Understanding the HITRUST Common Security Framework:
    Presentation Transcript

    • Understanding the HITRUST Common Security Framework: Why, What and How Educational Webcast - September 16, 2008
    • Welcome
    • Faculty
      • Moderator
        • Russell Pierce, Chief Information Security Officer
        • CVS Caremark
      • Presenters and panelists
        • Cliff Baker, Director – Health Information Technology
        • PricewaterhouseCoopers
        • Brian Fuller, Director – Information Security Practice
        • BearingPoint
        • Michael Cook, Manager – Risk Management
        • Humana
        • Michael Frederick, Director of Information Security and CISO
        • Baylor Health Care System
    • Need for a Common Security Framework
      • CVS Caremark perspective
        • Quick facts
          • 190,000 Employees
          • Approximately $80 billion in annual revenue
          • No. 1 provider of prescriptions in the nation – More than 1 billion prescriptions filled or managed annually
          • No. 1 Specialty Pharmacy
          • 6,300 CVS/pharmacy stores in 40 states
          • 4+ million customers per day shop at a CVS/pharmacy store
          • No. 1 Retail Medical Clinic Operator – 500+ MinuteClinic locations in 25 states
          • More than 1.8 million MinuteClinic patient visits
    • Need for a Common Security Framework
      • CVS Caremark perspective
        • Facing multiple challenges with regards to information security:
          • Costs and complexities of redundant and inconsistent requirements and standards
            • Multiple certifications (internal & external)
            • Business partner review and certification
          • Confusion around implementation and acceptable baseline controls
          • Information security audits subject to different interpretations of control objectives and safeguards
          • Increasing scrutiny from regulators, auditors, underwriters, customers
          • Growing risk and liability associated with information protection
    • Industry Needs to Take Action
      • Healthcare organizations need to better address information security
      • Industry needs to identify and adopt a single approach to information security
        • Model that meets the needs of the entire organization
        • Model that scales based on risk and complexity
          • Applicable
          • Practical
        • Model that is certifiable
          • Provides for clarity and understanding ( Prescriptive )
        • Addresses the risks and requirements associated with business partners
    • HITRUST Common Security Framework Components
      • (Slide diagram; only its labels survived extraction)
      • Standards and materials leveraged: HITRUST member experience, Health Informatics (ISO 27799), NIST 800 Series, U.S. healthcare industry implementation standards, others
      • Information Security Management System – Primary Ref: ISO/IEC 27001:2008
      • Control Objectives – Primary Ref: ISO/IEC 27002:2005
      • CSF components: Information Security Implementation Manual, Standards and Regulations Cross Reference Matrix, Readiness Assessment Toolkit
      • Cross-reference matrix excerpt: rows Cntrl 1, Cntrl 2, Cntrl 3 mapped against the columns HITRUST, NIST, COBIT, HIPAA (the individual X marks are not recoverable)
      • Self Assessment Process; Certification Process
    • HITRUST Common Security Framework
      • The HITRUST Common Security Framework (CSF) is a comprehensive set of tools developed to aid organizations that create, store, access or exchange electronic health and other sensitive information in protecting their information assets and managing related risks, costs and complexities.
      • The CSF is comprised of three components:
      • The Information Security Implementation Manual: A certifiable, best-practice based specification that includes required sound security governance practices (e.g., organization, policies, etc.) and sound security control practices (e.g., people, process, technology) that scales according to the type, size and complexity of each organization to provide prescriptive implementation guidance
      • The Standards and Regulations Cross-Reference Matrix: A tool to help reconcile the framework to common and different aspects of generally adopted standards
      • The Readiness Assessment Toolkit: A toolkit that enables assessment (self or third party) and scoring of an organization’s information security environment against the Information Security Implementation Manual
    • HITRUST CSF Info. Sec. Implementation Manual Example
        • Design
          • Prescriptive to ensure clarity
          • Certifiable to enable common understanding and acceptance
          • Scales according to type, size, and complexity of an organization
          • Designed to address business requirements specific to each segment of the industry. These segments include:
            • Health plan/PBM, Provider
            • Pharmacy, Pharmaceutical manufacturer
            • Data network/clearing houses
          • Risk-based approach to allow organizations to identify the appropriate level of controls. This includes:
            • Risk contributing factors – elements that drive risk in an organization
            • Multiple levels of implementation requirements determined by risks and thresholds
          • Leverages existing globally recognized standards and avoids introducing additional redundancy and ambiguity into the industry
    • Benefits
      • Standardizing on a higher level of security will build greater trust in the electronic flow of information through the healthcare system.
