Hitrust: Navigating to 2017, Your Map to HITRUST Certification

Date posted: 15-Jan-2017
Uploaded by: schellman-company
Pages: 67
Transcript
Page 1

©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved

HITRUST: Navigating to 2017
Your Map to HITRUST Certification

Page 2

Contents

01. Background / Overview
02. CSF Expansion
03. The CSF Framework
04. Scope and Approach
05. Options
06. Steps to Certification
07. Process
08. Mapping

Page 3

01. Background & Overview

Page 4

Security and privacy are everyone's responsibility

Page 5

HITRUST Overview
• Began in 2007
• Formed to meet the demands of healthcare security challenges:
  – Inconsistency
  – Inefficiencies
  – Increasing cost
  – Increasing risk

Page 6

HITRUST CSF – Multiple Requirements

Page 7

HITRUST CSF – One Program

Page 8

HITRUST CSF – Assess Once

A single CSF control requirement is assessed once and satisfies every authoritative source mapped to it. Example requirement (network segregation):

Security gateways (e.g., a firewall) shall be used between the internal network, external networks (Internet and 3rd party networks), and any demilitarized zone (DMZ). An internal network perimeter shall be implemented by installing a secure gateway (e.g., a firewall) between two interconnected networks to control access and information flow between the two domains. This gateway shall be capable of enforcing security policies, be configured to filter traffic between these domains, and block unauthorized access in accordance with the organization's access control policy. Wireless networks shall be segregated from internal and private networks. The organization shall require a firewall between any wireless network and the covered information systems environment.

Mapped authoritative sources:
• CSA CCM SA-08
• HIPAA § 164.308(a)(3)(ii)(A)
• HIPAA § 164.308(a)(3)(ii)(B)
• HIPAA § 164.310(b)
• IRS Pub 1075 9.4.10
• PCI DSS 1.1.
• PCI DSS 1.1.4
• 1 TAC § 390.2(a)(1)
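The requirement quoted above is the kind of control an assessor tests by examining the gateway configuration rather than the policy document. As an added example (not code from the original deck, from BrightLine, or from HITRUST), the following Python expresses that requirement as a check that can be run against an inventory of zone boundaries: every boundary between the internal, DMZ, external and wireless zones must be enforced by a filtering gateway, the gateway must deny by default, and anything it permits must appear in the organization's access control policy. The zone names, the first-match rule model, the sample rules, probe ports and the policy allow-list are all constructed for illustration; a real check would load them from the firewall export and the approved-flows register.

```python
# Added example (not code from the BrightLine deck or from HITRUST): the
# quoted CSF gateway requirement expressed as an automated segmentation check.
# Zone names, rules, ports and the access control policy below are constructed.
from dataclasses import dataclass
from typing import Optional

ZONES = ("internal", "dmz", "external", "wireless")
PROBE_PORTS = (22, 53, 80, 443, 445, 3389)  # constructed sample of services to probe


@dataclass(frozen=True)
class Rule:
    src: str             # zone name or "any"
    dst: str             # zone name or "any"
    port: Optional[int]  # None matches any port
    action: str          # "accept" or "drop"

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (self.src in ("any", src) and self.dst in ("any", dst)
                and self.port in (None, port))


@dataclass(frozen=True)
class Gateway:
    rules: tuple           # ordered Rule objects, first match wins
    default: str = "drop"  # action when no rule matches

    def permits(self, src: str, dst: str, port: int) -> bool:
        for rule in self.rules:
            if rule.matches(src, dst, port):
                return rule.action == "accept"
        return self.default == "accept"


def audit(boundaries: dict, policy: set) -> list[str]:
    """Check every connected zone pair against the requirement.

    boundaries maps (src, dst) to the Gateway enforcing that boundary, or to
    None when the zones are joined with no filtering device. policy is the set
    of (src, dst, port) flows the organization's access control policy allows.
    Returns one finding per violation; an empty list means the probe set passed.
    """
    findings = []
    for (src, dst), gw in boundaries.items():
        if src == dst:
            continue
        if gw is None:
            findings.append(f"{src}->{dst}: connected with no security gateway")
            continue
        if gw.default != "drop":
            findings.append(f"{src}->{dst}: gateway default is {gw.default}, not drop")
        for port in PROBE_PORTS:
            if gw.permits(src, dst, port) and (src, dst, port) not in policy:
                findings.append(f"{src}->{dst}:{port} permitted but not in access control policy")
    return findings


# Constructed sample environment: the access control policy as an allow-list
# of authorized flows, three gateways, and the boundaries they enforce.
POLICY = {
    ("external", "dmz", 443),       # public web tier
    ("dmz", "internal", 443),       # web tier to internal API only
    ("internal", "external", 443),  # outbound HTTPS
    ("internal", "dmz", 22),        # administration of DMZ hosts
}

EDGE_FW = Gateway(rules=(
    Rule("external", "dmz", 443, "accept"),
    Rule("internal", "external", 443, "accept"),
    Rule("any", "any", None, "drop"),  # explicit clean-up rule
))
INTERNAL_FW = Gateway(rules=(
    Rule("dmz", "internal", 443, "accept"),
    Rule("dmz", "internal", 445, "accept"),  # constructed defect: SMB inbound from the DMZ
    Rule("internal", "dmz", 22, "accept"),
))
WIRELESS_FW = Gateway(rules=(Rule("wireless", "internal", 443, "accept"),),
                      default="accept")  # constructed defect: permissive default

BOUNDARIES = {
    ("external", "dmz"): EDGE_FW,
    ("internal", "external"): EDGE_FW,
    ("dmz", "internal"): INTERNAL_FW,
    ("internal", "dmz"): INTERNAL_FW,
    ("wireless", "internal"): WIRELESS_FW,
    ("external", "internal"): None,  # constructed defect: routed with no gateway at all
}


def sample_findings() -> list[str]:
    """Run the audit over the constructed environment (9 findings expected)."""
    return audit(BOUNDARIES, POLICY)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

Running it reports nine findings for the constructed environment: the SMB rule from the DMZ, the permissive wireless default together with each probe port it lets through, and the internal-to-external path with no gateway. The deliberately weak settings are marked in the code so the corrected form (drop by default, explicit allow rules matching the policy) is visible beside them.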

Page 9

HITRUST CSF – Report Many

Page 10

HITRUST Now
• 83% of hospitals
• 82% of health plans
• 23,000 Common Security Framework (CSF) assessments (2012, 2013, 2014)

Page 11

02. CSF Expansion

Page 12

Announcement

Page 13

Overview of Expansion
• CSF Certification
• Anthem/Cigna, Health Care Services Corp., Highmark, Humana, and UnitedHealth Group

Significance
• Effective security and privacy practices

Page 14

Why the Expansion?
• Increasing cyber threats
• Significance of Business Associates
• Interconnection of the healthcare industry
• Beyond HIPAA
• Minimize duplication, costs and inefficiencies

Page 15

Mandatory?

YES! (for Business Associates)

Page 16

7,500 business associates

Page 17

24 months to obtain certification

Page 18

03. Overview of the Common Security Framework

Page 19

CSF Overview
• Defined set of requirements
• Prescriptive requirements
• Meets the challenges in healthcare security
• Secures protected health information

Page 20

Overview of the CSF – harmonized sources
• ISO 27001
• PCI DSS
• HIPAA/HITECH
• Meaningful Use
• NIST 800-53
• FTC Red Flags
• CMS
• Privacy Laws

Page 21

Organization of the CSF
• Establishes a single benchmark
• Increases trust and transparency
• Obtains industry consensus

Page 22

CSF and Privacy
• CSF version 7
  – Inclusion of privacy
  – Satisfies health care regulations in Texas (SECURETexas)

Page 23

04. Purpose & Scope

Page 24

Purpose
• Harmonizes privacy and security standards
• Establishes a framework of controls
• Builds trust and assurance
• Highlights credibility

Page 25

Purpose
• Effectively meet the security objectives through:
  – Examining
  – Interviewing
  – Testing

Page 26

Define Scope
• Entire organization environment
• Segmented portions
  – Single location
  – Single business unit
  – Single application
• Covered information

Page 27

Define Scope
• Assessment options
  – Security Assessment
  – Security & Privacy Assessment
  – Comprehensive Security Assessment
  – Comprehensive Security & Privacy Assessment
  – NIST Cyber Security Assessment

Page 28

Scope of CSF
• Assessment factors
  – Organizational factors
  – System factors
  – Regulatory factors

Page 29

Scope of CSF
• 14 control categories
  – 13 for Security
  – 1 for Privacy
• 46 control objectives
• 149 control specifications
  – Grouped within 19 assessment domains

Page 30

Scope of CSF: CSF Assessment Domains

1. Information Protection Program
2. Endpoint Protection
3. Portable Media Security
4. Mobile Device Security
5. Wireless Security
6. Configuration Management
7. Vulnerability Management
8. Network Protection
9. Transmission Protection
10. Password Management
11. Access Control
12. Audit Logging & Monitoring
13. Education, Training and Awareness
14. Third Party Assurance
15. Incident Management
16. Business Continuity & Disaster Recovery
17. Risk Management
18. Physical & Environmental Security
19. Data Protection & Privacy

Page 31

MyCSF
• Access to the CSF and its authoritative sources
• Perform assessments
• Reporting and tracking of compliance
• Document remediation in Corrective Action Plans (CAPs)
• Benchmarking

Page 32

05. Options

Page 33

Assessment Types
• Self Assessment
• CSF Validated


Page 35

Assessment Types
• Self Assessment
  – No validation
  – 3rd party can facilitate the assessment
  – 3rd party can provide review and feedback

Page 36

Assessment Types
• Validated
  – HITRUST approved CSF Assessor
  – On-site fieldwork
    • Interviews
    • Technical testing

Page 37

Report Types
• Self-assessment
• CSF Validated
  – Minimum maturity rating of 3+ on a majority of assessment domains
• CSF Certified
  – Minimum maturity rating of 3+ for ALL assessment domains

Page 38

06. Steps to Certification

Page 39

Step 1: Initial Project Planning

Page 40

Project Planning
• Executive support
• Determining scope
• Determining system boundaries
• Communication with process owners

Page 41

Step 2: Organizational and System Scoping

Page 42

Organizational and System Scoping
• Location(s)
• Application(s)
• Device(s)
• Regulatory requirement(s)
• System boundaries

Page 43

Step 3: Assessment Preparation

Page 44

Assessment Preparation
• Project calendars
• Evidence request lists

Page 45

Step 4: Examine Documentation and Practices

Page 46

Examine Documentation and Practices
• Policy documents
• Documented procedures
• Processes

Page 47

Step 5: Conduct Interviews

Page 48

Conduct Interviews
• Process owners
• Verify process controls
• Confirmation of evidence

Page 49

Step 6: Perform and Review Technical Testing

Page 50

Perform Technical Testing
• Automated control configurations
• Manual control sampling
  – HITRUST sampling methodology

Page 51

Review Technical Testing
• Compliance scoring: each control requirement is scored at five maturity levels
  – Policy
  – Procedure
  – Implemented
  – Managed
  – Measured
• Each maturity level receives a compliance rating
  – Non-compliant (0%)
  – Somewhat compliant (25%)
  – Partially compliant (50%)
  – Mostly compliant (75%)
  – Fully compliant (100%)

Page 52

Review Technical Testing
• Compliance scoring example (figure)

Page 53

Step 7: Alternate Control Identification and Selection

Page 54

Alternate Control Identification and Testing
• Only if non-compliant CSF controls exist
• Identify compensating controls
• Residual compliance scoring

Page 55

Step 8: Reporting

Page 56

Reporting
• Prepare for submission to HITRUST
  – Assessor testing
  – Management representation letter
  – Remediation plans (CAPs)
• HITRUST QA review
  – 4 to 6 weeks

Page 57

Step 9: Remediation Tracking

Page 58

Remediation Tracking
• Corrective Action Plan (CAP) progress
  – CAP owner
  – Implementation plan
  – Expected completion date
• Residual risk score adjustments

Page 59

07. The Certification Process

Pages 60-64

Issuing Certification
• Valid 2 years
  – Annual review within 2 months following the 1-year anniversary
• Continuous monitoring requirements
  – CAP remediation

Page 65

08. Mapping to Other Standards

Page 66

Other Standards
• HIPAA
• ISO 27001
• PCI
• NIST / CMS ARS
• Meaningful Use
• SOC 2

Page 67

Join Us Next Time

Surviving a Security Assessment
October 9, 2015
brightline.com/webinars