The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

Similar documents
Introduction to the HITRUST CSF. Version 8.1

Introduction to the HITRUST CSF. Version 9.1

HITRUST CSF: One Framework

HITRUST CSF Assurance Program HITRUST, Frisco, TX. All Rights Reserved.

Model Approach to Efficient and Cost-Effective Third-Party Assurance

SECURETexas Health Information Privacy & Security Certification Program

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

Risk Management Frameworks

HITRUST CSF Updates: How v10 and MyCSF 2.0 Improve Your HITRUST Experience. Michael Frederick, HITRUST VP Operations Ken Vander Wal, HITRUST CCO

Perspectives on Navigating the Challenges of Cybersecurity in Healthcare

HITRUST ON THE CLOUD. Navigating Healthcare Compliance

HITRUST CSF Roadmap for 2018 and Beyond HITRUST Alliance.

Altius IT Policy Collection Compliance and Standards Matrix

COBIT 5 With COSO 2013

Altius IT Policy Collection Compliance and Standards Matrix

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Achieving third-party reporting proficiency with SOC 2+

Leveraging HITRUST CSF Assessment Reports

HITRUST Common Security Framework - Are you prepared?

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Updates to the NIST Cybersecurity Framework

01.0 Policy Responsibilities and Oversight

Certified Information Security Manager (CISM) Course Overview

MANAGING CYBERSECURITY RISK IN A HIPAA-COMPLIANT WORLD ANDRE W HIC KS MB A, C IS A, C C M, CR IS C,

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

Information for entity management. April 2018

NCSF Foundation Certification

Security Management Models And Practices Feb 5, 2008

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

Peer Collaboration The Next Best Practice for Third Party Risk Management

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

All Aboard the HIPAA Omnibus An Auditor s Perspective

Introduction. Angela Holzworth, RHIA, CISA, GSEC. Kimberly Gray, Esq., CIPP/US. Sr. IT Infrastructure Analyst

TEL2813/IS2820 Security Management

Why you should adopt the NIST Cybersecurity Framework

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Business Assurance for the 21st Century

The NIST Cybersecurity Framework

Addressing the elephant in the operating room: a look at medical device security programs

PROFESSIONAL SERVICES (Solution Brief)

SOC for cybersecurity

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

SOC 3 for Security and Availability

Information Security Risk Strategies. By

The Future of HITRUST

BHConsulting. Your trusted cybersecurity partner

Executive Order 13556

Cybersecurity & Privacy Enhancements

How To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation

Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

locuz.com SOC Services

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

Avanade s Approach to Client Data Protection

Security and Privacy Governance Program Guidelines

HIPAA Security and Privacy Policies & Procedures

Effective Strategies for Managing Cybersecurity Risks

RSA Solution Brief. The RSA Solution for Cloud Security and Compliance

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Protecting your data. EY s approach to data privacy and information security

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

Exploring Emerging Cyber Attest Requirements

SSAE 18 & new SOC approach to compliance. Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services

NCSF Foundation Certification

A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions

Trust is not a Control... But you s1ll have to have it. (Or How I learned to Stop Worrying and (HI)TRUST Control Compliance Suite)

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

MIS Week 9 Host Hardening

[DATA SYSTEM]: Privacy and Security October 2013

An Overview of ISO/IEC family of Information Security Management System Standards

Federal Continuous Monitoring Working Group. March 21, DOJ Cybersecurity Conference 2/8/2011

MyCSF User Guide. Prepared By: HITRUST Frisco Square Blvd. Suite 327. Frisco, Texas P: (469) F: (469)

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Risk Analysis Guide for HITRUST Organizations & Assessors

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud

Introduction to AWS GoldBase

Operationalizing Cybersecurity in Healthcare IT Security & Risk Management Study Quantitative and Qualitative Research Program Results

