SI 2019 CISO Summit Highlights

The SI 2019 CISO Summit sponsored by Deloitte was held October 24 & 25. Co-hosts CHRISTUS VP and CISO Fernando Blanco and BayCare VP and CISO Thien Lam welcomed 21 chief cybersecurity officers and other healthcare IT security executives from across the country to the CISO Summit convened at the Hyatt Regency on the beautiful San Antonio River Walk.

Deloitte’s Raj Mehta kicked off the two-day meeting with a “Cyber Breakout Room” exercise that used an escape-room-style game to foster deeper security awareness. Participants were dared to solve seven challenges within 20 minutes, all focused on unlocking a laptop infected with ransomware. Seven security executive volunteers did it in eight minutes, breaking the previous Deloitte record of 11 minutes! The record-setting game participants included Ron Mehring, Michael Erickson, Alex Ludwinek, Mike Czumak III, Tom August, Preston Jennings and Scott Dresen.

To wrap up the afternoon session, the group tackled “Next-Generation Cybersecurity: Trends and Issues,” exploring the challenges and complexities in the context of healthcare trends such as consumerism, interoperable data and the cloud. Discussion focused on the characteristics of healthcare transformation in the context of:

  1. Agility;
  2. Increasing complexity of ecosystems & alliances;
  3. Explosion of connected devices, wearables, IoT & medical devices;
  4. User-friendliness of cyber-risk prevention tactics;
  5. Digital privacy in an era of data sharing; and
  6. Artificial intelligence-related cyber-risk management considerations.

“It’s All About the Data” chart

On Day 2, CHRISTUS’ Fernando Blanco introduced case study presentations focused on next-level technical architecture:

  • Memorial Sloan Kettering Cancer Center’s AWS Hybrid Cloud Architecture Design, presented by Mike Czumak, VP & CISO, MSKCC
  • Cloud Security and O365, presented by Preston Jennings, EVP Information Security & CISO, Trinity Health

On cloud, virtual and remote monitoring:

  • Texas Health Resources’ Continuous Monitoring, Event Triage & Reporting, presented by Ron Mehring, VP Technology and Security & CISO, THR
  • Trinity’s Threat Intelligence Investments/Results, presented by Preston Jennings, CISO, Trinity Health

On board and executive management reporting:

  • Strategic Business Risk/Cyber Controls, presented by Tom August, VP & CISO, John Muir Health
  • Offshore Exception Tracking/Reporting, presented by Fernando Blanco, CHRISTUS Health

On future business-model infrastructure:

  • Business Model Evolution, presented by Mike Gomez, VP & CISO, Bon Secours Mercy Health
  • Workforce of the Future, presented by Michael Erickson, CISO, Baptist Health

Fernando Blanco, Thien Lam, and SI Executive Director Janet Guptill wrapped up the 2019 SI CISO Summit by summarizing the sessions, placing them in the context of the ongoing healthcare cybersecurity conversation nationally and globally, and then inviting everyone to the 2020 SI CISO Summit to be hosted by Baptist Health in Louisville in May 2020.

Summit Attendees

Thomas August

VP and CISO, John Muir Health

Tom August (CISSP, CPHIMS) is an award-winning CISO and respected industry leader with over 25 years of experience in Information Security, IT Auditing and Risk Management. Tom has made a career of developing, implementing and managing financially responsible cyber programs that effectively balance risk, regulatory requirements and strategic business goals.

Tom currently serves as Vice President & Chief Information Security Officer for John Muir Health, a nationally recognized healthcare leader comprised of two acute care hospitals, a behavioral health center and community health practices located throughout the East San Francisco Bay Area. As CISO, Tom has overall responsibility for assessing, measuring, addressing and reporting on technology risk and compliance matters across the entire health system.

Prior to joining John Muir, Tom served in leadership roles at Sharp Healthcare, Sony Corporation, Pacific Life Insurance Company, Deloitte and Ernst & Young. Tom is a co-author of “The CISO Handbook”, an alumnus of the FBI CISO Academy, and a frequent presenter at healthcare and information security industry events. Tom is widely recognized for publishing a popular Information Security Buzzword Bingo Scorecard each year to highlight the need for more meaningful dialogue between information security professionals, vendors and business leaders.

