HITRUST in the Cloud
Who, What, Why and How?
Agenda
• Introduction
• What Is HITRUST?
• How Can you Benefit from HITRUST?
• Challenges in Cloud Deployments
• How to Deploy Secure Cloud Infrastructure
• Best Practices
• Q&A
Speakers
Toby Owen, VP of Product Development, OnRamp
Nikola Todev, Head of Information Security, OnRamp
Current Landscape
• The average consolidated cost of a data breach reached $3.62 million in 2017 (3)
• 143 million+ affected by Equifax server vulnerability and broad access control
• 85% of CEOs said cyber threats posed the greatest threat to the growth of their organization (2)
• Lack of Expertise, Security, and Cost tie for top cloud challenges (1)
Sources: 1 RightScale 2017 State of the Cloud Report; 2 PwC 2017 CEO Survey; 3 Ponemon Institute, Cost of Data Breach Study: 2017 Global Analysis
Audience Poll
What Is HITRUST CSF?
HITRUST CSF is a prescriptive and certifiable framework
specifically created in response to multiple compliance
requirements, many of which are subject to interpretation.
HITRUST Was Founded in 2007 to Solve Common Challenges:
• Significant regulatory oversight
• Constantly evolving requirements
• Uncertain standards – what is reasonable and appropriate?
https://hitrustalliance.net
What Does HITRUST Include?
The eight most common regulation and control frameworks covered by HITRUST:
• COBIT
• ISO 27001/2
• FTC Red Flags
• HIPAA Omnibus Final Rule
• NIST
• Meaningful Use
• Texas Health & Safety Code
• PCI
How Does the HITRUST Certification Process Work?
Control Categories Include:
• Physical and Environmental Security
• Access Control
• Risk Management
• Security Policy
• Business Continuity
Who Can Leverage HITRUST?
E-COMMERCE, HEALTHCARE, BANKING, GOVERNMENT, EDUCATION
Everyone… but for industries with sensitive data, this framework is especially critical.
HITRUST CSF Offers:
• Alignment with national standards/requirements
• Supports assessment of an organization’s current and targeted cybersecurity posture
• Helps identify gaps in current programs and resources
• Supports standardized assessment and reporting documentation
• Helps identify opportunities to improve management processes for cybersecurity risk
Why is Compliance Not Enough?
HITRUST versus HIPAA, for example:
Audience Poll
Threat Landscape
[Charts: most commonly targeted organizations; what are the most common threats?]
Sources: Trend Micro 2005-2015 Data Breach Study; Verizon Enterprise 2016 Report
State of the Cloud 2017 and Beyond
Despite rising cloud adoption rates, breaches and security issues continue to rise, indicating that the cloud deployments and/or their management efforts are not properly developed.
• 67% of all cloud adopters use a hybrid cloud strategy
• 90% of healthcare organizations had 1-5 data breaches in the past 2 years
Sources: Ponemon 6th Annual Study on Privacy of Healthcare Data; RightScale 2017 State of the Cloud Report; Twitter.com
Challenges in Secure Cloud Deployments
• Ambiguous Delegation of Responsibilities (Internally and with Vendors)
• Lack of Data Governance & Security Practices
• Understand Risk Universe for Business Service and Processed Data
• Insufficient Controls to Safeguard Data
• Ensuring Data Availability, Reliability, & Integrity
• Ability to Convey Auditable Compliance (Transparency)
50% of organizations don’t know who has access to their data, how they’re using it, or what safeguards are in place to mitigate a security incident. (2017 Ponemon Study on Data Risk)
Understanding Cloud Criteria
There are many types of cloud models, each with its own features and level of security. Use these criteria to map your needs to the right cloud solution:
• Risk Assessment: How your data is classified and how it’s used and/or accessed will determine the level of risk you’re willing to accept.
• Workload & Performance Needs: Select features and configurations that meet your goals. Example: Deploy dedicated hardware for a mission-critical database and a virtualized environment for applications and web services.
• Security Alignment: Find a solution with a provider that fully supports your risk management objectives.
Best Practices: Technology
• Data encryption in transit and at rest
• Firewalls
• Multi-factor authentication
• Cloud encryption
• Audit logs showing access to data
• Vulnerability scanning, intrusion detection/prevention
• Hardware and OS patching
• Security audits
• Contingency planning: regular data backups & disaster recovery
The #1 issue is maintaining data confidentiality within the cloud, so that the cloud environment is accessible to authorized personnel only.
Best Practices: People and Processes
Technology is just one part; proper security and compliance involve people and processes to safeguard your data and develop documentation to prove your efforts.
• Audit operational and business processes
• Manage people, roles, and identities
• Ensure proper protection of data and information
• Enforce privacy policies
• Ensure cloud networks and connections are secure
• Evaluate security controls: physical infrastructure and facilities
• Manage security terms in the cloud service agreement
• Define a data decommissioning process
• Be prepared for incidents
Best Practices: Choosing a Cloud Vendor
• Security
• Availability & Scalability
• Understands Your Business Goals
• Credentials & Certifications
• Service Level Agreements (SLAs)
• Meets Your BAA Requirements
• Expertise in Your Industry
OnRamp’s Virtual Private Cloud
Offers the ease of use of a public cloud—including capabilities like utility billing and self-service provisioning—with the security of a private cloud.
Top Benefits:
■ HITRUST-certified
■ Control costs with capped maximum resource usage
■ Get to value faster by eliminating lengthy setup times
■ Open source APIs enable simple migrations and eliminate vendor lock-in
To schedule a demo, contact sales@onr.com or call 888.667.2660
Q&A
Thank you!!