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

Compliance & Security in Azure. April 21, 2018

Policies and Procedures Date: February 28, 2012

Compliance with CloudCheckr

ISACA Cincinnati Chapter March Meeting

Best Practices & Lesson Learned from 100+ ITGRC Implementations

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016

USING QUALYSGUARD TO MEET SOX COMPLIANCE & IT CONTROL OBJECTIVES

Cybersecurity in Higher Ed

Four Deadly Traps of Using Frameworks NIST Examples

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

Information Technology Branch Organization of Cyber Security Technical Standard

Mapping BeyondTrust Solutions to

Transcription:

The HITRUST CSF A Revolutionary Way to Protect Electronic Health Information June 2015

The HITRUST CSF 2 Organizations in the healthcare industry are under immense pressure to improve quality, reduce complexity, increase efficiency and better manage medical expenses. Information systems and data exchanges are considered fundamental for their potential to allow organizations to meet these objectives; however, the adoption of these technologies is highly regulated and introduces risks that require additional oversight and vigilance by the industry. Healthcare organizations face multiple challenges relating to information security: Redundant and inconsistent requirements and standards. Confusion surrounding implementation and acceptable minimum controls. Inefficiencies associated with varying interpretations of control objectives and safeguards. Increasing scrutiny from regulators, auditors, underwriters, customers and business partners. Growing risk and liability, including data breaches, regulatory violations and extortion. The Health Information Trust Alliance (HITRUST) believes that despite these challenges information security is critical to the broad adoption, utilization and confidence in health information systems, medical technologies and electronic exchanges. HITRUST, in collaboration with healthcare, business, technology and information security leaders, works to identify issues and obstacles to protecting information and develops approaches to standardize, streamline and simplify security in a manner that is applicable to all organizations in the healthcare industry. The product of this collaboration is the HITRUST CSF, a certifiable framework that all healthcare organizations that create, access, store or exchange electronic health and other sensitive information can implement. By adopting the CSF, organizations can better protect their electronic information assets and build greater trust and efficiencies in the electronic flow of information within the healthcare system.

3 The HITRUST CSF The most widely adopted security framework in the U.S. healthcare industry and an invaluable tool for healthcare security professionals, the CSF provides organizations with the needed structure, detail and clarity relating to information security that is tailored to the healthcare industry. It includes a prescriptive set of controls and supporting requirements that clearly define how organizations meet the objectives of the framework. According to type, size and complexity of the organization and its systems, the controls scale through multiple levels of implementation requirements that are based on risk-contributing factors. The HITRUST CSF also addresses the challenges of the industry by leveraging and cross-referencing existing standards and regulations. This avoids introducing redundancy and ambiguity into the industry and helps simplify an organization s compliance efforts. The CSF normalizes these sources in such a way that organizations can quickly understand their compliance status across a wide range of standards and other authoritative sources. By implementing the CSF, organizations will have a common security baseline and a method for communicating validated security controls to all of their constituents. Enhancements to the CSF Version 7.0 HITRUST provides regular updates to the CSF to ensure it remains relevant to the organizations that rely upon it to address evolving security requirements and maintain regulatory compliance. Recent updates include new guidance pertaining to: HIPAA Privacy Rule NIST SP 800-53 r4, Appendix J, Privacy Control Catalog Catalog of Minimum Acceptable Risk Controls for Exchanges Exchange Reference Supplement v1 IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, 2014 release CMS Information Systems Acceptable Risk Safeguards, Appendix A, CMS High Impact Level Data, v2 Organization of the CSF The HITRUST CSF is a comprehensive framework developed to aid organizations that create, store, access or exchange electronic health and other sensitive information. The CSF is comprised of two components: Information Security Implementation Requirements and a Standards and Regulations Mapping.