      • The common security framework also will provide greater risk protection by:
        • Reducing risk: Reducing risk, cost and confusion by incorporating best practices and loss experiences
        • Increasing confidence: Increase confidence in the industry’s ability to address information security, and streamline interactions with consumers, regulators and legislators
        • Measuring costs: Establish a single benchmark for organizations to facilitate internal and external measurement
        • Reducing complexity: Reduce the number, complexity, and degree of variation in security audits or reviews that organizations impose upon their trading partners; in effect establishing trust through certification
      Being trusted and being able to trust business partners relating to information security
    • Regulatory Conformity
      • Health Insurance Portability and Accountability Act (HIPAA)
        • Privacy Rule
          • Provides a means for covered entities to implement reasonable and appropriate safeguards for the protection of Protected Health Information (PHI)
        • Security Rule
          • Address requirements
            • Demonstrates a prudent and comprehensive approach towards compliance
            • Certifiable standards that map to all elements of security rule
            • Provides a framework that matches "process" elements of security rule with measurable and effective security standards
          • Industry and regulator benefits
            • Provides a standardized approach for business associates to meet contractual obligations
            • Permits covered entities to meet due diligence standards for business associates
            • Provides a framework for health information exchange networks to use as a model
            • Provides regulators with an easy means of reviewing compliance approach, by standardizing the approach to security documentation
      • Also provides a means to meet the requirements of other regulations such as Sarbanes-Oxley
    • Standards Based
      • The HITRUST CSF adds measurable value by integrating and enhancing (adding context and/or clarifying) specific components of U.S. and international standards:
          • ISO’s control framework (27001/27002)
          • NIST’s control implementation and audit procedures (800-66, 800-53)
          • PCI’s prescriptive security controls (PCI DSS)
          • COBIT’s business process focus (COBIT 4.0)
          • ITIL’s definitions
          • HIPAA’s regulatory requirements
      • Broad and diverse membership allows the HITRUST CSF to accommodate the best industry practices and standards
        • Providers, health plans, pharmacies, PBMs and manufacturers
        • Professional services firms
        • Information security and technology vendors
      • Final result is a tailored, comprehensive, scalable and certifiable security framework for organizations that handle personal health information
    • Why HITRUST CSF over existing Information Security options?
      • Provides a benchmark for the healthcare industry’s adoption of information security
        • Provides a healthcare-specific industry implementation standard established through a comprehensive process, including best practices, regulations, and existing standards
        • Evolves based on industry practices, standards and experiences
        • Incorporates business requirements specific to each segment of the healthcare industry
      • Certifiable to ensure compliance, common understanding and acceptance
        • Prescriptive to ensure clarity and measurement
        • Provides accreditation and certification process to drive transparency and adoption of baseline information security controls
      • Follows a risk-based approach to allow security controls to be prioritized based on risk
      • Extensible to allow compliance in other areas, such as Sarbanes-Oxley, PCI
    • Questions and Answers Session
    • Questions and Answers and a replay of today's session will be available within the next 3 days at www.HITRUSTalliance.org/webinars/2008-09-16-Understanding_CSF.php
      • or
      • Information on the educational webcast series is available at
      • www.HITRUSTalliance.org/webinars
    • Thank you and Additional Information
      • Thank you for taking the time to attend today’s webinar. Additional material on the HITRUST CSF is available at www.HITRUSTalliance.org/csf