Trust is not a Control... But you s1ll have to have it. (Or How I learned to Stop Worrying and (HI)TRUST Control Compliance Suite)

Size: px

Start display at page:

Download "Trust is not a Control... But you s1ll have to have it. (Or How I learned to Stop Worrying and (HI)TRUST Control Compliance Suite)"

Ginger Stafford
5 years ago
Views:

1 Trust is not a Control... But you s1ll have to have it. (Or How I learned to Stop Worrying and (HI)TRUST Control Compliance Suite) David Finn, CISA, CISM, CRISC Health IT Officer, Symantec 1

2 Objec1ves for today s session Understand what HITRUST is Appreciate the Regulatory Impact to Health Care Recognize HITRUST s Common Security Framework Know that CCS goes beyond mandates and beyond quessonnaires Comprehensive and automated IdenSfy how this soluson can benefit your customer Explain how we can address healthcare challenges 2

3 What is HITRUST? HITRUST Alliance is a collaborason among the healthcare industry, business, technology, and informason security. The Alliance is made up of leaders across the healthcare industry and include: 3

4 HITRUST Mission Establish a fundamental and holissc change in the way the healthcare industry manages informason security risks: RegulaSons and standards rasonalized into a single overarching framework tailored for the healthcare industry Prescrip(ve, Scalable, Cer2fiable Address inconsistent approaches to cersficason, risk acceptance and adopson of compensasng controls to eliminate ambiguity in the process Provide support and enable sharing of ideas, feedback, experiences among and across the industry 4

5 HITRUST, simplified To increase trust in the way health informason is safeguarded. This can be achieved by: Following a prescrip2ve approach AdopSng a de- facto industry standard* *PercepSon & reality of HITRUST HITRUST CSF is not a new standard; this is a misconcepson. The CSF supplements the exissng controls with the industry knowledge and leading pracsces of HITRUST s community and provides the clarity and consistency lacking in many standards and regulasons. The CSF is the only framework that is built to provide scalable security requirements based on the different risks and exposures of organizasons in the healthcare industry. 5

6 HITRUST Standards & Regula1ons Overlap COBIT ISO /2 HIPAA Security HITECH Act HITRUST CSF PCI FTC Red Flags Meaningful Use PresentaSon IdenSfier Goes Here 6

7 Compliance Challenges 7

8 Healthcare Industry Informa1on Security Challenges The Risk Assessment Costs and complexises of redundant and inconsistent requirements and standards MulSple cersﬁcasons (internal & external) The (C)EHR vs HIPAA Business partner review and cersﬁcason Confusion around implementason and acceptable baseline controls InformaSon security audits subject to diﬀerent interpretasons of control objecsves and safeguards Increasing scrusny from regulators, auditors, underwriters, customers Growing risk and liability associated with informason protecson Symantec Healthcare SYMANTEC VISION

9 Overview of the Common Security Framework (CSF) 9

10 HITRUST Compliance Assurance Process Scope Assessment Applicable Controls CHIP/CSF Assessment Template Control Assessment Assessment Reports HITRUST Assessor Audit HITRUST CerSficaSon 10

11 HITRUST Compliance Assurance Process Scope Assessment Applicable Controls CHIP/CSF Assessment Template Control Assessment Assessment Reports HITRUST Assessor Audit HITRUST CerSficaSon 11

12 HITRUST Compliance Assurance Process Scope Assessment Applicable Controls CHIP/CSF Assessment Template Control Assessment Assessment Reports HITRUST Assessor Audit HITRUST CerSficaSon 12

13 HITRUST Compliance Assurance Process Scope Assessment Applicable Controls CHIP/CSF Assessment Template Control Assessment Assessment Reports HITRUST Assessor Audit HITRUST CerSficaSon 13

HITRUST Compliance Assurance Process Scope Assessment Applicable Controls CHIP/CSF Assessment Template HITRUST Assessor Audit Conducted by formally