Posted December 2019

     

Fernando Blanco

VP and CISO, CHRISTUS Health

Fernando Blanco is Vice President and Chief Information Security Officer at CHRISTUS Health, one of the nation’s largest Catholic healthcare delivery systems. He is responsible for the Cybersecurity program supporting CHRISTUS Health’s delivery network across four states, in four countries and in more than 300 locations. Prior to his experience in Healthcare, Mr. Blanco worked in domestic and international information security roles in the consumer products industry. Mr. Blanco lectures in areas of Cybersecurity and IT General Controls.

Updated March 2017

Chris Convey

VP and CISO, Sharp HealthCare

Chris has extensive leadership experience in information and technology risk, cyber security, IT operations and cloud technologies. Before his current role at Sharp, Chris was CIO and CISO at Millennium Health where he led development, operations and security of all company systems, including their recent lab information system custom built and deployed in Amazon Web Services. Prior to Millennium Health, Chris was the enterprise HIPAA Security Program leader at Kaiser Permanente, where he launched and led the strategic plan to improve organizational compliance with the HIPAA Security Rule and other regulations. This required working cross-functionally with medical groups, health plan and hospital operations, C-level leaders and regulators. Prior to that Chris was Director, Technology Risk and Security Consulting at PwC, where he advised Fortune 500 companies in all aspects of business and technology improvement.

Updated October 2018

Michael Czumak, III

VP and CISO, Memorial Sloan Kettering Cancer Center

I have over 11 years’ experience in IT and Information Security. My primary role is developing and leading an application security and penetration testing program, performing hands-on testing of a variety of systems, devices, and applications (web, desktop and mobile applications, medical devices, etc.).

My primary areas of interest and core competencies are application security, penetration testing, and Windows OS security, and I spend the majority of my free time researching these and related topics. Please visit my website to see more of my research interests: http://www.securitysift.com.

Published Exploits: http://www.exploit-db.com/author/?a=6450

Other Published Advisories/CVEs: http://osvdb.org/creditees/11091-mike-czumak

Regular Hands-on Experience with:
– Pentesting suites / tools (Kali, Metasploit, Burpsuite, Nmap, Sqlmap, etc.)
– Debugging / Reversing / Binary Analysis (Immunity, WinDbg, IDA Pro, JPEXS, etc.)
– Programming / Scripting languages (C/C++, Assembly, Python, Perl, Ruby, PHP, JavaScript)
– Web / Database Platforms (IIS, Apache, MS-SQL, MySQL, Oracle, Sybase, etc.)
– Other: Vulnerability Scanners, DLP, Network analysis, etc.

Recognized by multiple organizations for security contributions including: Microsoft, Apple, Adobe, PayPal, eBay, Sony, and Etsy

Practical Professional Certifications: OSCE, OSCP

Other certifications: CISSP, CISM, CNSS 4012, Six Sigma Green Belt, CompTIA Security+/Network+/A+/Project+

Updated November 2018

Scott D. Dresen, MBA, FACHE, FHIMSS

SVP and CTO/CISO at Spectrum Health

Scott Dresen is senior vice president & CTO/CISO, information services, for Spectrum Health, a billion not-for-profit integrated health system based in West Michigan. As the chief technology and information security officer, Scott is accountable for leading the enterprise technology and information security functions for Spectrum Health and Spectrum Health entities. Responsibilities include enterprise operations, enterprise and cloud infrastructure management, enterprise architecture, and enterprise security. Key to success in this role is effective collaboration with the respective executive leadership teams at the system level and within each SH subsidiary to establish service offerings and expectations, service levels, and to refine the shared service delivery model as necessary.

Prior to joining Spectrum Health in 2007, Scott served as chief information officer for the Wayne State University Physician Group, where he was responsible for the strategic growth and development of the information technology services department, which supported the multispecialty group practice and the Wayne State University School of Medicine.

Additionally, Scott has significant experience delivering innovative information technology solutions in academic, for-profit, and not-for-profit health care systems and has published articles on a variety of technology topics including wireless technology for physician practices, directory services, security, and the application of technology in a clinical environment.

He holds a Bachelor of Science in sociology with a minor in computer science from the University of Minnesota and a master’s degree in business administration from the University of Michigan.

Scott is a fellow of the American College of Healthcare Executives and a fellow of the Healthcare Information and Management Systems Society. Scott is an ISACA® Certified Information Security Manager, an (ISC)2 Certified Information Systems Security Professional and a HIMSS Certified Professional in Healthcare Information and Management Systems.

Updated November 2019

Michael Erickson

CISO, Baptist Health

Michael Erickson is chief information security officer (CISO) for Baptist Health. In this role, which he has held since Nov. 1, 2016, he works in collaboration with the system’s clinical, information technology and compliance departments, serving as a member of the system Enterprise Risk Management committee to oversee all facets of the system’s Information Security Risk Management programs.