4 Information Security Implementation Requirements The CSF s Information Security Implementation Requirements provide certifiable, best-practice-based specifications that scale according to the type, size and complexity of an organization s environment to provide prescriptive implementation guidance. It includes both recommended security governance practices (e.g., organization, policies, etc.) and sound security control practices (e.g., people, process, technology) to ensure the effective and efficient management of information security. Control Framework The CSF contains 14 security control categories comprised of 45 control objectives and 149 control specifications. The CSF Control Categories, along with the number of Objectives and Specifications, are: Information Security Management Program (1,1) Access Control (7, 25) Human Resources Security (4, 9) Risk Management (1, 4) Security Policy (1, 2) Organization of Information Security (2, 11) Compliance (3, 10) Asset Management (2, 5) Physical and Environmental Security (2, 13) Communications and Operations Management (10, 32) Information Systems Acquisition, Development and Maintenance (6, 13) Information Security Incident Management (2, 5) Business Continuity Management (1, 5) Privacy Practices (3, 14) Alternate Controls With the diverse nature of today s information systems, organizations may find it difficult or not practical to meet the CSF s requirements. Because of this, the CSF supports a concept of approved Alternate Controls as a risk mitigation or compensation strategy for a system control failure. HITRUST has defined an alternate control process that provides for the streamlined proposal, approval and implementation of Alternate Controls across all organizations. This allows the entire industry to continually improve its security and compliance stance. An Alternate Control is defined as a management, operational or technical control (i.e., safeguard or countermeasure) that can be employed by an organization in lieu of the level 1, 2 or 3 implementation requirements defined in the CSF that provides equivalent or comparable protection for an organization s information system.

5 Standards and Regulations Mapping The Standards and Regulations Mapping helps reconcile the HITRUST CSF with multiple common and accepted standards and regulations applicable to healthcare organizations. The tool maps each control specification and implementation requirement so that one can clearly understand the alignment between HITRUST s requirements and those of other standards, thus aiding compliance efforts. In addition, the Mapping identifies any gaps not addressed by other sets of requirements that are covered by the HITRUST CSF. The tool gives organizations a 360 perspective of their information security landscape. Covered standards and regulations include: 16 CFR Part 681 Identity Theft Red Flags 201 CMR 17.00 State of Massachusetts Data Protection Act: Standards for the Protection of Personal Information of Residents of the Commonwealth Cloud Security Alliance (CSA) Cloud Controls Matrix Version 1.1 CMS Information Security ARS 2013 v2: CMS Minimum Security Requirements for High Impact Data COBIT 4.1 (with associated mappings to COBIT 5): Deliver and Support Section 5 Ensure Systems Security Federal Register 21 CFR Part 11: Electronic Records; Electronic Signatures Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements HIPAA Federal Register 45 CFR Part 164, Subpart C: HIPAA Administrative Simplification: Security Standards for the Protection of Electronic Protected Health Information (Security Rule) HIPAA Federal Register 45 CFR Part 164, Subpart D: HIPAA Administrative Simplification: Notification in the Case of Breach of Unsecured Protected Health Information (Breach Notification Rule) HIPAA Federal Register 45 CFR Part 164, Subpart E: HIPAA Administrative Simplification: Privacy of Individually Identifiable Health Information (Privacy Rule) IRS Publication 1075 v2014: Tax Information Security Guidelines for Federal, State and Local Agencies: Safeguards for protecting Federal Tax Returns and Return Information ISO/IEC 27001:2005: Information technology Security techniques Information security management systems Requirements ISO/IEC 27001:2013: Information technology Security techniques Information security management systems Requirements ISO/IEC 27002:2005: Information technology Security techniques Code of practice for information security management

6 ISO/IEC 27002:2013: Information technology Security techniques Code of practice for information security controls ISO/IEC 27799:2008: Health informatics Information security management in health using ISO/IEC 27002 Joint Commission (formerly the Joint Commission on the Accreditation of Healthcare Organizations, JCAHO) MARS-E v1.0: Catalog of Minimum Acceptable Risk Controls for Exchanges Exchange Reference Architecture Supplement NIST Framework for Improving Critical Infrastructure Cybersecurity v1.0: Framework Core Subcategories NIST Special Publication 800 53 Revision 4 (Final), including Appendix J Privacy Control Catalog: Security Controls for Federal Information Systems and Organizations NIST Special Publication 800 66: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule NRS: Chapter 603A State of Nevada: Security of Personal Information Payment Card Industry (PCI) Data Security Standard Version 3.0: Information Management (IM) Standards, Elements of Performance, and Scoring Texas Health and Safety Code 181 State of Texas: Texas Medical Records Privacy Act Title 1 Texas Administrative Code 390.2 State of Texas: Standards Relating to the Electronic Exchange of Health Information Implementing the CSF Implementation of the HITRUST CSF will vary by organization in both time commitment and level of effort. This can be due to several factors, including: Complexity of the individual organization s information systems environment. Maturity of the current security processes and controls. Number of resources available to the organization.

