8:00am - 8:30am
Networking Breakfast and Badge Pick Up
America Ballroom

Breakfast will be served in the ballroom, be sure to stop by the sponsor tables.

8:30am - 8:35am
Welcome Remarks
America Ballroom

Editor-in-Chief of Healthcare IT News and Director of Content Development

8:35am - 9:20am

Opening Keynote

Security in an Uber-Connected World
America Ballroom

As first woman to serve as White House chief information officer, and named #4 on IFSEC Global’s list of the world’s Top 50 cybersecurity influencers, Theresa Payton is one of America’s most respected authorities on Internet security, data breaches and fraud mitigation. With real-world strategies and solutions, she helps public and private sector organizations protect their most valuable resources.

Drawing from her experience as a veteran cybercrime fighter and entrepreneur of her successful and rapidly-growing cybersecurity firm, Fortalice, Theresa masterfully blends memorable anecdotes with cutting-edge insights to heighten awareness of the perils of our uber-connected world. As she delves into the cyber-underworld and the new kinds of threats that can lead to tomorrow’s breaches and insider risks, she offers a proven blueprint for audiences to stay ahead with practical steps for thinking like the adversary, while managing cybersecurity risk.

Theresa’s distinct approachability, combined with her visionary perspective and easy-to-implement strategies, effectively prepare audiences for success in the ongoing battle against cybercrime.

Former White House CIO & Cybersecurity Authority and Star on CBS's "Hunted"

9:20am - 9:40am
Introductions & Kickoff
America Ballroom

At all HIMSS events, we strive to secure the best speakers and deliver the most valuable information possible, but in this short session at the start of the forum, we want to hear from you.

Take a few minutes and introduce yourself to fellow attendees at your table, and share why you are attending the forum. This will help facilitate networking and, we hope, create a sense of community and collaboration that will continue throughout the forum. We’ll also then hear from some attendees and speakers and learn what they want to takeaway from the forum.


9:40am - 10:25am

Leadership Panel

Healthcare Security's Second Act - From Prevention to Resilience
America Ballroom

If you think of healthcare security as a three-act play, we are now well into the second act, and orgs that have not kept up (and there are many), face more danger than they likely imagine.

Key second act themes:

  • Healthcare orgs shift resources from prevention to incident response. It’s not if, but when you’ll be breached. To safeguard patient safety and business continuity, organizations must respond and recover quickly.
  • Information sharing has grown in importance.
  • Security leaders recognize the need to optimize existing technology rather than buy the next shiny object.
  • Automation and manage services help offset a shrinking talent pool.
  • Awareness training sits center stage.

The list goes on.

In this session, our expert speakers will discuss these and other key features of healthcare security’s second act. Importantly, they’ll provide guidance to help organizations stuck in the first act move to the second act and create a more resilient security posture.

As for the third act, they’ll have some thoughts on that, too.

Director of Cybersecurity
Senior Director of Information Security
National Healthcare Practice Director
Director, IT Security
Children's National Medical Center
Editor-in-Chief of Healthcare IT News and Director of Content Development
Chief Information Security Officer
Christiana Care Health System

10:25am - 11:00am
Networking Break
America Ballroom

Take this opportunity to mingle with your peers in a relaxed setting to build relationships and establish future partnerships. Coffee will be served in the ballroom area so make sure to stop by our sponsor tables. Networking breaks sponsored by eSentire, Everbridge, Fortinet, Sayers, and Sirius Healthcare.

11:00am - 11:30am
New Generation of Incident Response in Healthcare
America Ballroom

Incident Response is a critical component of the security practice in all organizations, as it enables them to be prepared for the unknown as well as the known and is a reliable method for identifying a security incident immediately when it occurs. Incident response allows an organization to establish a series of best practices to stop an intrusion before it causes damage. How can each industry prepare their own IRP that supports the [1] Identification of positive security incidents, [2] Containment and limiting the damage of the incident and isolating affected systems to prevent further damage, [3] Eradication of the root cause of the incident, and [4] Recovery of affected systems back into the production environment, ensuring no threat remains. This is significant for such a heavily regulated industry such as healthcare.