Erickson joined Baptist Health in January 1995 and was named system director of IT Infrastructure and HIPAA Security officer in 2005. In 2014, he was named executive director of IT Infrastructure and Security.

Erickson earned a bachelor’s degree in mathematics from Hanover College in 1994 and an MBA from Vanderbilt University in 2010. He is a member of the Governing Body of the Evanta Cincinnati CISO Executive Summit, a member of the Kentucky chapter of Infragard, a non-profit organization that serves as a public-private partnership between U.S. businesses and the Federal Bureau of Investigation, and a graduate of the Kentucky Federal Bureau of Investigation Citizens Academy.

Learn more about Baptist Health at BaptistHealth.com

Updated December 2016

Michael Gomez

VP and CISO, Bon Secours Mercy Health

Michael Gomez is VP, CISO for Bon Secours Mercy Health. In this role, he is responsible for the technical security control environment and risk oversight across 7 states, 43 hospitals, 1,000 points of care, and 57,500 employees. Prior to the merger of Bon Secours and Mercy, Gomez worked at Bon Secours in various technology and security management roles spanning over 20 years. Outside the healthcare provider space, Gomez has technology leadership experience in the defense, computer game development and energy industries.

Gomez has a Master of Business Administration from The Ohio State University, Columbus, Ohio, and an undergraduate degree in Business from the University of Baltimore, Baltimore, Maryland. In addition, he has been certified as a Project Management Professional by the Project Management Institute, as a Certified Healthcare CIO by the College of Healthcare Information Management Executives (CHIME), and as a Healthcare Information Security and Privacy Practitioner by ISC2.

Posted December 2019

Todd Greene

AVP and CISO, Atrium Health

Todd Greene is the AVP and CISO for Atrium Health. Todd has been with Atrium Health, formerly Carolinas HealthCare System, for more than 17 years, much of that time in the Information Security Department. He is a founding member of Atrium Health’s cybersecurity team dating back to 2000. He has a bachelor’s degree in Computer Science concentrating in Electrical Engineering and holds the CISSP certification.

Atrium Health operates as an innovative healthcare organization. Atrium Health provides a full spectrum of healthcare and wellness programs throughout North and South Carolina. Their diverse network of more than 900 care locations includes academic medical centers, hospitals, healthcare pavilions, physician practices, destination centers, surgical and rehabilitation centers, home health agencies, nursing homes, and hospice and palliative care. Atrium Health works to improve and enhance the overall health and well-being of its communities through high quality patient care, education and research programs, and a variety of collaborative partnerships and initiatives.

Updated March 2019

Kevin Hamel

CISO, Baystate Health

Kevin has nearly 25 years of experience and proven leadership in cybersecurity and IT management in the financial and healthcare sectors. Prior to joining Baystate Health, Kevin was the Chief Information Security Officer for COCC, a managed IT services provider for banks and credit unions. He was at COCC for over 13 years and led cyber and physical security as well as corporate risk management. Prior to COCC, he was Vice President of Information Technology at PeoplesBank in Holyoke, and he also worked at Dow Jones & Company early in his career.

Kevin holds a Bachelor’s degree in Computer Science from Westfield State University, and an MBA from Western New England University. He is a Certified Information Security Manager and is a 2016 graduate of the FBI’s Citizens Academy program. He is a member of the External IT Advisory Board at Western New England University, and is a member of the Bay Path University Cybersecurity Advisory Council.

While in the financial industry, Kevin served on the FS-ISAC Education Committee, the MassBankers Cybersecurity Task Force, and frequently spoke at industry events.

Posted November 2019

James L. Hanson

Regional Information Security Officer, Avera Health

James L. Hanson (Jim) has over 30 years of senior management experience in the healthcare, insurance and financial services sectors. His career has spanned organizations from Fortune 500 companies to information security start-ups. In his current role at Avera Health he has overall responsibility for information security as well as being the regional information officer for a subset of Avera’s facilities.

Jim has participated in and served on several industry, technology and community groups over the years. He and his wife Deb reside in Sioux Falls, SD and have two grown daughters.

Updated December 2016

Todd Hill

Director, IT Security and Deputy CISO, Baptist Health

Todd Hill is a member of Baptist Health’s cyber security leadership team. He is responsible for the implementation and management of Baptist’s enterprise security architecture, threat detection & response, and vulnerability management capabilities.

