HITRUST CEO Testifies at Congressional Hearing

HITRUST-twitter-200On March 22, 2016, Daniel Nutkis, CEO of HITRUST (@HITRUST) testified at a Homeland Security Committee hearing on the Role of Cyber Insurance in Risk Management in front of the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies.

The purpose of the hearing was to examine the role of cyber insurance in risk management, try to determine what, if anything, the government can do to further the efforts of the cyber insurance market, and encourage companies to better evaluate risk and lower premiums for customers to reinvest in further protecting patients.

During the testimony, Dan Nutkis asserted that along with reducing the overall financial impact of cyber-related incidents or breaches on an organization, cyber insurance and cyber insurance underwriters can play a key role in supporting an organization’s overall risk management strategy and help provide for the “adequate protection” of patient information.
Mr. Nutkis pointed out that insurance underwriters have continuously been investigating ways to efficiently and accurately evaluate risk and help healthcare organizations ensure health information systems and services are adequately protected from cyber risks.

Mr. Nutkis’ testimony further outlined the development process in exploring ways to leverage the HITRUST RMF to allow insurers to better evaluate cyber risk and address three concurrent needs:

  1. Ensure people, processes, and technology elements completely and comprehensively address information and cybersecurity risks;
  2. Identify risks from the use of information by the organization’s business units; and
  3. Facilitate appropriate risk treatments, including risk avoidance, transfer, mitigation, and acceptance.

After many months analyzing the benefits of an underwriting program leveraging a robust risk management framework, HITRUST began educating underwriters on a cybersecurity assessment methodology that would provide the industry with consistent, repeatable, reliable, and precise estimates of cyber-related risk. The HITRUST CSF and CSF Assurance program would provide underwriters with the information they could use to better understand an organization’s residual cyber risk, and apply it to their underwriting process.

HITRUST is working to educate cyber insurers regarding the use of the HITRUST CSF and CSF Assurance program in supporting the cyber risk underwriting process. Insurers have found the HITRUST CSF to offer many advantages over the existing approaches, including providing a comprehensive and mature controls framework, aligning strong controls with risk, and accurately and consistently measuring residual cyber risk.

The testimony added that Allied World U.S., the first company to offer preferred terms and conditions based on meeting the HITRUST CSF certification standards, conducted a review and analysis that determined the HITRUST CSF framework and CSF Assurance methodology will enhance its underwriting program in terms of efficiency, consistency, and accuracy, allowing it to better align the effectiveness of an organization’s security controls with cyber insurance premium levels.

Mr. Nutkis informed the subcommittee that the Allied World review also concluded that organizations that had obtained a HITRUST CSF Certification generally posed lower cyber-related risks than those organizations that have not. The comprehensiveness and improved risk reporting enabled by the HITRUST CSF and the CSF Assessment summary scores in place of many of the standard information security application questions create a more streamlined and consistent application process.

In closing, Mr. Nutkis told the Subcommittee that there are discussions with five other cyber underwriters regarding leveraging this approach, with an expectation that two more will be participating by midyear. HITRUST believes that this approach is a win-win for the healthcare industry, underwriters, and of course, the members and patients whose information they are responsible for safeguarding.