Track Session #1 – Nov 4, 10:45 – 11:30 am

Cyber Risk Management & The Medical Device Dilemma

With increased focus from both cyber criminals and OCR, medical devices present one of the greatest unmitigated risks to hospital security. Not only is confidentiality of data at risk for those devices that create and process PHI, but also the integrity and availability of all critical health IT systems when medical devices are used as an attack foothold on the network. This presentation will discuss the challenges associated with risk analysis of medical devices, in particular the determinations of likelihood and impact of a threat occurrence, which are required under OCR guidance. A high-level process for risk analysis for medical devices will be presented along with a general lifecycle approach to medical device security.

Learning Objectives:

  • Review of the risk analysis process and definitions under the Security Rule
  • Gain a greater understanding of the IoT and medical device risks impacting healthcare delivery
  • Embedding IT Security in the Medical Device lifecycle
  • Gain insights into how to approach asset inventory, assessment, and remediation of IoT devices while conducting an OCR-quality risk analysis
  • Understanding the need for an integration of Risk Management, Patient Safety and Cybersecurity



Mark Sexton MPA, CISSP, HCISPP, CISA, CCSK Principal Consultant, Clearwater

 Fernando Blanco,
VP and Chief Information Security Officer, CHRISTUS Health




The State of Healthcare Analytics

The everyday delivery of healthcare services is generating more and more data. What is your healthcare organization doing to turn that data into value? Leveraging data as an asset in improving business and clinical outcomes is more important than ever, helping CIOs and healthcare leaders move their institutions forward.

This session will discuss data and analytics trends in healthcare, explore frameworks for understanding the tools and technologies necessary, and present best practices and practical guidance for benefiting from data and analytics. Additionally, this session will cover the skills, data governance understanding, and accountability needed for healthcare leaders to advance data and analytics use in their organization.

Learning Objectives:

  • Understand the top 5 trends in data/analytics in healthcare
  • Be able to articulate your role as a leader in improving data/analytics effectiveness in your organization
  • Learn the balance between EMR and other transactional system-provided analytic solutions, and the other internal investments necessary to achieve analytic success
  • Understand and be able to support, or even champion, data governance and use in your organization


  Lee Pierce BS, MIS, Chief Data Officer,
Sirius Healthcare 



Track Session #2 – Nov 4, 12:45 – 1:30 pm

A Zero-Trust Approach to Healthcare Information Security

A simulated mass malware outbreak will be presented, along with how it impacted a healthcare organization and provided the impetus for adopting a zero-trust approach to network security. This talk will discuss taking network segmentation to the next level and implementing a zero-trust approach to security whereby every device on the network is restricted to just essential communications.

Learning Objectives:

  • Learn how to simulate a mass malware attack
  • Learn about simulating and testing incident response plans
  • Learn about establishing a zero trust network
  • Learn about combating ransomware
  • Learn about securing medical devices


  Christopher Frenz
AVP of Information Security, Interfaith Medical Center




Implementing Electronic Prescribing of Controlled Substance (EPCS) To Meet Regulatory Requirements

Healthcare organizations increasingly want to understand EPCS regulations and implement EPCS systems that are both compliant and seamless for providers. Healthcare leaders are implementing EPCS to drive profits and help combat opioid and substance abuse. But meeting EPCS requirements, while delivering a seamless workflow, is a challenge.

This panel explains EPCS regulations for understanding and action, while providing best practices for EPCS program implementation. It explains EPCS benefits beyond safety and security — including bottom-line savings. Panelists provide a view of how implementing EPCS, in conjunction with other safety and security measures, can help health systems reduce overall opioid prescribing while saving money.

Learning Objectives:

  • Spread awareness and understanding of requirements for electronic prescribing of controlled substances (EPCS) set forth in various state statutes and in the Federal Opioid Package (SUPPORT for Patients and Communities Act (H.R. 6))
  • Share on-the-ground experience implementing DEA-compliant EPCS at hospitals, ambulatory sites, and other facilities in record time in order to meet the requirements of federal and/or state mandates
  • Provide a blueprint for EPCS success


   Sean Kelly M.D.
Chief Medical Officer, Imprivata; FACEP, Beth Israel Deaconess Medical Center; Assistant Clinical Professor of Emergency Medicine, Harvard Medical School, Imprivata

Carole Ettinger PMP, CPHIMS, CHCIO-eligible,
Senior Director, Information Services Division Akron Children’s Hospital

Leslie Krigstein,  
VP, Congressional Affairs,




Track Session #3 – Nov 4, 1:45 – 2:30 pm

How to Build a Quantitative Cyber Risk Analysis

If you were to be asked by your board, “What are the chances of our organization being hit with a ransomware attack, and what would the probable range of financial loss be in such an event?”, how would you derive an objectively measurable answer to these questions?

