HITRUST 2015 Breakout Session HITRUST CSF: GETTING STARTED THROUGH GETTING ASSESSED

Transcription

1 HITRUST 2015 Breakout Session HITRUST CSF: GETTING STARTED THROUGH GETTING ASSESSED

2 Gain Insight into HITRUST Certification Assessment Experience from two Perspectives HCSC HITRUST Experience Brenda Callaway, Executive Director, Information Security Compliance and Disaster Recovery Coalfire HITRUST Assessor Tom Glaser, Coalfire Consultant Key Points What to Expect How to Prepare Benefits of Certification Q&A Session Copyright Text 2

3 The HCSC HITRUST experience March 11, 2015

4 The focus is broader than HIPAA and NAIC- MAR HIPAA MARS- E NAIC- MAR Associa(on Admin SimplificaKon Compliance PCI Compliance (Retail) Members Government and Regulators Customers SOC 1 SOC 2 HITRUST

5 Health InformaKon Trust Alliance at a high level Founded in 2007 Born out of the belief that informakon proteckon should be a core pillar of, rather than an obstacle to, the broad adopkon of health informakon systems and exchanges. In collaborakon with public and private healthcare technology, privacy and informakon security leaders, HITRUST has championed programs instrumental in safeguarding health informakon systems and exchanges while ensuring consumer confidence in their use. Established : a common risk and compliance management framework (CSF); an assessment and assurance methodology; educakonal and career development; advocacy and awareness; and a federally recognized cyber InformaKon Sharing and Analysis OrganizaKon (ISAO).

6 HITRUST Common Security Framework (CSF) The HITRUST Common Security Framework is a viable alternakve to developing a custom framework HITRUST unifies all targeted frameworks and standards relevant to health care Control prackces tailored to the health care environment Self- assessment criteria for control and supporkng control prackce compliance

7 The CSF brings controls together The HITRUST CSF adds measurable value by integrakng and enhancing (adding context and/or clarifying) specific components of U.S. and internakonal standards: ISO control framework (27001/27002) NIST control implementakon and audit procedures (800-66, ) PCI prescripkve security controls (PCI DSS) CobIT business process focus (CobIT 4.0) ITIL definikons HIPAA regulatory requirements

8 Standards- based Broad and diverse membership allows the HITRUST CSF to accommodate the best industry prackces and standards Providers, health plans, pharmacies, PBM s and manufacturers Professional services firms InformaKon security and technology vendors Final result is a tailored, comprehensive, and scalable security cerkfiable framework for organizakons that handle protected health informakon

9 Benefits Standardizing on a higher level of security will build greater trust in the electronic flow of informakon through the healthcare system. The common security framework also will provide greater risk proteckon by: Reducing risk: Reducing risk, cost and confusion by incorporakng best prackces and loss experiences Increasing confidence: Increase confidence in the industry s ability to address informakon security, and streamline interackons with consumers, regulators and legislators Measuring costs: Establish a single benchmark for organizakons to facilitate internal and external measurement Reducing complexity: Reduce the number, complexity, and degree of variakon in security audits or reviews that organizakons impose upon their trading partners; in effect establishing trust through cerkficakon Being Trusted and being able to Trust business partners relating to information security

10 A Texas- sized benefit Because the HCSC family includes Blue Cross and Blue Shield of Texas, the HITRUST Texas Covered EnKty Privacy and Security CerKficaKon Program had appeal as well. HITRUST and Texas Health Services Authority (THSA) partnered to develop and implement the Texas Covered EnKty Privacy and Security CerKficaKon Program,- - the first state- recognized cerkficakon of its kind. It is a cerkficakon that Texas covered enkkes can introduce in an ackon or proceeding imposing an administrakve penalty or assessing a civil penalty related to an unauthorized disclosure.

11 HCSC s ongoing interackon with HITRUST HCSC has tracked HIRUST for several years and parkcipated in a number of ackvikes to understand its value to HCSC and the health care industry overall ParKcipaKon in HITRUST commibees Discussions with key partners who have undergone HITRUST cerkficakon process ExecuKon of pre- assessment with HITRUST- cerkfied partner ParKcipaKon in HITRUST CyberRx exercise ExecuKon of formal CSF assessment and Texas state law cerkficakon

12 The future of compliance MeeKng Compliance MiKgaKng Risks Consolida(on HIPAA Health Insurance Portability and Accountability Act NAIC/MAR NaKonal AssociaKon of Insurance Commissioners Model Audit Rule MARS- E Minimum Acceptable Risk Standards for Exchanges SOC- 1 Service OrganizaKon Control (type 1) SOC- 2 Service OrganizaKon Control (type 2) HITRUST IT- related events that could potenkally impact the business. The uncertainty, frequency and magnitude, of an event creates challenges for HCSC to meet strategic goals and objeckves. Controls are implemented to address and mikgate the risk.

