Summit Committee - HITRUST

How are other organizations addressing third-party risk management? How do we satisfy the information privacy and security assurance requests from our customers? How can I leverage a single privacy and security assessment with all my customers? What are the impacts of changing U.S. and international regulations on third-party assurance?

Upload: hoangtruc

Post on 06-Mar-2018


Streamlining third party risk management

Most agree that third-party assurance is a crucial component of an organization’s risk management program. Developing and implementing an effective program, given the increased regulatory oversight, reliance and complexity of outsourced relationships and evolving threat landscape, is a challenging task – and one that requires alignment and support internally and with business partners.

Also, by engaging, partnering and coordinating with third parties in the risk management process, versus imposing redundant and inconsistent assessment and reporting requirements, greater efficiencies and improved partner relations can be gained, and appropriate risk management can be ensured.

The HITRUST Third Party Assurance Summit brings together leaders and experts representing customers, vendors and consultancies in various aspects of risk management to share best practices, lessons learned and effective third-party risk management strategies leveraging the HITRUST CSF Assurance Program and HITRUST Assessment XChange. Additionally, the Summit provides a unique forum for customers, their business partners and vendors to truly collaborate in evolving approaches, ensuring effective communications of appropriate, timely and consumable risk management information.

The Summit provides a combination of facilitated discussions, educational sessions and networking opportunities with general sessions and tracks specific to customer or vendor areas of interest.

Summit Committee

Ryan Sawyer, Staff VP, Technology Risk & Vendor Security Oversight, Anthem, Inc.

Debbie Hutchinson, Director IT Audit & Third-Party Assurance, Availity

Jutta Williams, Program Manager, Health Research, Google

Omar Khawaja, VP & CISO, Highmark

Chetana Sankhye, Director, Vendor Risk Management & Technology Risk Management, Kaiser Permanente

Hector Rodriguez, CISO, Worldwide Health, Microsoft

Bob Smith, Senior Manager, Technology Compliance, Salesforce

Bryan Sheehan, Senior Director, Enterprise Information Security, UnitedHealth Group

John Houston, VP, Privacy & Information Security & Associate Counsel, University of Pittsburgh Medical Center

Taylor Lehmann, CISO, Wellforce


General sessions will include:

• Customer’s perspective, approach, challenges and issues managing third-party and fourth-party risk
• Vendor’s perspective, approach, challenges and issues in supporting customer third-party assurance requests
• Collaboration to identify areas of contention and brainstorm solutions
• Legal and regulatory considerations in the U.S. and internationally
• Role of continuous monitoring and risk ratings
• Streamlining the process by leveraging HITRUST Assessment XChange and vendor risk management systems
• How just one HITRUST CSF assessment can meet all your regulatory and third-party requirements including SOC 2®, NIST Cybersecurity, HIPAA, and more

Educational sessions will include:

• Leveraging the HITRUST CSF Assurance and CSF BASICs programs as part of comprehensive risk management strategy
• Vendor identification and risk classification
• Vendor engagement and outreach
• Contractual amendments and contracting process

Come learn why the HITRUST CSF Assurance program is the most widely utilized assessment approach for third-party assurance, how to enhance your third-party assurance program, or how to better engage with your partners on this topic. Whether you are a customer or vendor, large or small, the HITRUST Third Party Assurance Summit is a great venue to learn, collaborate and be part of the conversation driving change in third-party risk management. For more information or to register, click here.

Who Should Attend?

Organizations:

• Any organization that leverages a third-party vendor to support the creation, transport, processing or storage of sensitive information, including health, financial and intellectual information
• Any vendor or business partner

Departments:

• Information Security
• Enterprise Risk
• Internal Audit and Compliance
• Procurement
• Vendor Risk Management
• Finance
• Legal and Compliance
• Customer Relationship Management


Pre-Summit Meetings

9:15 a.m. - 11:30 a.m. Third party assurance council meeting

Summit Meetings

Summit Agenda Day 1

Customer and Vendor Perspective Sessions: Presentations and panel discussions by customers and vendors sharing their position, perspectives and approaches to effective third-party risk management or customer information assurance requests, respectively.

1:00 p.m. Welcome

Michael Parisi, Vice President -- Assurance Strategy & Community Development, HITRUST

Michael Odenwald, Vice President -- Third Party Programs, Strategic Accounts & Partnerships, HITRUST

Programmatic Considerations for Organizations

Learn about common challenges in establishing a Third Party Risk Management program and what various stakeholders within organizations care about.