WorldWide Security Industry Leader - Healthcare, Life Sciences, Government & Education

11:30am - 12:15pm

Tabletop Exercise

Business Continuity After a Ransomware Attack
America Ballroom

Imagine that hackers hit your organization with ransomware and gain full access to your system. Are you prepared to respond quickly and effectively to maintain business continuity and protect patient safety? Or will you go down like the Titanic?

In this tabletop exercise, seasoned business continuity experts set the stage, alerting the “healthcare facility” that it has been hit by ransomware. Then over the next 40 minutes they’ll take attendees on a simulated exercise, outlining the critical steps required to respond successfully to the attack and maintain or restore business continuity as fast as possible.

As the speakers will make clear: Disaster planning is the difference between having the essential tools at your fingertips or not.

Key discussion points

  • How to proactively assess your facility and your business continuity program.
  • Discuss elements of an effective business continuity plan - people, processes, technology
  • How to operationalize the core elements of a business continuity plan.
  • Review CMS’s new emergency preparedness requirements for Medicare and Medicaid providers.
Director of Business Continuity, Emergency Management and Security
Planned Parenthood of the Pacific Southwest
Director of Training and Exercises
Connect Consulting Services
Director of Business Continuity
Connect Consulting Services

12:15pm - 12:30pm
Security and Compliance in Healthcare
America Ballroom

Healthcare institutions and technology vendors provide vital services. Unfortunately, there has been a significant increase in cybersecurity attacks on some of these organizations which has on occasion disrupted their ability to provide their critical services. In addition, millions of patients were affected by healthcare data breaches in 2017. Healthcare data breaches can have a significant lasting impact on the affected individuals. In this session, we will discuss how Google Cloud (including Chrome, G Suite, and GCP) provides a secure platform for healthcare institutions and the steps that we take to make sure we go above and beyond compliance requirements for handling healthcare data.

Head of Product, Healthcare & Life Sciences
Google Cloud

12:30pm - 1:30pm
Networking Lunch
America Ballroom

Take this opportunity to mingle with your peers in a relaxed setting to build relationships and establish future partnerships.

1:30pm - 2:10pm


The Benefits of Full Visibility
America Ballroom

When it comes to security, most organizations still focus on prevention and take a set-it-and-forget-it mentality. Prevention is ideal, but it's inherently flawed and will fail. Remember, it’s not if but when you’ll be breached.

To respond quickly and contain attacks, you need the people, processes, and technology in place to detect and stay one-step ahead of hackers.

On solution, automated continuous security monitoring, can be a life-saver, providing real-time visibility across your organization’s network.

In this session, our expert speakers will discuss the role continuous security monitoring plays in a healthcare security strategy. They’ll also review and help attendees prioritize other threat detection capabilities necessary to identify and squelch the inevitable attacks yet to come.

Associate Chief Information Security Officer
Adventist Health System
Chief Security Strategist
Cybersafe Solutions

1:30pm - 2:10pm

Risk Management

Pro-Active Steps to Protect Your Organization
St. George A/B

As defenders we are outnumbered five to one. What are the proactive steps and defenses that a healthcare security team can take to evaluate threats, vulnerabilities and risks and to prepare and protect payer and provider institutions from attack? 

This panel session will discuss the healthcare threat landscape, vulnerabilities, pen testing and other forms of technical vulnerability assessment, compliance, risk analysis and remediation including effective patch management and the need for compensating security controls and other risk mitigation strategies where patching is not possible.

Deputy Chief Information Security Officer
Partners Healthcare Information Security and Privacy Office
Cybersecurity Evangelist, SVP Chief Security & Trust Officer
HIMSS Privacy & Security Committee & Clearwater
Chief Information Security Officer
Johns Hopkins University & Johns Hopkins Medicine

1:30pm - 2:10pm


Cultivate C-Suite Champions with These Communication Tactics
St. George C/D

Healthcare security professionals all too often explain risks in gobbledygook that senior, non-technical leaders don’t understand – and then wonder why their initiatives go under-funded!

