Q&A with Todd Fisher, Founder and CEO of Intraprise Health

By December 11, 2018CEO Spotlight

In April, HEP III made an investment in Intraprise Health (https://intraprisehealth.com/), a Certified HITRUST Assessor and award-winning eHealth technology firm. The company provides health information security products and services to assess, remediate, and monitor customers’ cyber security risk, regulatory compliance programs, organizational resilience, and third-parties’ security posture.

Todd Fisher, Founder and CEO of Intraprise Health, has spent over 25 years as a health information technology innovator, focusing most heavily on the sensitive information needs and relationship between providers, patients, and communities. He is the former CEO of MobileMD, a HEP I portfolio company that was sold to Siemens Healthcare (now Cerner) in 2011.

What are the biggest threats to privacy and security facing the healthcare community today?
In short, the healthcare industry is its own biggest threat.  Compared to other data-intensive industries, healthcare’s lack of preparedness and relative immaturity with respect to cyber-security, organizational resilience, and privacy programs pose a real threat.

The do-it-yourself approach to information security, organizational resilience, and health data integrity is rapidly becoming inadequate to meet the needs of healthcare organizations. The imperatives of protecting patient privacy and seizing the enormous benefits of eHealth and mHealth opportunities bring increasingly complex security and privacy considerations. Healthcare leaders should not view security requirements as sunk costs associated with regulatory compliance and instead should see the tremendous value in well-designed health information security programs.

When and why should an organization engage Intraprise Health for a BluePrint Security Risk Assessment (“SRA”)?
All healthcare organizations are obligated, by law, to perform and document health information risk assessments “as needed” and to identify when updates are necessary to accommodate the security and privacy ripple-effect caused by inevitable changes. For most healthcare organizations, contractual terms and/or specific regulatory requirements dictate the frequency of conducting SRAs to meet their “as needed” (minimum) requirement – e.g., annually, semi-annually, quarterly, or some other measure of regularity. Security Risk Assessments are an important element of responsible compliance. As healthcare engages more in the digital economy, SRAs will serve an increasingly critical role in eHealth innovation and adoption.

Organizations often can and do conduct their own risk assessment (aka self-assessment).  But, just as it is reasonable and appropriate to engage an objective third-party to conduct regular reviews of a company’s financials, engaging Intraprise Health to conduct a BluePrint SRA provides several benefits: objectivity, a team of subject matter experts with a keen awareness of HITRUST, NIST, ISO, and other recognized framework considerations, and access to full service remediation support (including technology design, engineering, and implementation). Should the same organization seek HITRUST certification in the future, an Intraprise Health BluePrint SRA offers a solid foundation from which to enter into a HITRUST Validated Assessment engagement.

A metaphorical perspective: Consider a running coach who trains elite marathon runners. The first step is a training plan tailored to the specific needs of each runner.  Such a plan demands a full understanding of each runner’s unique attributes, strengths, and weaknesses. To acquire such understanding, a thorough, structured assessment is necessary. The result is an action plan – a tailored training plan executed as a continuous program that has been designed to achieve predetermined performance goals, avoid injury and other unnecessary disruptions, and reach an optimum level of fitness. When race day arrives, no matter the conditions, the runner is confident, resilient, and prepared.

Given a healthcare organization’s limited resources, if you had to choose just one aspect of a health information security and privacy program, how would you spend those resources?
In a phrase, Organizational Resilience. Healthcare is changing rapidly. With respect to health information security, my observations over the past several years suggest that many organizations engage in their day to day work unaware of the lines that bound compliance – lines that, when crossed, can be costly and damaging.

I encourage our customers to focus on the development of cyber and organizational resilience, business continuity, health data security and privacy restoration. This approach demands an on-going program, rather than intermittent “projects.” To highlight this point, documentation of policies, procedures, actions, activities, and assessments under the Security Rule of HIPAA must be maintained for six (6) years.  Regulators clearly want a sustained and continuous commitment to health information security.

How to get started? … I’m reminded of my time on active duty in the Army. Prior to the execution of a mission, a Special Forces A-team enters a period of time sequestered in a designated location – this period is known as “Isolation.” One of the most critical components of Isolation, if not the most critical, is contingency planning. No matter how well-trained, hardened, and security-minded, those benefiting from the wisdom of experience anticipate the unanticipated by answering “What if?” and “What next?”

“Our greatest glory is not in never failing, it is in rising every time we fall” – Confucius

 What occupies your free time?
Is this a trick question? Joking aside, I’m a curious, fidgety person with a passion for learning what makes people tick. Simply stated, my hobbies are reading, writing and running. I read non-fiction books covering a wide range of topics. My writing generally follows the same path as my reading.  I read to learn, to answer questions, and learn new questions to ask.  I write about what I learned, and I capture the questions I have yet to ask. That process informs my next iteration of reading and writing.  When I’m truly just trying to reenergize, I watch Seinfeld reruns. As the decades pass, my intolerably incessant references to Seinfeld episodes are getting old for or lost on those around me. Nevertheless, I am amazed at how a “show about nothing” seems to apply to everything.