
What can HITRUST do for me?

Dr. Bryan Cline

CISO & VP, CSF Development & Implementation

[email protected]

Jason Taule

Chief Security & Privacy Officer


Introduction

  

Purpose

–   Discuss HITRUST support for information protection in the healthcare industry and utility for CMS & CMS contractor organizations

  

Learning Objectives

–   Attendees will:

•   Understand regulatory and business drivers for an industry- wide information protection and assurance framework

•   Understand resultant issues and outstanding “pain points” for healthcare entities, including CMS contractor organizations

•   Understand the role of HITRUST in promoting the adoption of sound risk management practices by healthcare organizations

–   HITRUST RMF (CSF, CSF Assurance Program, Tools such as MyCSF)

–   Other industry support (HITRUST C3, HITRUST Academy, professional certifications)

  

Introduction

  

Background

  

Health Information Trust Alliance (HITRUST)

–   Overview

–   HITRUST Risk Management Framework (RMF)

•   Common Security Framework (CSF)

•   CSF Assurance

•   Tool Support (HITRUST Central / MyCSF)

–   Healthcare Industry Support

•   Cyber Threat Intelligence & Incident Coordination Center (C3)

•   HITRUST Academy

•   Professional Certification

  

Summary/Conclusion

  

Q&A


  

Background – Regulatory Drivers

HIPAA

–   Established RA requirement for covered entities

HITECH

–   Expanded scope to BAs

–   Incentives and penalties

•   Meaningful Use & data breach notification (“harm” provision)

•   Increased penalties & enforcement

Omnibus Rule

–   Expanded definition of BA

–   Strengthened “harm” provision

Other regulatory drivers

–   PCI, FTC Red Flag, FDA, etc.

Requires a fundamental and holistic change in the way healthcare manages information security and privacy-related risk

  

Evolving business relationships and increased complexity

–   Increasingly more data shared with business partners

–   Data dispersed through a complicated web of relationships

–   Multiple/varied assurance requirements from a variety of parties

–   Inordinate level of effort being spent on assurance

•   Negotiation of requirements, data collection, assessment and reporting

  

Covered Entities

–   Increasingly more data shared with business partners

–   Complex contracting process due to unique security requirements

–   Low response rate of questionnaires

–   Inaccurate and incomplete responses

–   Inadequate due diligence of questionnaires

–   Costly and time-intensive data collection, assessment and reporting processes

–   Inability to proactively identify and track risk exposures at BA

–   Lack of visibility into downstream risks related to BA (i.e., BAs’ own business partners and sub-contractors)

–   Lack of consistent reporting to management on BA risks

  

Business Associates

–   Complex contracting process due to unique security requirements

–   Broad range / inconsistent expectations for questionnaires

•   Cannot effectively leverage responses between organizations

–   Complexity with:

•   Maintaining broad range of reporting requirements

•   Expensive and time-intensive audits by organizations

•   Lack of focus on high risk issues and actual remediation

•   Inability to consistently and effectively report to and communicate with organizations

  

Common Pain Points:

–   Change, Change, Change

–   Customer Demands

–   Audit Fatigue

–   Third Party / Partner Risk Exposure

  

HITRUST Value Proposition:

–   Increased Customer Engagement Ease

–   Lower Cost to Partner Assurance

–   HIPAA Police Defense

–   Tipping Point Insight

–   Ecosystem Entrance Criteria

–   Threat Intelligence

–   Information Sharing

  

Health Information Trust Alliance

–   Born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges

–   Led by a seasoned management team and governed by a Board of Directors made up of leaders from across the healthcare industry and its supporters

–   Driving adoption and widespread confidence in sound risk management practices through education, advocacy and other outreach activities

HITRUST – RMF (1)

  

Multitude of challenges

–   Significant Oversight

–   Evolving requirements

–   Complex business relationships

–   Uncertain standard of care

•   Reasonable & appropriate?

•   Adequate protection?

  

HITRUST Risk Management Framework (RMF)

–   Provides healthcare industry standard of due care and diligence

–   Components include:

•   Common Security Framework (CSF)

•   CSF Assurance Program

•   Related methodologies, services and tools

HITRUST – RMF (2)

  

Healthcare-centric RMF

–   Rationalizes healthcare-specific requirements

–   Leverages international & U.S. RMFs

–   Single industry approach

•   Current, prescriptive & relevant

•   Free to qualified healthcare organizations

•   Risk-based vs. compliance-oriented

–   Baselines tailored based on multiple risk factors

–   Managed alternate control process

•   Consumable by organizations with limited resources

–   Provides industry standard of due diligence and due care

•   Specifies “reasonable and appropriate” controls

•   Defines “adequate” protection

  

Rationalized framework

–   ISO provides the foundation

–   NIST provides additional prescription

  

Three risk-based control baselines

–   Organizational, system & regulatory factors

  

Managed tailoring via alternate controls

–   One-time or general use


HITRUST RMF – CSF Assurance (1)

  

CSF Assurance Program

–   Cost-effective risk assessment

•   High-risk controls (based on breach data analysis) & HIPAA implementation requirements

•   Certified assessor organizations provide consistency / repeatability

The CSF Assurance Program balances the cost of assurance with the risk exposure. The program is designed to cost-effectively gather the information about security controls that is required to appropriately understand and mitigate risk.