In this presentation, Shakira Brown, an award-winning branding and communications strategist, will help healthcare security leaders avoid this communication breakdown.

Shakira will share tried-and-true communication tactics that connect your organization’s business goals to the negative impact of a potential breach and related down time.

Most importantly, participants will learn a conversational communications approach that encourages trust with senior leaders. This in turn will create a better understanding of the business case for security initiatives and help cultivate champions among senior leaders – champions critical to achieving your goals and protecting your organization.

Chief Executive Officer and Award-Winning PR & Branding Expert
SMB Strategic Media

2:20pm - 3:00pm

Respond & Recover

Evolutions in People, Processes, and Technology
America Ballroom

The changing world of cyberspace can make information security management feel like navigating travel to a distant planet. It can be daunting. Fortunately, the NIST Cybersecurity Framework is a cost-effective, easy to understand guide to help healthcare organizations better manage and reduce cyber risk.

In this session, speakers use the framework to guide a discussion on how healthcare security has evolved from prevention to response. Attendees will learn how security standards like the NIST CSF can be applied to respond and recover from attacks of all shapes and sizes.

Key discussion points

  • Evolutions in the people, process, and technology needed to support the NIST CSF areas for respond and recover phases.
  • Security automation tools.
  • Establish a plan to facilitate rapid, efficient response to reduce the impact of a breach.
  • Lead an internal cultural shift to change attitudes regarding breach response planning.
  • Discuss where the information security role is headed over the next 3-5 years and beyond.
Partner, IT Risk Management
Chief Information Security Officer
Christiana Care Health System

2:20pm - 3:00pm

Insider Threats

Clamping Down on Your Weakest Link
St. George A/B

If you are worried about insider threats, you should be.The Ponemon Institute reported this year that insider threats now account for 87% of all cyber incidents: 64% from privileged user negligence, 23% perpetrated by malicious insiders.

In other words, education at many organizations has failed – as have perimeter defenses, rendered ineffective against increasing sophisticated attacks.

In this session, a leading healthcare attorney draws on security research to show that to reduce insider threats, rather than rely on technology, healthcare organizations must change their mindset and focus more on people and process – and view employees as threat vectors and not innocent victims of cybercrime.

Attorney Barry Herrin discuss six “Big Decisions” organizations must make to mitigate this weakest link. These include:

  • Cutting the cord to social networking and personal email accounts.
  • Treating access as a privilege, not a right.
  • Deciding when to shift from education to punishment.

Barry will then moderate a group discussion with a healthcare risk-management leader and share best practices to help attendees shore up and button down their approach to mitigating insider threats.

Director Privacy & Security Risk Management
Henry Ford Health System
Director, IT Security
Children's National Medical Center
Herrin Health Law

2:20pm - 3:00pm

Usable Security

Designing Human-Centered Cybersecurity
St. George C/D

We build devices, systems, and applications for real people.  Yet, in the world of cybersecurity, most regard humans as the weakest link in the chain. The notion of strong cybersecurity often equates to poor user experience and disregard for the humans who use the technology and data. This approach can weaken your organization’s security profile, generating workarounds or outright indifference.

To be most effective, security must be convenient and user-friendly.

In this session, attendees will learn how to apply human-centered design principles to an organization’s cybersecurity strategy. As our expert speakers will show, this approach improves the user experience and everyone’s security behavior.

Key takeaways:

  • Broaden your perspective on security concerns by using human-centered thinking.
  • Provide a framework for how to evaluate a situation and design human-centered solutions that support strong security.
  • Provide specific human-centered recommendations for various security scenarios.
Health IT Design Lead, Socio-Technical Systems Division
George Tech Research Institute
Branch Chief, Socio-Technical Systems Division
Georgia Tech Research Institute (GTRI)

3:00pm - 3:30pm
Networking Break
America Ballroom

Take this opportunity to mingle with your peers in a relaxed setting to build relationships and establish future partnerships. Coffee will be served in the ballroom area so make sure to stop by our sponsor tables. Networking breaks sponsored by eSentire, Everbridge, Fortinet, Sayers, and Sirius Healthcare.

