HITRUST CSF: One Framework

Transcription

1 HITRUST CSF: One Framework Leveraging the HITRUST CSF to Support ISO, HIPAA, & NIST Implementation and Compliance, and SSAE 16 SOC Reporting Dr. Bryan Cline, CISSP-ISSEP, CISM, CISA, CCSFP, HCISPP Senior Advisor, HITRUST Chris Halterman, CPA Executive Director, EY Ken Vander Wal, CPA, CISA, HCISPP Chief Compliance Officer, HITRUST 1

2 Topics to Cover Introduction NIST CsF Implementation for Healthcare Structure of the HITRUST CSF Leveraging the HITRUST CSF Q&A For ISO, HIPAA, & NIST Implementation and Compliance For SOC 2 Reports # 2 HITRUST One Framework

3 INTRODUCTION 3 3 HITRUST One Framework

4 Cybersecurity and Risk Management Frameworks Supported by threat intelligence, key components or functions of a robust and comprehensive cybersecurity program include Risk analysis (Identify) Control selection, implementation and maintenance (Protect) Monitor and audit (Detect) Incident management (Respond and Recover) Controls may be selected based on a traditional risk analysis, as described by NIST and DHHS, or selected and tailored from a control baseline contained in a suitable framework An information security risk management framework provides a set of principles, tools and practices to help: Ensure people, process and technology elements completely and comprehensively address risks consistent with their business objectives, including legislative, regulatory and best practice requirements Identify risks from the use of information by the organization s business units and facilitate the avoidance, transfer, reduction or acceptance of risk Support policy definition, enforcement, measurement, monitoring and reporting for each component of the security program are adequately addressed # 4 HITRUST One Framework

5 NIST CSF IMPLEMENTATION FOR HEALTHCARE 5 5 HITRUST One Framework

6 Federal Guidance for Improving Cybersecurity The NIST Framework for Critical Infrastructure Cybersecurity provides an overarching set of guidelines to critical infrastructure industries to provide a minimal level of consistency as well as depth, breadth and rigor Complements rather than replaces an organization s existing business or cybersecurity risk management process and cybersecurity program Organizations can leverage the NIST CsF to identify opportunities to improve management processes for cybersecurity risk, or if no cybersecurity program exists, use the it as a reference to establish one The NIST CsF provides critical infrastructure industries: A Framework Core set of cybersecurity activities, outcomes and references A model for the evaluation of an organization s maturity or readiness using Framework Implementation Tiers A common taxonomy and mechanism to: Describe their current and target cybersecurity posture using a Framework Profile Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process Assess progress toward the target state Communicate among internal and external stakeholders about cybersecurity risk # 6 HITRUST One Framework

7 A Model Implementation of the NIST Framework HITRUST CSF provides an implementation applicable to healthcare organizations leveraging the NIST Cybersecurity Framework HITRUST provides an RMF that is consistent with the NIST Cybersecurity Framework for the healthcare industry and either meets or exceeds the requirements, addresses non-cyber threats, and incorporates a robust assurance program. More specifically: NIST Cybersecurity Framework categorizes cybersecurity controls according to an incident response process (functions and sub-functions) as opposed to a traditional RMF HITRUST CSF provides an integrated, harmonized set of requirements specific to healthcare as compared to individual references to controls in NIST and other frameworks HITRUST CSF Assurance Program provides a harmonized set of tailorable requirements, which are fully supported by an integrated maturity model HITRUST CSF Assurance Program provides a pool of vetted assessor organizations and centralized quality assurance processes to ensure consistent and repeatable assessments # 7 HITRUST One Framework