Hill joined Baptist in March 2015 as an information security officer and transitioned into a leadership role on the team in October 2016. Prior to joining Baptist Health, he worked in various IT leadership and project management roles for Catholic Health Initiatives and LG&E and KU Energy.

Hill received his Bachelor’s degree in Biology from Hanover College and an MBA from the University of Louisville. He holds certifications as a Project Management Professional (PMP), Healthcare Information Security & Privacy Practitioner (HCISPP), and Certified Information Systems Security Professional (CISSP). Hill is a member of the Healthcare Information and Management System Society (HIMSS) and the Kentucky chapter of Infragard.

Learn more about Baptist Health at BaptistHealth.com.

Posted December 2019

Preston Jennings

EVP, Information Security and CISO, Trinity Health

Preston Jennings is the EVP, Information Security and Chief Information Security Officer for Trinity Health, a .3 B healthcare provider with 120,000 employees, operating in 22 states.

Preston joined Trinity Health in 2016 from PricewaterhouseCoopers, where he was the CISO of the US firm for 8 years, building their Information Security Program, including ownership of their Information Security Policy, Incident Response, and build-out/implementation of their first Security Operations Center. Prior to his role as CISO at PwC, Preston was a Director in PwC’s consulting practice for 10 years, where he worked with over 40 Fortune 500 clients, addressing a broad range of security topics from Ethical Hacking to design and deployment of security solutions.

Thien Lam

VP and CISO, BayCare Health System

Thien Lam currently serves as Vice President and Chief Information Security Officer for BayCare Health System (BayCare) in Clearwater, Florida. His responsibilities include Information Security and IS Compliance.

Thien has over 25 years of experience in information technology. Prior to joining BayCare in 2011, he served as Director of IT Security Systems and Data Security Officer for the Methodist Hospital System in Houston, Texas. Prior to working at Methodist, Thien was the Associate Director of Information Security at MD Anderson Cancer Center in Houston, Texas. He held security management positions at the Kelsey-Seybold Clinic and eBaseOne. In addition, he has experience in Oil and Gas as well as the Software as a Service industry.

Thien earned a bachelor’s degree in computer science from Northeastern State University in Oklahoma. He is a member of the College of Healthcare Management Executives (CHIME) and eHealth Initiative (eHI) Washington DC.

Updated October 2017

Mark Lantzy

SVP and CIO, Indiana University Health; President, IU Health Plans

Mark Lantzy is the senior vice president and chief information officer at Indiana University Health, Indiana’s leading healthcare system. He is responsible for overseeing information services, including strategic planning, operations and project delivery for the 15-hospital system. He is also the president of IU Health Plans, the 200,000-member health insurance arm of IU Health that offers Medicare Advantage, individual and family, and commercial plans.

Lantzy has more than 20 years of leadership experience in the healthcare field, and was the chief operating officer and chief information officer at Gateway Health, a managed care organization based in Pittsburgh, prior to joining IU Health in 2016. He also was a senior information technology leader at WellCare Health Plans, Aetna, and Accenture. He holds an M.S. in defense science from George Washington University and a B.A. in mathematics from St. Vincent College.

Named among the “Best Hospitals in America” by U.S. News & World Report for 19 consecutive years, IU Health is dedicated to providing a unified standard of preeminent, patient-centered care. A unique partnership with Indiana University School of Medicine, one of the nation’s leading medical schools, gives its highly skilled physicians access to innovative treatments and the latest research and technology.

Alex Ludwinek

Director of Cyber Risk Management and IAM, Memorial Hermann Health System

Alex Ludwinek is the Director of Cyber Risk Management and IAM at Memorial Hermann Health System. In this role Alex leads governance, risk and compliance efforts along with the automated management of user accounts and access.

Prior to his current role Alex was the Cybersecurity Engagement Manager at HP, Manager in Deloitte’s Cyber Risk Services practice and Manager in Meditology’s IT Risk Management practice. In his early career he was a server and network administrator before transitioning into information security, where he has found his home for the last 9 years.

Alex holds a B.S. in Information Technology from RIT along with the CISSP, CRISC and CIPP certifications.

Posted December 2019

Kathryn McClellan CHCIO

SVP and CIO, Froedtert Health

Kathryn McClellan is an outstanding senior-level executive with over 20 years’ experience in nursing, healthcare operations and information technology that spans the provider, vendor and consulting sectors. She has vast experience in operations management, strategic planning, process redesign, information system design/implementation and technology solutions that enhance patient-centered care and clinical outcomes. She excels in a complex, fast-paced environment where leadership, change, and large-scale project implementations are required.