3:30pm - 4:10pm

Security Think Tank

3rd Party Risk Management Best Practices
America Ballroom

Welcome to the Think Tank!

This highly interactive and fun session leverages the audiences’ collective experience to drive greater value and takeaways. It works like this: For the first 10 minutes, each table discusses individual roadblocks and challenges with 3rd party risk management. Then a designated attendee from each table takes the floor microphone and asks our panel of experts a key question from the table discussion. The goal here is to cater to specific interests of attendees to provide the most pertinent and valuable information possible.

More and more, breach and enforcement activities against covered entities result from the actions or in-actions of third party partners. Poor engagement, oversight, monitoring and dis-engagement often leaves covered entities responsible for all of the risk, fees, and reputational fall out.

In this session, get your questions answered and learn best practices to mitigate 3rd party risk.

Director Privacy & Security Risk Management
Henry Ford Health System
Chief Information Security and Privacy Officer
Einstein Healthcare Network
Vice President and Chief Information Security Officer
First Health Advisory Solutions
Cybersecurity Analyst
St. Luke's Health System

4:10pm - 4:45pm


The Economic Costs of Cybersecurity
America Ballroom

Cybersecurity does not generate revenue, and this makes it difficult to assess how much money to allocate to a cybersecurity budget or predict the economic impact of a successful cyberattack or major breach.

But not impossible.

In this session, Partners HealthCare CISO Jigar Kadakia explains that while there is no exact science to how much money should be allocated to a security budget, it relates directly to: 1. Assessing your risk tolerance; and 2. Quantifying ROI – cost of solution versus potential cost of a breach.

Learning objectives

  • Explain how much an organization should invest in cybersecurity and how to allocate the cybersecurity budget.
  • Outline the economic impact (and potential loss) associated with a successful cyber-attack.
  • Illustrate the costs associated with a major breach of protected health information and/or sensitive information.
  • Additionally, Jigar will discuss the appeal healthcare holds for hackers, your odds of being breach (much more likely than marrying a millionaire), the assets at risk, and the potential costs of a breach to a healthcare organization.
Chief Information Security Officer
Partners HealthCare

4:45pm - 5:25pm

Phishing Quiz Show

Test Your Knowledge - Learn How Not to Get Speared
America Ballroom

Phishing poses a major threat to your organization, and this interactive session will test your knowledge and provide best practices for mitigating these increasingly sophisticated attacks.

Here’s how it works: Our moderator will ask multiple-choice questions based on recently released public-private research on phishing. Attendees will answer via our real-time polling app. Finally, our panel of experts will address the questions and discuss the correct answers more in-depth.

Some sample questions:

  • What’s the difference between spear-phishing and whaling?
  • Phishing is the most common entry point for a breach? Yes or no.
  • List three factors that make people more susceptible to phishing.
  • If you suspect a phishing attack, what’s the first thing you should do?

As this session will prove, learning can be fun, and the information shared will strengthen your organization’s phishing defense.

Principal, Cyber Security Research
Distinguished Technical Architect
Symantec/HIMSS Privacy & Security Committee
Senior IT Director & Chief Information Security Officer
Boston Children's Hospital
Editor-in-Chief of Healthcare IT News and Director of Content Development

5:25pm - 5:30pm
End-of-day Remarks
America Ballroom

Editor-in-Chief of Healthcare IT News and Director of Content Development

5:30pm - 6:30pm
Networking Reception
America Ballroom

After a day of informative and incisive presentations, enjoy a drink and hors d'oeuvres in the Grand Ballroom with your fellow attendees, speakers and sponsors. Networking reception sponsored by ClearDATA and IBM.

Get Updates

Sign up to get the latest information on upcoming events.