To round out National Cybersecurity Awareness Month, we interviewed our client, Bezawit Sumner, Director of Security and Compliance at CRISP, Maryland’s formally designated healthcare information exchange.
Facing increased pressure from regulators requiring healthcare organizations to maintain stronger data controls, CRISP worked with Hartman to find a more systematic way to maintain its information risk management and regulatory compliance programs. With Hartman's help, CRISP implemented the controls, policies and processes needed to achieve HITRUST certification, a framework designed specifically for the healthcare environment.
We talked to Bezawit about her role within the organization, CRISP’s cybersecurity training efforts, and how they are adapting to the “new normal” as a result of COVID-19.
Broadly, what is CRISP doing related to cybersecurity?
CRISP has implemented a risk-based security management program. We adopted the HITRUST Common Security Framework (CSF) a few years back and continue to use the maturity model to strengthen our security posture. This approach allows CRISP to consistently measure the effectiveness of our controls and adjust as needed to further enhance security and manage risk.
From a technical controls standpoint, we have a patch and vulnerability management program and security tools such as a next-gen web application firewall (WAF), a security information and event management (SIEM) tool with a managed service provider providing tier 1 support, file integrity monitoring (FIM), a next-gen firewall, and data loss prevention (DLP). As part of our maturity model, we are currently engaged in a proof of concept to deploy a network monitoring tool.
CRISP is also aligned with the industry-standard Electronic Healthcare Network Accreditation Commission (EHNAC), which focuses on data security, data transmission and resource capability. Finally, as a state-designated health information exchange (HIE), we undergo various assessments including SOC 2, HIPAA, COMAR and cybersecurity testing, all in accordance with federal and state regulatory requirements.
Who is in charge of cybersecurity at CRISP?
As the Director of Security and Compliance, I lead the cybersecurity program at CRISP. Our team is made up of a Senior Cybersecurity Analyst, Junior Security Analysts, a Privacy Project Manager, a Security Program Manager and a CISO advisor from Hartman Executive Advisors. Previously, I was responsible for the internal security and privacy audit activity and developed a broad understanding of the CRISP environment and its requirements for in-depth security management. When the leadership role opened, I was selected to assume that position. I believe that the key characteristics that influenced my selection were my understanding of CRISP's mission and programs, my organization, attention to detail and discipline, and my ability to communicate effectively.
How important is employee training related to cybersecurity? What successes have you had? Any surprises?
Employee training is integral to an effective cybersecurity program since employees are the first line of defense, the “human firewall” so to speak. And as an organization, we are only as strong as our weakest link. To mobilize this effort, we require robust cybersecurity training when we onboard new employees and send additional cybersecurity training exercises throughout the year. We configured a “report phish” button in the email task bar that makes it easy for employees to report suspicious emails. Additionally, we send out various types of phishing campaign tests both internally and from independent third-party vendors to test employees on an ongoing basis.
How has COVID-19 affected your cybersecurity efforts? What changes had to take place?
The sudden change to accommodate full remote work as a result of COVID created an urgency to address a much broader set of security requirements because of our inability to rely on in-person structure and services, as well as the significantly increased need to support BYOD. Like many others in the industry, we are exploring a Zero Trust strategy. In this strategy, nothing will be trusted to connect to our systems until verified. This will continue to offer all employees an optimal working environment, while maintaining the security and privacy standards that our stakeholders expect.
Hartman's risk management professionals have extensive experience working with clients to assess their cybersecurity risks and determine which risk mitigations are most effective for their organization's security goals. Learn more about our risk management consulting services or request a consultation.