8 STRUCTURE OF THE CSF 8 8 HITRUST One Framework

9 CSF Structure (1) The HITRUST CSF provides coverage across multiple healthcare specific standards and includes significant components from other well-respected IT security standards bodies and governance sources HIPAA Security, Data Breach Notification, & Privacy ISO/IEC 27001: , 27002:2005, 2013, 27799:2008 CFR Part 11 COBIT 4.1 NIST SP Revision 4 NIST Cybersecurity Framework (CsF) Scoping Factors Regulatory Federal, state and domain specific compliance requirements Organization Geographic factors Number of covered lives System Data stores External connections Number of users/transactions Included Standards NIST SP PCI DSS version 3 FTC Red Flags Rule JCAHO IM 201 CMR (State of Mass.) NRS 603A (State of Nev.) Analyzed, Rationalized & Consolidated Control Objectives (45) Control Categories (14) Control Specifications (149) CSA Cloud Controls Matrix version 1.1 CMS IS ARS version 2 Texas Health and Safety Code (THSC) 181 Title 1 Texas Administrative Code (TAC) MARS-E version 1 IRS Pub 1075 (2014) Control Categories 0. Information Security Management Program 1. Access Control 2. Human Resources Security 3. Risk Management 4. Security Policy 5. Organization of Information Security 6. Compliance 7. Asset Management 8. Physical and Environmental Security 9. Communications and Operations Management 10. Information Systems Acquisition, Development & Maintenance 11. Information Security Incident Management 12. Business Continuity Management 13. Privacy Practices # 9 HITRUST One Framework

10 CSF Structure (2) The CSF structure based on ISO 27001:2005 Adds additional CSF Categories 0.0, 3.0 and Controls, with up to three (3) levels per Control Multiple authoritative sources mapped to each Control by implementation level # 10 HITRUST One Framework

11 LEVERAGING THE HITRUST CSF FOR ISO, HIPAA & NIST IMPLEMENTATION AND COMPLIANCE HITRUST One Framework

12 Multiple Requirements PCI, CSA, State Req ts, COBIT Meaningful Use HIPAA Omnibus Final Rule ISO 27001/2 Texas Health & Safety Code FTC Red Flags PCI Initial high-level ISO content reinforced with additional, often more prescriptive language from relevant authoritative sources, harmonized, and fully integrated into the CSF NIST, CMS, MARS-E HIPAA NIST ISO # 12 HITRUST One Framework

13 One Program COBIT Meaningful Use ISO 27001/2 HIPAA Omnibus HITRUST Final Rule CSF Texas Health & Safety Code FTC Red Flags PCI CSA CCM SA-08 HIPAA (a)(3)(ii)(A) HIPAA (a)(3)(ii)(B) HIPAA (b) IRS Pub PCI DSS 1.1. PCI DSS TAC 390.2(a)(1) NIST # 13 HITRUST One Framework

14 Assess Once Assessing against the CSF necessarily implies one is assessing against the multiple regulations, standards and best practice frameworks upon which it s built The CSF s extensive mappings allow traceability from a CSF assessment to each of these multiple authoritative sources, which allows the control maturity and risk information from a single assessment to be parsed accordingly # 14 HITRUST One Framework

15 Report Many Standardized CSF-based reporting, e.g., CSF Certification Custom source-based reporting Roll up control maturity or risk based on authoritative sources Produce source-specific scorecards e.g., HIPAA, NIST CsF Support or produce sourcespecific reports e.g., NIST SSP, PCI SAQ, SecureTexas, SSAE 16 SOC 2 (Trust Principles) # 15 HITRUST One Framework

16 LEVERAGING THE HITRUST CSF FOR SOC 2 REPORTS HITRUST One Framework

17 SOC 2 HITRUST CSF Owned by the American Institute of Certified Public Accountants (AICPA) Designed to provide information on processes and controls at a service organization, together with an independent service auditor s opinion Processes do not have to be related to financial statement processing unlike SOC1 (ISAE 3402 / SSAE 16) Criteria updated in early AssuranceAdvisoryServices/Pages/SORHome.aspx Owned by HITRUST Leverages and enhances existing standards and regulations to provide organizations of varying sizes and risk profiles with prescriptive implementation requirements Intended to be used by any and all organizations that create, access, store, or exchange protected health information (PHI) Two major components Information security implementation requirements Mapping and regulations Updated annually currently Version 7 # 17 HITRUST One Framework