The current popular structured methodologies for rating cyber risks that use ordinal scales and risk scoring matrices are inherently flawed, and offer no means to capture and encode uncertainty, or measurably model and reduce risks.

This presentation is a tutorial on how to build a better, more useful Quantitative Cyber Risk Analysis that quantifies uncertainty, supports improved decisions, and results in unambiguous measurement of our risk reduction investments.

Learning Objectives:

  • What’s wrong with popular structured methodologies for rating cyber risks?
  • Key concepts and definitions that form the basis of quantitative risk assessment.
  • The three main building blocks of a Quantitative Cyber Risk Analysis


  Richard Schaaf MSEE, CISSP
Regional CISO, The University of Vermont Health Network






How to Activate the Superpower of Innovation

Let’s be honest, most of us cannot say that innovation in healthcare is one of our superpowers. Why is it so hard to innovate in healthcare? How can you activate the superpower of innovation to tackle the biggest challenges faced by your organization and industry in an effective and game-changing method? Four regional CIOs / VPs from different parts of the healthcare ecosystem will compare and contrast different innovative approaches to (a) building and executing a playbook for IT innovations to generate value, (b) the role of the CIO and IT leadership in engaging stakeholders, and (c) how a deep understanding of industry drivers can create a competitive edge in a time of significant change and unpredictability.

Learning Objectives:

  • How you can activate the superpower of innovation to tackle the biggest challenges faced by your organization and industry in an effective and game-changing method
  • Distill challenges into actionable solutions that position your organization as a strategic differentiator in the market
  • Understand core strategies covering the impact of culture, governance, sponsorship, and results that demonstrate value to the business
  • Discuss lessons learned in the journey to building a credible business-focused IT innovation team
  • Apply the methods to your own organization


  David Chou,
CHIME Board Member & VP, Principal Analyst, Constellation Research
Aaron Miri,
CIO, Dell Medical School & UT Health 
Sarah Richardson
VP of IT Change Management, OptumCare


AEHIS Breakout: Building a Connected Asset Security Program – Lessons from the Field

Nov 4, 4:00 – 4:45 pm

Security leaders know that legacy devices connected to the network remain a major blind spot in many healthcare organizations.  An accurate inventory is an early step in building a more comprehensive program to manage the overall lifecycle and risk of connected assets.  Greater Baltimore Medical Center is devoted to improving visibility, resiliency, and overall governance of their device ecosystem.  GBMC will share their ongoing journey and vision for this program with the AEHIS Summit attendees and looks to learn from others during this education session.

Learning Objectives:

  • Discuss supporting technologies that enhance a connected asset management program
  • Identify interdepartmental and device ownership challenges that should be addressed
  • Describe policy and process influences on a comprehensive program
  • Discuss success factors as a comprehensive device security program matures
  • Review successful risk classification and risk mitigation approaches


   Rodney Graves
Information Security Officer, Greater Baltimore Medical Center
 Toby Gouker Dr.
CISO, First Health Advisory Solutions




AEHIA & AEHIT Breakout: Expanding the Care Continuum Through Digital Platforms

In an age of consumerism, digital disruption, and emerging technologies, this program will show how an organization can impact healthcare on a social scale by advancing a care delivery platform through partnerships and digital mediums.

This program will show how Memorial Hermann has been able to facilitate clinical integration across the care continuum by connecting disparate electronic health record systems to then connect records from the region’s hospitals, health systems, integrated delivery networks, community clinics, physician office practices, and service providers across South East Texas.

Learning Objectives:

  • Identify lessons learned in developing partnerships across health care to advance patient care.
  • Explain how to scale current platforms to meet the long-term needs of digital engagement.
  • Understand how to expand the care continuum through digital platforms.


   Ryan Walsh M.D.
Chief Medical Information Officer, Ambulatory Care and Population Health, Memorial Hermann Health System
Diane Hibbs D.O.
Senior Physician Executive, Cerner Corporation