Posted May 2019

Ron Mehring MBA, CISSP

CISO, VP of Technology & Security, Texas Health Resources

Ron Mehring serves as the Chief Information Security Officer and Vice President of Technology & Security for Texas Health Resources, one of the largest faith-based, nonprofit health care delivery systems in the United States. The system’s primary service area includes 16 counties in north-central Texas, home to more than 6.2 million people.

At Texas Health Resources, Ron leads the Technology Operations, IT Risk Management & Assurance, IT BC/DR program, and Technology & Security Performance and Standards teams.

Ron began his career in technology for the United States Marine Corps. After 21 years of military service, Ron retired from the Marine Corps and joined the Department of Veterans Affairs, where he led Compliance Assessment teams within the newly formed Oversight & Compliance group. He also served as the Department of Veterans Affairs’ Deputy Director for Network & Security Operations.

Ron holds a Master of Business Administration in Risk Management from NYIT and is a Certified Information Systems Security Professional (CISSP).

Posted December 2019

Brad Sanford

CISO, Emory University, Emory Healthcare

Brad Sanford currently serves as the Chief Information Security Officer for Emory University where he has overarching information security responsibilities for both Emory University and Emory Healthcare. Brad has over 25 years of IT and information security leadership experience working for organizations such as Humana, Vanderbilt University, Hospital Corporation of America, and Emory University where he has focused on creating and leading Information Security programs and developing innovative Information Security solutions. Brad was the recipient of the 2011 Healthcare Information Security Executive of the Year award for North America, and he presently serves on the Board of Directors for the National Health Information Sharing and Analysis Center (NH-ISAC) and the SANS Educational Advisory Board. Brad is also an Emory University faculty member within the Rollins School of Public Health where he serves as a periodic lecturer and has taught a graduate course on Information Security and Privacy.

Posted October 2017

Pavel Slavin

VP and CISO, Froedtert Health

Pavel Slavin, vice president and chief information security officer for Froedtert Health, oversees the enterprise security/cybersecurity strategy to protect the health system’s information assets.

With the health care sector increasingly the target of cyber threats, innovative cybersecurity technology helps the Froedtert & the Medical College of Wisconsin health network continue to provide uninterrupted care and protect patient information.

Pavel has over two decades of experience developing and operating cyber security programs. He came to Froedtert Health from Cleveland Clinic Foundation, where he served as cybersecurity managing principal, creating powerful brand-differentiation through highly adaptable, business-focused security services. Pavel has also served in cyber security leadership positions at Baxter Healthcare Corporation and Health Care Service Corporation.

Pavel holds a degree in mathematics and computer science from the University of Illinois.

Posted December 2019

Paul VanAmerongen

VP and CISO, UW Health

Paul VanAmerongen joined UW Health as Vice President and Chief Information Security Officer in February 2017. In this role, Paul develops and leads the strategic vision for UW Health’s enterprise information security program.

Prior to joining UW Health, Paul served as Enterprise Risk Services Specialist Master for Deloitte Touche’s Cyber Risk Services practice in Seattle, IT Director for Harrison Medical Center, Manager of Information Security Services for MultiCare Health System, and Manager of Information Security Engineering and Administration for Premera Blue Cross. Paul also served our country in the United States Navy from 1984 to 2004, where he earned the rank of Chief Petty Officer (Submarines).

He holds a CISSP certification, a master’s degree in Business Administration from the University of Washington and a bachelor’s degree in Computer Science from Chapman University.

Updated October 2018

                                                                                  Not pictured: Barry Beckett, VP and CISO, Houston Methodist

                                                                                  Sponsors

                                                                                    Raj Mehta

                                                                                    Partner, Deloitte

Summary

Raj is a Partner with Deloitte Advisory’s Cyber Risk Services. Raj currently leads the Cyber Security Practice within the Healthcare Provider space across the US. Raj has over twenty-three (23) years of experience in the field of information governance, security, privacy, risk management and compliance within the Healthcare space. His experience includes performing risk assessments, as well as assessing, developing, and implementing strategies and solutions associated with information security and privacy matters, including:

• Assisting clients with developing their cyber security strategy and defining actionable roadmaps.
• Assisting clients with executive reporting and board communication on cyber security.
• Conducting IT risk assessments and assisting internal audit departments in planning and conducting IT audits.
• Compliance management strategy and processes leveraging integrated security & privacy frameworks (example sources include HIPAA, PCI DSS, HITRUST, NIST, ISO 27002, etc.).
• Implementing GRC solutions such as Archer and developing risk dashboards for identified target audiences (converting security metrics into meaningful information).
• Developing strategy, processes, and tools integration for managing cyber security against advanced threats (SOC operations, implementation of SIEM, DLP, etc.).