18 SOC 2 HITRUST CSF Trust Services Principles Security Availability Confidentiality Privacy Processing Integrity Select principles based on expected user needs Must then address ALL criteria for the selected principles Type 1 design Type 2 operating effectiveness CSF Framework 14 Control Categories, 45 Control Objectives 149 Control Specifications Risk factors drive control specification implementation requirements up to 3 levels Must meet all requirement specifications based on risk factors Assurance program Self Assessments Third-Party Assessments Certified Validated # 18 HITRUST One Framework

19 What Does SOC 2 / HITRUST Give Users? SOC 2 HITRUST CSF Management Assertion Independent service auditor s report Description fairly presents the in scope services Controls suitable designed to meet in scope criteria Controls have operated effectively to deliver criteria (Type 2) Description of System Description of Controls, Tests and Results of Tests Certified/validated report issued by HITRUST based on work of independent third party assessors Business/functional/organizational units that meet the associated criteria Assessment context and scope of systems included in assessment Breakdown of CSF control areas with a comparison to industry Includes maturity scores Testing summary, corrective action plans and completed questionnaire # 19 HITRUST One Framework

20 Benefits of Combining SOC 2 & CSF Assurance Leverage the HITRUST CSF controls in SOC 2 engagements Realize significant time efficiencies and cost savings by synergies between the CSF controls and Trust Services Principles and Criteria Reduce the inefficiencies and costs associated with multiple reporting requirements Service organizations controls can be considered both from the SOC2 criteria and HITRUST CSF # 20 HITRUST One Framework

21 HITRUST and AICPA Collaborating to develop and publish a set of recommendations to streamline and simplify the process of leveraging the HITRUST CSF and CSF Assurance programs for SOC 2 reporting. Work products Mapping of CSF to Trust Services Principles and Criteria (security, confidentiality and availability) (Completed) Overview document with frequently asked questions (Draft under review) HITRUST + SOC 2 Reporting Template (Under development) # 21 HITRUST One Framework

22 Excerpt from the CSF Trust Principles Mapping # 22 HITRUST One Framework

23 Examples of FAQs Is it mandatory that I use the supplied mapping when completing a SOC 2 + HITRUST CSF opinion? If you have two opinions do they need to stand alone or can they use the same body of testing work? Are the control activities and specificity of control design and operating effectiveness in the Trust Services Principles and Criteria sufficient to meet the HITRUST CSF requirements? Should the maturity of controls be assessed when completing the SOC 2 + HITRUST report? How should a qualification in SOC 2 opinion be considered for impact to HITRUST and vice versa? How are exceptions addressed in the reporting option with an opinion on both the TSPs and the CSFs? Can any service auditor that is a member of the AICPA issue such a SOC 2 + HITRUST report? # 23 HITRUST One Framework

24 HITRUST + SOC 2 Reporting Template Report Sections Management Assertion Independent Service Auditor s Report Entity s Description of its System Trust Services Principles/CSF Controls Tested and Results of Tests Mapping of Applicable Trust Services Principles and Criteria to the CSF # 24 HITRUST One Framework

25 Draft of Opinion Wording In our opinion, in all material respects, based on the description criteria identified in Example Health Service Organization s assertion and the applicable trust services criteria and CSF criteria, a. the description fairly presents the system that was designed and implemented throughout the period January 1, 20X1, to December 31, 20X1; b. the controls stated in the description were suitably designed to provide reasonable assurance that the applicable trust services criteria and CSF criteria would be met if the controls operated effectively throughout the period January 1, 20X1, to December 31, 20X1 # 25 HITRUST One Framework

26 Dr. Bryan Cline, CISSP-ISSEP, CISM, CISA, CCSFP, HCISPP Senior Advisor, HITRUST * Bryan.Cline@HITRUSTAlliance.net Chris Halterman, CPA Executive Director, EY * Chris.Halterman@EY.com Q&A Ken Vander Wal, CPA, CISA, HCISPP Chief Compliance Officer, HITRUST * Ken.VanderWal@HITRUSTAlliance.net HITRUST One Framework

27 Visit for more information To view our latest documents, visit the Content Spotlight # 27 HITRUST One Framework