13 HITRUST & SOC2 HITRUST CSF Assessment Covers security and to an extent privacy- - informakon shows that new controls for privacy will be included moving forward Pre- defined control statements that are the same across enkkes Designed for the unique requirements of the health care industry SOC 2 May carry weight with customers who are familiar with the SOC1 Provides some flexibility for enkty to design controls Offers an opportunity to review controls across five trust domains: Security, Privacy, Availability, Processing Integrity, ConfidenKality

14 Good news for HITRUST & SOC2 Combined CSF and SOC2 Reports: HITRUST and the American InsKtute of CPAs (AICPA) have partnered to enable organizakons to use the HITRUST CSF as the controls for their SSAE16 SOC2. Converged HITRUST and AICPA reporkng helps organizakons leverage the work invested in a CSF implementakon to meet their SOC2 reporkng requirements.

15 The assessment ground rules Minimize Audit Fa(gue Embed and synchronize assessments (evalua(ons) for risk and controls evaluakon processes within the COE Op(mize and synchronize controls into a Unified Control Framework Streamline Processes and Communica(on Standardize and harmonize build a common vocabulary and approach to risk and controls assessments Coordinate Risk Areas to present a complete porfolio view of risks.

16 The assessment nuts & bolts SME - Interviews HITRUST was on- site conduckng audit interviews in October 2014 InformaKon Security Data Center operakons Infrastructure Physical Security / FaciliKes Privacy Network Timelines Aggressive Kmeline

17 Understanding and interprekng the controls Covered informakon shall be cleared from the equipment, or the maintenance personnel shall be sufficiently cleared prior to all maintenance.

18 All GAPS must have CAPS Plan adequate (me to develop your Correc(ve Ac(on Plans (CAPs) You have some ability to accept risk when the gaps are iden(fied Make sure your SMEs can commit to closing the gaps HITRUST needs Kme to review your CAPs Don t be afraid to challenge or ask queskons of the HITRUST reviewers Gaps ranked as 3 or higher (on 5- point scale) Words maner Gaps related to policy somekmes seem very prescripkve in terms of the wording

19 What we learned HITRUST cerkficakon applies to specific applicakons. You can determine which ones are in scope. This is a point to stress with your SMEs. It took us a bit to adjust to when we needed to answer a control at an enterprise or applicakon- specific level. HITRUST will review the progress on our CAPs at the 1- year mark of our 2- year cerkficakon period

20 Where do we go from here Communicate with internal / external stakeholders regarding our cerkficakon Regularly check in with our SMEs on progress against the CAPs Use the CSF as the basis for our internal HIPAA Security self- assessment Prepare for 1- year HITRUST check- in Encourage our vendors to look into HITRUST cerkficakon

21 Getting Assessed: HITRUST Assessor Steps to Certification 1. Pre-assessment activities 2. Scoping 3. Documentation review 4. Interview discussions 5. Control testing 6. Remediation 7. Reporting & Certification Copyright Text 21

22 1. Pre-assessment activities Project Coordinator MyCSF Portal Select HITRUST Assessor Copyright Text 22

23 2. Scoping Business Units in scope Stakeholders Select HITRUST Assessor CSF organizational factors Copyright Text 23

24 3. Documentation review Control assessment guidance Processes and procedures Overall security policy Copyright Text 24

25 4. Interview discussions Control assessment guidance Processes and procedures Overall security policy Copyright Text 25

26 5. Control testing Control assessment guidance Configuration settings Sampling Copyright Text 26

27 6. Remediation Control exceptions Alternate control request Compensating control Copyright Text 27

28 7. Reporting Validated Certified Signed participation agreement Copyright Text 28

29 Q&A

30 HITRUST MeeKng Cyber Security May 21, 2015 Brenda Callaway

31 Discussion Topics Issue Overview Challenges PreparaKon 2

32 Words of Wisdom Benjamin Franklin: By failing to prepare, you are preparing to fail Snoopy: Five minutes before the party is a bad moment to learn how to dance 3

33 Cyber Security Data Breach Los Angeles- based Wedbush SecuriKes surveyed 1,022 consumers via the Internet both before and aler Anthem disclosed the data breach on Feb. 4. The breach has sparked nearly 100 lawsuits seeking class- ackon status. Wedbush analyst Sara James: the willingness to pay for the Anthem brand actually increased aler the breach. We believe this could reflect the. willingness to pay more for a service that addresses the breach quickly and effec(vely. 4

34 Challenges What are some of the challenges faced during a cyber security data breach? IdenKficaKon of impacted data elements, inconsistencies or unknowns Third party vendor management Data and reporkng requirements Secure storage of data and reports Government and Customer expectakons Surge capacity for team members 5

35 PreparaKon What are some ackons to take to prepare for a cyber security data breach? Create checklists and crisis management playbooks Develop CM team structure Document escalakon process Establish communicakon strategy Engage with Legal and Privacy Office Include data analyst team PreventaKve measures (Cybersecurity team) Conduct tabletop exercises 6