Professional Activities

• Raj has assisted in the development of the CyberRX 2.0 playbook for HITRUST, which can be leveraged for conducting tabletop exercises related to cyber security incidents within Healthcare environments.
• Assisted in the planning, design, and execution of a cyber war game for 12 health plans in the CyberRX:HP HITRUST initiative.
• Raj has been President of the Houston Chapter of the Information Systems Audit and Control Association.
• Raj has been an instructor at the University of Texas (Austin), lecturing on computer audit and security.
• Raj has given a number of presentations to organizations such as AHIA, ISACA, IIA and HFMA, as well as at the annual HITRUST conference.

Example Experience

• Assisted one of the nation’s top 10 Children’s Hospitals in assessing HIPAA security and privacy compliance as well as developing a cyber security strategy. Currently supporting remediation efforts.
• Conducted IT audits over several years for a Children’s Hospital.
• Assisted six large Health institutions with Meaningful Use Risk Analysis for security and privacy requirements. EHR environments included Cerner, EPIC, eCW, etc.
• Assisted a very large Catholic-based Health Care system with implementing and conducting compliance assessments leveraging the HITRUST framework.
• Developed an information security strategy and implementation roadmap for improving information security controls and compliance management for several large Health systems.
• Developed a third-party risk assessment process for a large University System as well as Health Providers.
• Assisted a public sector client with FISMA (Federal Information Security Management Act) compliance – from performing the initial assessment and building a compliance roadmap to implementing tools and processes (e.g., Identity & Access Management, Data Leakage Prevention, Incident Response Process, etc.).
• Developed a vendor risk management strategy and process related to information security risk management.
• Developed the governance structure as well as the content for IT policies, procedures, and standards.
• Developed a Security Awareness and Training Program.
• Conducted data privacy readiness assessments and built roadmaps for risk.

Raj Mehta

Partner

Houston Office

Tel: 713.982.2955

e-mail: rmehta@deloitte.com

Specialization

Information & Technology Risk Management

Enterprise Security Strategy

Information & Technology Governance, Risk and Compliance

Education

MBA (MIS), University of Houston

BS in Accounting, University of New Orleans

Certifications

Certified Information Privacy Professional (CIPP)

Certified Information Systems Security Professional (CISSP)

Certified Public Accountant (CPA) – Licensed in State of Texas

Certified Information Systems Auditor (CISA)

Health Care Information Security & Privacy Practitioner (HCISPP)

HITRUST (Health Information Trust Alliance) CSF (Common Security Framework) Assessor

Anant Sethi

Advisory Manager, Deloitte

Anant Sethi is a Manager with Deloitte Advisory’s Cyber Risk Services, specializing in the health care industry. He has more than 9 years of experience in designing and executing cyber security and governance initiatives. His expertise includes development and maintenance of large enterprise cyber security programs, identification and prioritization of initiatives under the program, design of people, process and technology capabilities for implementing the program, and driving all aspects of planning, organizing, budgeting, and execution for completing projects and initiatives.

Anant has superior technical and analytical aptitude, balanced by highly developed interpersonal, leadership, training, presentational and written skills. He joined Deloitte Advisory in June 2013 and specializes in conducting cybersecurity program maturity assessments and readiness assessments for various standards and regulations such as PCI DSS, HITRUST CSF, HIPAA (Security & Privacy), NIST 800-53, NIST CSF, ISO 27001, ISO 22301, SSAE16 (SOC1 & SOC2), etc. He also has experience in managing and executing PCI DSS remediation activities, developing Third Party Risk Management programs and designing security governance programs.


Prior to joining Deloitte & Touche, Anant served as a Security Consultant with Accenture, where he provided subject matter expertise and handled enterprise risk management activities related to outsourcing engagements for Fortune 500 clients.


Professional Affiliations & Certifications

• Certified Information Systems Security Professional (CISSP), (ISC)²

• Certified Common Security Framework Practitioner (CCSFP), HITRUST

• ISO 27001 – Lead Implementer, BSI

• BS 25999 – Lead Auditor, BSI

• Industry Proficiency Program (IPP) – Level 2 (LSHC), Deloitte

Posted December 2019

Not pictured: Anand Dedhia, Manager, Deloitte