7 Assessing Against the CSF Despite these variations, all organizations can follow the same process in preparing for and performing an assessment of their existing infrastructure against the CSF. This consistent process allows organizations to feel secure in the success of their CSF implementations and confident that other organizations have performed equal due diligence to achieve compliance with the CSF. HITRUST CSF Assessment Activities Inputs Outputs - Resource requirements - Project management tools - Available resources Step 1: Project Startup - Staffed project - Project management processes - Organization chart - Business unit contact information - Asset inventory list - Information classification - Policies and procedures - Prior assessment reports - Auditing and monitoring records and logs - Observable practices - Management - System owners - Key stakeholders - Detailed configuration settings - Vulnerability scans - Penetration tests - Noncompliant CSF controls - Analysis of results with observations - Final report - Remediation plan Step 2: Define Organizational Scope Step 3: Define System Scope Step 4: Examine Documentation & Practices Step 5: Conduct Interviews Step 6: Perform/Review Technical Testing Step 7: Alternate Control Identification and Selection Step 8: Reporting Step 9: Remediation Tracking Remediation Assessment Scoping - Identified key stakeholders including site coordinator - Identified business unit information entered into tool - Identified system owners - Identified information system information entered into tool - Identified high risk areas (storage, processing or transmission of ephi) - Policies, procedures and supporting documents for each bus. unit system - Documented findings, if any - Inherent compliance score - Documented findings, if any - Inherent compliance score - Documented findings, if any - Inherent compliance score - Data entered into MyCSF assessment - Residual compliance score - Final report - Remediation plan - Management response - Remediation of highest risk areas of noncompliance - Residual compliance score

8 Access your Copy of the CSF MyCSF is a full-featured, user-friendly, fully-integrated and managed tool that streamlines the entire information compliance and risk management process, from policy creation, approval and publication to risk assessment and remediation as well as incident and exception management. The optimized and powerful tool marries the content and methodologies of the CSF and CSF Assurance Program with the technology and capabilities of a governance, risk and compliance (GRC) tool. Offered as a service, MyCSF provides healthcare organizations of all types and sizes a fully integrated, web-based solution for accessing the HITRUST CSF. In addition, it incorporates content and features for managing policies, performing assessments, streamlining remediation activities, reporting and tracking compliance and servicing exceptions and incidents. There are two ways to access MyCSF; purchase a self/validated assessment report or purchase a subscription. Self/Validated Assessment Reports: This access, known as assess only is limited to 90 days and grants an organization access to perform an assessment and receive their report. After 90 days, an organization no longer has access and the information is no longer available. Any subsequent assessments will then be performed from scratch. MyCSF Subscription: With a subscription to MyCSF, organizations receive complete access to the CSF and authoritative sources, as well as the expanded benefit of having a complete picture of not only their current state of compliance, but also the support and direction needed to track and manage their remediation efforts and to report on their progress. Subscriptions vary in relation to users, assessments and functionality. To learn more about a subscription to MyCSF, contact sales@hitrustalliance.net to best determine which configuration will best meet your needs. For more information about HITRUST, the HITRUST CSF and other HITRUST offerings and programs, visit HITRUSTalliance.net. About HITRUST The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar or, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST, in collaboration with healthcare, business, technology and information security leaders, has established the CSF, a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. Beyond the establishment of the CSF, HITRUST is also driving the adoption of and widespread confidence in the framework and sound risk management practices through awareness, education, advocacy and other outreach activities.

855.HITRUST (855.448.7878) www.hitrustalliance.net

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback