Posted: 15-Jan-2017 | Uploaded by: schellman-company
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
HITRUST: Navigating to 2017 Your Map to HITRUST Certification
Contents
01. Background / Overview
02. CSF Expansion
03. The CSF Framework
04. Scope and Approach
05. Options
06. Steps to Certification
07. Process
08. Mapping
01. Background & Overview
Security and privacy are everyone's responsibility
HITRUST Overview
• Began in 2007
• Created to meet the demands created by healthcare challenges:
 – Inconsistency
 – Inefficiencies
 – Increasing cost
 – Increasing risk
HITRUST CSF – Multiple Requirements
HITRUST CSF – One Program
HITRUST CSF – Assess Once
Example control requirement: Security gateways (e.g., a firewall) shall be used between the internal network, external networks (Internet and 3rd party networks), and any demilitarized zone (DMZ). An internal network perimeter shall be implemented by installing a secure gateway (e.g., a firewall) between two interconnected networks to control access and information flow between the two domains. This gateway shall be capable of enforcing security policies, be configured to filter traffic between these domains, and block unauthorized access in accordance with the organization's access control policy. Wireless networks shall be segregated from internal and private networks. The organization shall require a firewall between any wireless network and the covered information systems environment.
Authoritative sources mapped to this single requirement:
• CSA CCM SA-08
• HIPAA § 164.308(a)(3)(ii)(A)
• HIPAA § 164.308(a)(3)(ii)(B)
• HIPAA § 164.310(b)
• IRS Pub 1075 9.4.10
• PCI DSS 1.1
• PCI DSS 1.1.4
• 1 TAC § 390.2(a)(1)
HITRUST CSF – Report Many
HITRUST Now
• 83% of hospitals
• 82% of health plans
• 23,000 Common Security Framework (CSF) assessments (2012, 2013, 2014)
02. CSF Expansion
Announcement
Overview of Expansion
• CSF Certification
• Anthem/Cigna, Health Care Services Corp., Highmark, Humana, and UnitedHealth Group
Significance
• Effective security and privacy practices
Why the Expansion?
• Increasing cyber threats
• Significance of Business Associates
• Interconnection of the healthcare industry
• Beyond HIPAA
• Minimize duplication, costs and inefficiencies
Mandatory?
YES! (For Business Associates)
7,500
24 months
03. Overview of the Common Security Framework
CSF Overview
• CSF
 – Defined set of requirements
 – Prescriptive requirements
 – Meets the challenges in healthcare security
 – Secures protected health information
Overview of the CSF (sources harmonized)
• ISO 27001
• PCI-DSS
• HIPAA/HITECH
• Meaningful Use
• NIST 800-53
• FTC Red Flags
• CMS
• Privacy Laws
Organization of the CSF
• Establishes a single benchmark
• Increases trust and transparency
• Obtains industry consensus
CSF and Privacy
• CSF version 7
 – Inclusion of privacy
 – Satisfies health care regulations in Texas (SECURETexas)
04. Purpose & Scope
Purpose
• Harmonizes privacy and security standards
• Establishes a framework of controls
• Builds trust and assurance
• Highlights credibility
Purpose
• Effectively meet the security objectives through:
 – Examining
 – Interviewing
 – Testing
Define Scope
• Entire organization environment
• Segmented portions
 – Single location
 – Single business unit
 – Single application
• Covered information
Define Scope
• Assessment options
 – Security Assessment
 – Security & Privacy Assessment
 – Comprehensive Security Assessment
 – Comprehensive Security & Privacy Assessment
 – NIST Cyber Security Assessment
Scope of CSF
• Assessment factors
 – Organizational factors
 – System factors
 – Regulatory factors
Scope of CSF
• 14 control categories
 – 13 for Security
 – 1 for Privacy
• 46 control objectives
• 149 control specifications
 – Grouped within 19 assessment domains
Scope of CSF – CSF Assessment Domains
• Information Protection Program
• Endpoint Protection
• Portable Media Security
• Mobile Device Security
• Wireless Security
• Configuration Management
• Vulnerability Management
• Network Protection
• Transmission Protection
• Password Management
• Access Control
• Audit Logging & Monitoring
• Education, Training and Awareness
• Third Party Assurance
• Incident Management
• Business Continuity & Disaster Recovery
• Risk Management
• Physical & Environmental Security
• Data Protection & Privacy
MyCSF
• Access to the CSF and authoritative sources
• Perform assessments
• Reporting/Tracking compliance
• Document remediation in Corrective Action Plans (CAPs)
• Benchmarking
05. Options
Assessment Types
• Self Assessment
• CSF Validated
Assessment Types
• Self Assessment
 – No validation
 – 3rd party can facilitate assessment
 – 3rd party can provide review and feedback
Assessment Types
• Validated
 – HITRUST approved CSF Assessor
 – On-site fieldwork
  • Interviews
  • Technical testing
Report Types
• Self-assessment
• CSF Validated
 – Minimum maturity rating of 3+ on a majority of assessment domains
• CSF Certified
 – Minimum maturity rating of 3+ for ALL assessment domains
06. Steps to Certification
Step 1 – Initial Project Planning
Project Planning
• Executive support
• Determining scope
• Determining system boundaries
• Communication with process owners
Step 2 – Organizational and System Scoping
Organizational and System Scoping
• Location(s)
• Application(s)
• Device(s)
• Regulatory requirement(s)
• System boundaries
Step 3 – Assessment Preparation
Assessment Preparation
• Project calendars
• Evidence request lists
Step 4 – Examine Documentation and Practices
Examine Documentation and Practices
• Policy documents
• Documented procedures
• Processes
Step 5 – Conduct Interviews
Conduct Interviews
• Process owners
• Verify process controls
• Confirmation of evidence
Step 6 – Perform and Review Technical Testing
Perform Technical Testing
• Automated control configurations
• Manual control sampling
 – HITRUST sampling methodology
Review Technical Testing
• Compliance scoring
 – Control requirement, rated at each maturity level:
  • Policy
  • Procedure
  • Implemented
  • Managed
  • Measured
 – Maturity rating scale:
  • Non-compliant (0%)
  • Somewhat compliant (25%)
  • Partially compliant (50%)
  • Mostly compliant (75%)
  • Fully compliant (100%)
Review Technical Testing
• Compliance scoring example (figure not reproduced)
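The scoring scheme above, carried through as an added example that is not part of the deck: each control requirement is rated at the five maturity levels on the 0/25/50/75/100 scale, the ratings are combined into a weighted control score, control scores are averaged per assessment domain, and the majority-of-domains versus all-domains rules from the Report Types slide decide the outcome. The per-level weights and the numeric pass threshold standing in for a "3+" rating are assumptions for illustration; the deck states only the levels, the rating percentages and the 3+ rule.

```python
# Added example (not from the deck). Scores one control requirement
# across the five maturity levels named on the page, averages controls
# into domain scores, and applies the majority/all-domains rules.
# Level weights and the pass threshold are ASSUMPTIONS for illustration.
from statistics import mean

# Rating scale as given on the page.
RATING_PCT = {
    "non-compliant": 0,
    "somewhat": 25,
    "partially": 50,
    "mostly": 75,
    "fully": 100,
}

# ASSUMED weight of each maturity level (sums to 100). Confirm against
# the scoring guidance in force before relying on the numbers.
LEVEL_WEIGHT = {
    "policy": 15,
    "procedure": 20,
    "implemented": 40,
    "managed": 10,
    "measured": 15,
}

def control_score(ratings):
    """Weighted 0-100 score for one control requirement; an unrated
    level counts as non-compliant so missing evidence is not skipped."""
    unknown = set(ratings) - set(LEVEL_WEIGHT)
    if unknown:
        raise ValueError(f"unknown maturity level(s): {sorted(unknown)}")
    return sum(w * RATING_PCT[ratings.get(lvl, "non-compliant")] / 100
               for lvl, w in LEVEL_WEIGHT.items())

def domain_scores(controls_by_domain):
    """Average control score per assessment domain."""
    return {domain: mean(control_score(r) for r in ctrls)
            for domain, ctrls in controls_by_domain.items()}

def report_type(scores, threshold):
    """Validated: majority of domains at/above threshold; Certified: all.
    The numeric threshold is an ASSUMED stand-in for a 3+ rating."""
    passing = sum(1 for s in scores.values() if s >= threshold)
    if passing == len(scores):
        return "CSF Certified"
    if passing * 2 > len(scores):
        return "CSF Validated"
    return "Below Validated threshold"
```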
Step 7 – Alternate Control Identification and Selection
Alternate Control Identification and Testing
• Only if non-compliant CSF controls exist
• Identify compensating controls
• Residual compliance scoring
Step 8 – Reporting
Reporting
• Prepare for submission to HITRUST
 – Assessor testing
 – Management representation letter
 – Remediation plans (CAPs)
• HITRUST QA Review
 – 4 – 6 weeks
Step 9 – Remediation Tracking
Remediation Tracking
• Corrective Action Plan (CAP) progress
 – CAP Owner
 – Implementation plan
 – Expected completion date
• Residual risk score adjustments
07. The Certification Process
Issuing Certification
• Valid 2 years
 – Annual review
  • Within 2 months following the 1-year anniversary
• Continuous monitoring requirements
 – CAP remediation
08. Mapping to Other Standards
Other Standards
• HIPAA
• ISO 27001
• PCI
• NIST / CMS ARS
• Meaningful Use
• SOC 2
Join Us Next Time
Surviving a Security Assessment – October 9, 2015
brightline.com/webinars