14 HITRUST Compliance Assurance Process Scope Assessment Applicable Controls CHIP/CSF Assessment Template HITRUST Assessor Audit Conducted by formally cersfied CSF Assessors hfp:// assessors/ Control Assessment Assessment Reports HITRUST Assessor Audit HITRUST CerSficaSon 14

HITRUST Compliance Assurance Process Scope Assessment Applicable Controls CHIP/CSF Assessment Template HITRUST CerSficaSon Based on inspecson

15 HITRUST Compliance Assurance Process Scope Assessment Applicable Controls CHIP/CSF Assessment Template HITRUST CerSficaSon Based on inspecson of all CSF control audit reports Sample cersficason report Control Assessment Assessment Reports HITRUST Assessor Audit HITRUST CerSficaSon 15

16 HITRUST / Control Compliance Suite (CCS) Implementa1on 16

17 Where does CCS fit it? Automa(on of HITRUST CSF Assurance Program Scope Assessment Applicable Controls CHIP/CSF Assessment Template Control Assessment Assessment Reports Control Compliance Suite automates: - CSF framework management - Assessment, RemediaSon & Monitoring of CSF Controls - CSF Assessment ReporSng - ConSnuous Risk Assessment - Asset Management HITRUST Assessor Audit HITRUST CerSficaSon 17

CCS Structure: GRC Framework for Healthcare Industry Mandates

Threats to the Info Sec assets of the Healthcare organizason

securing the Info Sec assets of the healthcare organizason

Standards - Industry best plakorm coverage Vulnerabili1es

through patching and updates Ques1ons - - HITRUST CHIP

18 CCS Structure: GRC Framework for Healthcare Industry Mandates HIPAA, HITECH, PCI DSS, US Privacy Statues, FISMA, etc Risks Threats to the Info Sec assets of the Healthcare organizason that should be misgated Policies Internal objecsves for securing the Info Sec assets of the healthcare organizason Controls Framework HITRUST CSF Controls Checks CIS/SE Standards - Industry best plakorm coverage Vulnerabili1es Threats to systems via known attack vectors usually mitigated through patching and updates Ques1ons - - HITRUST CHIP Assessment CCS quessonnaires 3 rd Party Data - CCS Connectors for leading security products 18

19 Summary Compliance for Mul1ple Mandates 19

20 HIPAA Compliance Repor1ng & Remedia1on Drill down to inves1gate low compliance score View evidence for failed controls Drill down on asset to iden1fy failed controls 20

21 Proac1ve Risk Assessment based on HITRUST Controls Access Control Risk for hospitals Dallas hospital has the central hospital database! High risk with SQL server Create remedia1on plan 21

22 CCS Support for HITRUST CSF Controls Framework 22

23 Mapping of CSF Controls to Assessment Ques1ons 23

24 Mapping of HIPAA Mandate to CSF Controls 24

25 HIPAA Compliance Audit Report 25

26 HITRUST CSF Applicable Controls Based on Scope Assessment 26

27 Key Takeaways - - What CCS Delivers Beyond mandates - Risk focus! Beyond quessonnaires Automated Technical Assessments! 50+ Standards - Broadest plakorm coverage End- to- end automason for HITRUST CSF implementason Audit- ready reports for HITRUST cersficasons Full support for HITRUST CHIP assessments IntegraSon with popular security products for 360 degree InfoSec posture 27

28 References 28

29 References HITRUST CSF Official WebSite hfp:// HITRUST CSF Tutorials/Webinars hfp:// Symantec Control Compliance Suite hfp:// compliance- suite 29

30 Thank You Discussion David S. Finn, CISA, CISM, CRISC Health IT Officer

HITRUST CSF Assurance Program HITRUST, Frisco, TX. All Rights Reserved.

HITRUST CSF Assurance Program HITRUST CSF Assurance Program The Need Organizations facing multiple and varied assurance requirements from a variety of parties Increasing pressure and penalties associated