HIPAA and HITRUST on Amazon Web
Services (AWS)
Steve Zeller
VP, Logicworks
www.logicworks.com
©2017 Logicworks. All rights reserved.
About Logicworks
Logicworks helps software companies tackle healthcare and healthcare companies deliver software on AWS.
Our services: Cloud Strategy, Cloud Assessment, Cloud Optimization, Cloud Management
Our customers: (customer logos in the original slide)
Independently Validated
Audited by 3rd Parties to Validate Security & Compliance (audit and certification logos in the original slide; HITRUST: coming soon…)
HITRUST certification is a major initiative for many health and health tech companies in 2018.
Cybersecurity Frameworks
Cybersecurity Frameworks Used for HIPAA Compliance in 2018 (% of healthcare companies, bar chart in the original slide):
NIST: 57.9%
ISO: 18.5%
HITRUST: 26.4%
None: 16.9%
Source: HIMSS Cybersecurity Survey 2018
What is HITRUST?
• HITRUST is a certifiable, prescriptive framework
• It harmonizes existing controls and requirements applicable to healthcare
• Subsumes HIPAA Final Rule requirements
• Required if you do business with top insurance companies
Source: HITRUST Alliance
Q: If I’m HITRUST Certified, Am I HIPAA Compliant?
Answer: Yes!
§ HITRUST is a cybersecurity framework that can be used (like NIST, ISO, etc.) as a foundation for your HIPAA assessment
§ According to HITRUST, the HITRUST CSF™ is equal to “credible HIPAA compliance”
§ HITRUST states that the HITRUST CSF™ certification has been previously accepted by the OCR as supplementary evidence of compliance with HIPAA
HIPAA vs. HITRUST
HIPAA                            | HITRUST
Regulation                       | Security framework
Vague                            | Clear, prescriptive
Required by law                  | Certifiable
20 years old                     | Regularly updated
Specific to ePHI and HIPAA only  | Can address other standards (SOC, GDPR)
Addresses compliance only        | Promotes security while addressing compliance
Source: Coalfire
Why HITRUST?
HITRUST is a higher bar than HIPAA compliance. If you’re starting from square one, meet HIPAA standards first.
§ More clear and prescriptive than HIPAA
§ Many healthcare companies are requiring this certification for vendors
§ Solid competitive differentiator for Business Associates
§ Focuses on cybersecurity as well as compliance

Case Study: Population Health SaaS Company
Population Health SaaS Company
Company: Subsidiary of major insurance company
Industry: Healthcare SaaS
Description: Online diabetes and weight loss support platform
§ Parent organization introduced new requirement of HITRUST compliance from subsidiaries
§ Existing relationship with AWS + Logicworks
§ AWS environment already met HIPAA compliance requirements
§ Desire to rebuild environment to HITRUST standards in <6 months
Process of HITRUST Certification
1. Plan
   • Identify controls co-owned or solely owned by each party
   • Data classification and sensitivity of applications
2. Enable Controls
   • Identify remediation (or improvements)
   • Leverage and extend existing automation
3. Self-Assessment
   • Provide process documentation, evidence
   • Point-in-time samples
   • Ability to provide reporting ongoing
4. Assessment
   • Formal Assessment process. At this point, nothing can be added or remediated
5. Certification
   • Two possible results: Certified Report or Validated Report
Continuous Improvement: the cycle repeats after certification
Step 1: Plan
1. Company chose a CSF Assessor (Coalfire)
2. Got access to the MyCSF Portal (starts at $12,500 for a yearly subscription)
3. Determined the set of controls that apply to their organization
4. Signed a BAA with Amazon and Logicworks
Step 1: Plan
(Figure: shared-responsibility map, shown twice in the original deck: first for the customer alone, then with Logicworks’ responsibilities overlaid.)
Security and management layers: Customer Data, Applications; Cloud Native Security Features; Regulatory Compliance; Threat Remediation; Monitoring & Availability; DevOps Pipeline; Patches & Updates; Budget / ROI
Cloud adoption: Architecture, Design, Build / Migrate, Train / Certify
Infrastructure: Compute, Storage, Database, Networking; Regions, Availability Zones, Edge Locations (AWS / Azure)
Outcomes with Logicworks: Speed, Efficiency, Confidence
Step 1: Plan: Who Owns Which Controls?
§ The company had about 375 controls
§ Nearly half of those controls were taken care of by AWS and Logicworks
§ AWS takes care of physical security controls, Logicworks takes care of all infrastructure-level security configurations, the company takes care of application and personnel controls
Control ownership (chart): Company: 200; AWS + Logicworks: 175
Step 2: Enable Controls
CSF Domains
1. Information Protection Program
2. Endpoint Protection
3. Portable Media Security
4. Mobile Device Security
5. Wireless Security
6. Configuration Management
7. Vulnerability Management
8. Network Protection
9. Transmission Protection
10. Password Management
11. Access Control
12. Audit Logging and Monitoring
13. Education, Training and Awareness
14. Third-Party Assurance
15. Incident Management
16. Business Continuity & Disaster Recovery
17. Risk Management
18. Physical & Environmental Security
19. Data Protection & Privacy
Step 2: Enable Controls
(Figure: control mapping diagram; source: cloudauditcontrols.com)
(Figure: Hub-Spoke VPC architecture diagram)
Automation: The Key to Continuous Compliance
What is Continuous Compliance?
Continuous compliance is a framework of automated procedures and toolchains designed to formalize infrastructure design and automate IT controls to protect your system from non-compliance.
Automation helps you:
§ Ensure that IT controls are maintained even as cloud environments change
§ Reduce the manual effort of implementing and maintaining controls
Continuous compliance cycle (figure): Infrastructure Buildout → Configuration Management → Iterative Deployment Process → Monitoring
Step 2: Enable Controls: The Instance Build Process
Every instance follows the same process. No “snowflake” systems. (Build pipeline diagram in the original slide.)
Step 2: Enable Controls: Monitoring
(Figure: monitoring pipeline.) Components: Scanners, AWS Config, CloudWatch / CloudWatch Logs, CloudWatch Alarms, Amazon SNS, AWS Lambda, 24x7 NOC, Pulse Portal
Step 2: Enable Controls: IDS and Vulnerability Management
Intrusion Detection System
• Collect and analyze ingress, egress, and lateral network traffic even within your IaaS environments
• Identify lateral movement, brute force, privilege escalation, and command & control exploits
• Advanced detection logic for the riskiest 3rd-party plug-ins, services, and libraries
Vulnerability Management
• Identify internet-facing vulnerabilities in web applications
• See detailed OS, port configs, services, and certificates for each asset
Step 2: Enable Controls: Encryption
Data at Rest
§ AWS Key Management Service (KMS) facilitates creation and control of encryption keys used by many AWS resources (EBS, S3, Glacier)
§ Implements AES-GCM-256 with ECDSA signatures to meet NIST standards
§ Encryption is as easy as a GUI click, an API flag, or a CloudFormation attribute to specify that EBS volumes are encrypted (and it’s free)
§ Snapshots preserve encryption
§ However, do NOT put sensitive data on the root volume!
§ You can actually disallow the creation of unencrypted root volumes with IAM policies
Remember: if in doubt, encrypt everywhere!
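The last two bullets describe both halves of an EBS encryption control: prevention (an IAM policy that refuses unencrypted volumes) and detection (the AWS Config style checking from the Monitoring slide). The Python below is an added example, not Logicworks’ or AWS’s code. The IAM policy uses the real `ec2:Encrypted` condition key; the volume descriptions, instance ids and root-device map are constructed sample data standing in for DescribeVolumes and DescribeInstances output, and `evaluate_volume` only mimics the shape of an AWS Config custom rule’s evaluation, it is not the Config SDK.

```python
"""Added example: the preventive and detective sides of a
"no unencrypted EBS volumes" control (not the deck's or AWS's own code)."""
import json

# 1. Preventive control. `ec2:Encrypted` is the EC2 condition key that
# applies to the volume resource of ec2:CreateVolume and ec2:RunInstances
# (block device mappings, root volume included), so an unencrypted root
# volume cannot be created by principals this policy is attached to.
DENY_UNENCRYPTED_VOLUMES = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyUnencryptedEbsVolumes",
            "Effect": "Deny",
            "Action": ["ec2:CreateVolume", "ec2:RunInstances"],
            "Resource": "arn:aws:ec2:*:*:volume/*",
            "Condition": {"Bool": {"ec2:Encrypted": "false"}},
        }
    ],
}


def policy_json() -> str:
    """Serialise the policy document for `aws iam create-policy`."""
    return json.dumps(DENY_UNENCRYPTED_VOLUMES, indent=2)


# 2. Detective control. CONSTRUCTED sample data: the shape mirrors the
# `Volumes` list returned by DescribeVolumes, with only the fields used here.
CONSTRUCTED_VOLUMES = [
    {"VolumeId": "vol-0a", "Encrypted": True,
     "Attachments": [{"InstanceId": "i-1", "Device": "/dev/xvda"}]},
    {"VolumeId": "vol-0b", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-1", "Device": "/dev/xvdf"}]},
    {"VolumeId": "vol-0c", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-2", "Device": "/dev/xvda"}]},
    {"VolumeId": "vol-0d", "Encrypted": False, "Attachments": []},
]

# DescribeVolumes does not say which device is the root device; this is the
# instance-id -> RootDeviceName map you would build from DescribeInstances.
# CONSTRUCTED sample data.
CONSTRUCTED_ROOT_DEVICES = {"i-1": "/dev/xvda", "i-2": "/dev/xvda"}


def evaluate_volume(volume: dict, root_devices: dict) -> dict:
    """Evaluate one volume in the style of an AWS Config custom rule:
    COMPLIANT / NON_COMPLIANT plus an annotation saying why. Unencrypted
    root volumes are called out separately because the slide singles
    them out as the place sensitive data must not land."""
    if volume["Encrypted"]:
        return {"VolumeId": volume["VolumeId"],
                "ComplianceType": "COMPLIANT",
                "Annotation": "volume is encrypted"}
    is_root = any(
        att["Device"] == root_devices.get(att["InstanceId"])
        for att in volume.get("Attachments", [])
    )
    note = "unencrypted ROOT volume" if is_root else "unencrypted volume"
    return {"VolumeId": volume["VolumeId"],
            "ComplianceType": "NON_COMPLIANT",
            "Annotation": note}


def audit(volumes, root_devices) -> list:
    """Evaluate every volume and order the findings so that non-compliant
    volumes come first and unencrypted root volumes lead those."""
    results = [evaluate_volume(v, root_devices) for v in volumes]
    return sorted(results, key=lambda r: (r["ComplianceType"] == "COMPLIANT",
                                          "ROOT" not in r["Annotation"]))


if __name__ == "__main__":
    print(policy_json())
    for finding in audit(CONSTRUCTED_VOLUMES, CONSTRUCTED_ROOT_DEVICES):
        print(finding)
```

In a live account the `audit` input would come from `describe_volumes()` and `describe_instances()` (boto3) inside a scheduled Lambda, with NON_COMPLIANT findings published to SNS, which is exactly the Config → Lambda → SNS chain the Monitoring slide lists; the deny policy makes new violations impossible while the audit catches volumes that predate it.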
Additional Controls for Company
Most “gaps” between HIPAA and HITRUST are in documentation
§ Must provide evidence that AV is not only enabled, but cannot be disabled by users
§ Screenshots of management platform change management tickets related to patches
§ Screenshots of firewall policies
§ Firewalls from at least 2 different vendors
§ Two DNS servers located in different subnets
§ Show if an alert will be generated if a system stops logging
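The last evidence item, an alert when a system stops logging, is a detection check rather than a screenshot, so here is the logic behind it as an added example (not Logicworks’ code). The input is a constructed snapshot of CloudWatch Logs log streams using the field names DescribeLogStreams returns (`logStreamName`, `lastIngestionTime` in epoch milliseconds); the stream names, timestamps and the 30-minute threshold are assumptions for the example.

```python
"""Added example: flag log streams that have gone silent, the check behind
"alert if a system stops logging" (not the deck's own code)."""
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is reproducible offline. CONSTRUCTED.
NOW = datetime(2017, 3, 1, 12, 0, tzinfo=timezone.utc)


def _epoch_ms(dt: datetime) -> int:
    """CloudWatch Logs reports ingestion times in epoch milliseconds."""
    return int(dt.timestamp() * 1000)


# CONSTRUCTED snapshot of log streams; in production this is the
# `logStreams` list from logs.describe_log_streams() for each log group.
CONSTRUCTED_STREAMS = [
    {"logStreamName": "i-web-1/syslog",
     "lastIngestionTime": _epoch_ms(NOW - timedelta(minutes=2))},
    {"logStreamName": "i-web-2/syslog",
     "lastIngestionTime": _epoch_ms(NOW - timedelta(hours=3))},
    {"logStreamName": "i-db-1/audit",
     "lastIngestionTime": _epoch_ms(NOW - timedelta(minutes=45))},
    {"logStreamName": "i-old/syslog"},  # stream exists but never ingested
]

# How long a stream may be quiet before the NOC is paged (assumption).
SILENCE_THRESHOLD = timedelta(minutes=30)


def silent_streams(streams, now, threshold=SILENCE_THRESHOLD):
    """Return [(stream name, minutes silent)] for streams whose last
    ingestion is older than `threshold`; a stream that never ingested
    anything is reported with None, since a host that never started
    shipping logs is the same evidence gap as one that stopped."""
    findings = []
    for stream in streams:
        last = stream.get("lastIngestionTime")
        if last is None:
            findings.append((stream["logStreamName"], None))
            continue
        last_dt = datetime.fromtimestamp(last / 1000, tz=timezone.utc)
        age = now - last_dt
        if age > threshold:
            findings.append((stream["logStreamName"],
                             int(age.total_seconds() // 60)))
    return findings


def alarm_message(findings) -> str:
    """Body of the SNS notification the NOC would receive."""
    if not findings:
        return "OK: all log streams reporting"
    lines = [f"ALARM: {len(findings)} log stream(s) stopped logging"]
    for name, minutes in findings:
        state = "never ingested" if minutes is None else f"silent {minutes} min"
        lines.append(f"  {name}: {state}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(alarm_message(silent_streams(CONSTRUCTED_STREAMS, NOW)))
```

Run on a schedule (a Lambda triggered by a CloudWatch Events rule, publishing `alarm_message` to SNS) this produces the artefact the assessor asks for: a demonstrable alert, not just a statement that logging is enabled. A per-host alternative with no code is a CloudWatch alarm on the `IncomingLogEvents` metric with the missing-data treatment set to alarm.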
Process of HITRUST Certification (the process diagram from the Plan section is repeated here as a recap before Step 4)
Step 4: Assessment
Each control is scored on five maturity levels (Policy, Procedure, Implemented, Measured, Managed); the criteria for each score level are:

Score 0%
  Policy:      None of the CSF requirements
  Procedure:   None of the CSF requirements
  Implemented: None of the CSF requirements
  Measured:    No measure or metric in place
  Managed:     No management action taken

Score 25%
  Policy:      Some of the CSF requirements and ad hoc
  Procedure:   Some of the CSF requirements are supported by ad hoc procedures
  Implemented: Some of the CSF requirements and partial scope
  Measured:    Operational or independent measure
  Managed:     Measure or metric AND management are sometimes taken on an ad hoc basis

Score 50%
  Policy:      All CSF requirements and ad hoc
  Procedure:   All CSF requirements are supported by ad hoc procedures
  Implemented: Some of the CSF requirements and full scope
  Measured:    Operational and independent measure
  Managed:     Measure or metric AND management are sometimes taken and a formal action management process exists

Score 75%
  Policy:      Some of the CSF requirements are written/signed and the remainder ad hoc
  Procedure:   Some of the CSF requirements are supported by written and/or automated procedures, and the remainder are addressed by ad hoc procedures
  Implemented: All CSF requirements and partial scope
  Measured:    Operational or independent METRIC
  Managed:     Metric only AND corrective actions are always taken AND on an ad hoc basis

Score 100%
  Policy:      All CSF requirements and written/signed
  Procedure:   All CSF requirements are supported by written and/or automated procedures, and/or are automated
  Implemented: All CSF requirements AND full scope
  Measured:    Operational metric AND independent measure or metric
  Managed:     Metric only AND corrective actions always taken AND a formal remediation management program exists

Source: HITRUST Alliance
Step 4+5: Assessment + Certification
§ Assessment must be performed by a HITRUST CSF Assessor
§ HITRUST validates the results
§ Must get a score of 71.00 or greater in each control in order to pass without a CAP (Corrective Action Plan)
§ Corrective Action Plans must be accomplished by the Interim Assessment
Timeline (figure), spanning Year 1 and Year 2:
1. Self Assessment
2. Remediation
3. Validated Assessment
4. Corrective Action Plans
5. Interim Assessment
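The scoring table and the 71.00 pass mark together define how one control passes or lands in a CAP, so here is the arithmetic as an added example (not Logicworks’ or HITRUST’s code). The five maturity levels and the 0/25/50/75/100% ratings come from the table on the Step 4 slide and the threshold from the bullets above; the per-level weights (15/20/40/10/15) are my assumption about HITRUST’s published maturity-model weighting and should be confirmed against current HITRUST guidance, and the control ids and ratings are constructed.

```python
"""Added example: weighted HITRUST CSF control score and CAP check
(not the deck's or HITRUST's own code)."""

# ASSUMPTION: weights of the five maturity levels as I understand HITRUST's
# maturity model; verify against current HITRUST scoring guidance.
WEIGHTS = {
    "policy": 0.15,
    "procedure": 0.20,
    "implemented": 0.40,
    "measured": 0.10,
    "managed": 0.15,
}

# Each level is rated at one of the table's score rows.
VALID_RATINGS = (0, 25, 50, 75, 100)

# From the slide: per-control score needed to pass without a CAP.
PASS_THRESHOLD = 71.00


def control_score(ratings: dict) -> float:
    """Weighted score (0..100) for one control from its five level ratings."""
    missing = set(WEIGHTS) - set(ratings)
    if missing:
        raise ValueError(f"missing maturity levels: {sorted(missing)}")
    for level, value in ratings.items():
        if level not in WEIGHTS:
            raise ValueError(f"unknown maturity level: {level}")
        if value not in VALID_RATINGS:
            raise ValueError(f"{level}: rating must be one of {VALID_RATINGS}")
    return round(sum(WEIGHTS[lvl] * ratings[lvl] for lvl in WEIGHTS), 2)


def assess(controls: dict) -> dict:
    """Score every control; `needs_cap` is True when it falls below 71.00."""
    results = {}
    for control_id, ratings in controls.items():
        score = control_score(ratings)
        results[control_id] = {"score": score,
                               "needs_cap": score < PASS_THRESHOLD}
    return results


def cap_list(controls: dict) -> list:
    """Control ids that would go into a Corrective Action Plan."""
    return [cid for cid, r in assess(controls).items() if r["needs_cap"]]


# CONSTRUCTED sample ratings for three controls.
CONSTRUCTED_CONTROLS = {
    # Written policy and procedures, implemented almost everywhere, but
    # measurement and management are only ad hoc: just clears the bar.
    "ctrl-A": {"policy": 100, "procedure": 100, "implemented": 75,
               "measured": 25, "managed": 25},
    # Policy exists but implementation is partial and nothing is measured.
    "ctrl-B": {"policy": 100, "procedure": 75, "implemented": 50,
               "measured": 0, "managed": 0},
    # Fully mature control.
    "ctrl-C": {lvl: 100 for lvl in WEIGHTS},
}


if __name__ == "__main__":
    for cid, result in assess(CONSTRUCTED_CONTROLS).items():
        print(cid, result)
    print("CAP needed for:", cap_list(CONSTRUCTED_CONTROLS))
```

The worked numbers show why the deck stresses documentation: ctrl-A passes only because policy and procedure are fully written and signed; with the same implementation but ad hoc policy it would score well under 71 and need a CAP.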
Results of Project
§ Reduced time-to-compliance: Logicworks + AWS provided evidence of 175 out of 400 total controls required, reducing their time-to-compliance by 6-8 months
§ 6 months: rearchitect process lasted 6 months
§ HITRUST certified: passed their HITRUST audit in March 2017
§ +20% cost: resulting AWS environment cost ~20% more than their HIPAA-compliant environment
155 Avenue of the Americas, Fifth Floor | New York, NY 10013
P:212.625.5300 | www.logicworks.com