[Figure: Cost of Assurance (Low / Medium / High) plotted against Risk Exposure for Compliance with HIPAA, Compliance with ISO, Compliance with PCI, Compliance with NIST, CSF Assurance (Self) and CSF Assurance (3rd Party)]

HITRUST RMF – CSF Assurance (2)

  

CSF Assurance Program

–   Standardized reporting

•   Supports third-party assurance for entities, BAs and regulators

•   Maturity /risk scores support internal baselines / external benchmarking


HITRUST RMF – CSF Assurance (3)

  

Degrees of Assurance

–   Self-assessments conducted by low risk BA or other partner

–   Third-party assessments provide independent assurances

•   Certified report issued when minimal compliance is demonstrated

•   Validated report results when certification requirements aren’t met

HITRUST RMF – CSF Assurance (4)

  

Significant risks from sharing health data

–   Smaller practices (1 to 100 physicians) accounted for >60% of reported breaches

–   As of mid-2012, BAs were implicated in only 21% of breaches but accounted for 58% of the records breached

–   Many breaches may be under reported or remain undiscovered

–   HITRUST report, “A Look Back: U.S. Healthcare Data Breach Trends” (http://www.hitrustalliance.net/breachreport/)

  

Addressing shared risk thru the CSF Assurance Program

–   Many healthcare entities accept CSF validated and certified reports

–   Six (6) major institutions now require CSF validated or certified reports

–   HITRUST news (http://www.hitrustalliance.net/news/index.php?a=129)

HITRUST RMF – Tool Support

  

HITRUST Central

–   User portal

–   HITRUST RMF content

–   News / updates

–   Blogs / chats

  

MyCSF

–   GRC-based platform

–   CSF controls

–   Illustrative procedures

–   Assessment scoping

–   Workflow management for assessments and remediation

–   Documentation repository for test plans, CAPs, and supporting documentation

–   Dashboards and reporting

–   Automated submission of assessments for HITRUST validation & certification


  

Cyber Threat Information and Incident Response Coordination Center (C3)

–   Created to protect the U.S. healthcare industry from cyber attacks

–   Relies upon a community defense approach

–   Enables industry’s preparedness and response to cyber threats

–   Facilitates knowledge sharing and enhanced preparedness

•   Early identification, coordinated response and incident tracking

–   Works with the U.S. Department of Health and Human Services

•   Shares incident-related information and participates in the Critical Infrastructure Information Sharing and Collaboration Program

  

Provides integrated Cyber Threat Analysis Service (C-TAS)

•   General and sector-specific cyber intelligence

•   Real-time collaborative platform for healthcare cyber defense

–   http://www.hitrustalliance.net/C_TAS_Datasheet.pdf


•   Educate healthcare professionals on the concepts and principles of information protection and the utilization of the HITRUST CSF to manage risk (http://www.hitrustalliance.net/programs/certification/)

•   Practical Applications for Health Information Protection

–   Overview of the healthcare industry, including analysis of industry trends

•   Regulatory landscape for healthcare organizations

•   Market dynamics & challenges facing healthcare

–   Introduction to HITRUST and the CSF

•   Discussion of risk management and the CSF

•   Review of the CSF Assurance Program

•   Practical Applications for the CSF & CSF Assurance Program

–   Introduction to the tools and methodology for utilizing the CSF

–   Thorough review of the CSF structure and detailed explanation of MyCSF

•   Includes discussion of components with case studies illustrating each component

–   Overview of the CSF Assurance Program

•   Program review, including specific requirements for CSF Certification

•   Review of CSF Validated and Certified Reports and their value to relying organizations


  

HITRUST Certified CSF Practitioner (CCSFP)

–   Certifies assessor personnel to conduct independent, third-party HITRUST CSF assessments for validation/certification

–   Requires successful completion of both HITRUST Academy courses with a minimal passing score

  

(ISC)2 Healthcare Information Security & Privacy Professional (HCISPP)

–   Certifies minimum requirements for entry-level information protection professionals in the healthcare industry

–   HITRUST began work on initiative with (ISC)2 in Jan 2012

–   (ISC)2 Board approved development in Sep 2012

–   Anticipated delivery to market in late Fall, early Winter 2013

–   HITRUST will provide training and education materials

Summary / Conclusion

  

Healthcare security & privacy

–   Constant change in the threat & regulatory landscape

–   Complex business and clinical relationships increase risk

–   Lack of funding and skilled resources for custom programs

“Organizations can use targeted risk assessments, in which the scope is narrowly defined, to produce answers to specific questions … or to inform specific decisions[,] … have maximum flexibility on how risk assessments are conducted, … [and] are encouraged to use [NIST] guidance in a manner that most effectively and cost-effectively provides the information necessary to senior leaders/executives to facilitate informed decisions.”

  

HITRUST Risk Management Framework

–   CSF provides harmonized set of tailorable safeguards

–   CSF Assurance provides:

•   Standardized, cost-effective assessment

•   Risk-based vs. compliance “check-the-box” approach

–   Tools support healthcare information protection community

•   HITRUST Central supports information sharing

•   MyCSF supports automated risk assessment & management


Dr. Bryan Cline, CISSP-ISSEP, CISM, CISA, CCSFP, ASEP, CAP-II, MCIATT, NSA-IAM/IEM

Phone: (469) 269-1118 | Email: [email protected]

Jason Taule, CMC, CPCM, C|CISO, CISM, CGEIT, CRISC, CHSIII, CDPS, NSA-IAM

Phone: (443) 393-2686 | Email: [email protected]

Questions?

“The CSF, CSF Assurance Program and related methodologies and tools that make up the HITRUST RMF are needed more now than ever before.”
