taking place around information security, privacy and risk management in the HITRUST storyboard series at Hitrustalliance.net/Stories/