Jutta Williams, Program Manager – Health Research, Google

Michael Parisi, Vice President -- Assurance Strategy & Community Development, HITRUST

Taylor Lehmann, CISO, Wellforce

Customer Perspectives

Customers share their perspectives and challenges around implementing an effective third-party assurance program.

Debbie Hutchinson, Director - IT Audit & Third Party Assurance, Availity

Phil Curran, Chief Information Assurance & Privacy Officer, Cooper University Healthcare

Bryan Sheehan, Senior Director, Enterprise Information Security, UnitedHealth Group

John Houston, Vice President, Privacy & Information Security & Associate Counsel, UPMC

Break

Vendor Perspectives

Vendors and business partners share their perspectives and challenges in meeting customers' information requests efficiently.

Mike Swyt, VP – Information Security Risk Management, Change Healthcare

Hector Rodriguez, Health CISO, Microsoft

Lee Penn, CFO, PDHI

Bob Smith, Senior Manager – Technology Compliance, Salesforce

How States Impact Health Information Exchanges

Learn how various states are ensuring health information exchanges have effective information assurance.

Mark Jacobs, CIO, Delaware Health Information Network

Christie Hall, Program Manager – Division of Healthcare Innovation, NY State Department of Health


1:15 p.m.

3:00 p.m.

4:00 p.m.

1:45 p.m.

2:45 p.m.

Education sessions

Summit Agenda Day 2

Sessions will focus on transferring knowledge and outlining best practices on key areas relevant to third-party assurance and will be further segregated into tracks for customers and vendors.

9:00 a.m. Collaboration + Leadership + HITRUST CSF Assurance = Win for Everyone

Omar Khawaja, VP & CISO, Highmark

Michael Parisi, VP, Assurance Strategy & Community Development, HITRUST

Customer track / Vendor track

Third Party Identification and Risk Ranking

Doug Peterson, CISO, Great-West Financial

Dennis Quandt, Director, Risk Assurance, PwC

Third Party Outreach and Communications

Ryan Sawyer, Staff VP, Technology Risk & Vendor Security Oversight, Anthem

Chetana Sankhye, Director - Vendor Risk Management & Technology Management, Kaiser Permanente

Leveraging Information Privacy and Security as a Competitive Advantage

TBD, Blue Cross Blue Shield Association

Travis Good, CEO & Co-founder, Datica

Improving Information Security and Reporting to Meet the Requirements of Your Customers

Rick Gilmore, Director -- Corporate Security Information Risk Management, Cognizant

Brenda Magri, Director, Risk Management – Biller Solutions, Fiserv

Lunch

Third Party (& Fourth Party) Assurance-Related Contracts Implications and Approaches

Brenda Callaway, Divisional VP -- Information Security Risk Management, HCSC

Tim Belardi, Director -- GRC Technology & Third Party Risk Management, Highmark

What to Expect When Undergoing a CSF Assessment

Andrew Hicks, Managing Principal, Healthcare & Life Sciences, Coalfire

Chad Phillips, Risk & Financial Advisory Director, Deloitte & Touche LLC

Ken Vander Wal, Chief Compliance Officer, HITRUST

10:00 a.m.

11:00 a.m.

12:00 p.m.

12:45 p.m.

Legal and regulatory considerations in the U.S. and internationally

Learn about the latest developments in the state, federal and international regulation and enforcement of privacy and security, including a legal perspective on third-party assurance and what companies are obligated to do under GDPR.

Kirk Nahra, Partner, Wiley Rein

Networking reception

4:30 p.m.

Summit Agenda Day 1 Continued...

6-9:00 p.m.


Post-Summit Meeting

3:30 p.m. CSF assessor council meeting

HITRUST considerations for the future

Michael Parisi, Vice President -- Assurance Strategy & Community Development, HITRUST

Michael Frederick, Vice President -- Operations, HITRUST

Elie Nasrallah, Director -- Cyber Security Strategy, HITRUST

Closing remarks

Michael Odenwald, Vice President -- Third Party Programs, Strategic Accounts & Partnerships, HITRUST

1:45 p.m.

3:00 p.m.


Registration:

HITRUST Third Party Assurance Summit 2018

Hyatt Regency O’Hare

February 20-21, 2018

Chicago, IL

To register, click here

Learn more about the other conversations taking place around information security, privacy and risk management in the HITRUST storyboard series at Hitrustalliance.net/Stories/