HITRUST CSF in the Cloud

Editor's Notes

  • #6 What are you most interested in learning about? Options: What Is HITRUST? / How Can You Benefit from HITRUST? / How to Deploy Secure Cloud Infrastructure
  • #7 What is HITRUST? Who created it? Why was it developed? Objectives: built specifically for the unique needs of healthcare; relevant ongoing updates of supporting authoritative sources and changes in the threat environment; scalable to various sizes and types of organizations or systems in a controlled manner; based on compliance with control baselines intended to manage risk to an industry-accepted level; capable of providing certifiable risk assurances to internal and external stakeholders, including regulators.
  • #8 Highlight some of the most important frameworks and regulations HITRUST includes, such as the National Institute of Standards and Technology (NIST).
  • #9 What kinds of organizations get certified and how does that process work? Address that the scope of the certification for each organization is different. Discuss the levels of certification – must have level 3. Give examples of the control categories and examples of the controls. Discuss the difference between the self-assessment and the validated assessment.
  • #10 Discuss who should pay attention to HITRUST and why they should care. What is HITRUST’s business impact? Alignment with national standards/requirements; supports assessment of an organization’s current and targeted cybersecurity posture; helps identify gaps in current programs and resources; supports standardized assessment and reporting documentation; helps identify opportunities to improve management processes for cybersecurity risk. How can organizations gain benefits from choosing a HITRUST certified vendor? To protect their brand, critical assets, and customers/patients.
  • #11 Why is being compliant not enough? How does HITRUST compare? Discuss the maturity model – you must validate, evolve and analyze the outcome. Differences from HIPAA. Differences from PCI DSS, since there’s a certification for that, too.
  • #12 What are your goals for IT moving into 2018? Is the cloud part of that plan?
  • #13 Trend Micro conducted a study over 10 years to find out which industries were the most targeted victims of data breaches. It’s no coincidence that those with valuable, sensitive data are top targets. As you can see, these are also the same industries that should leverage the HITRUST framework. Discuss the top 3 threats.
  • #14 Toby: As organizations transition into the cloud, they should place workloads where they perform best, which results in a hybrid cloud approach. 67% of all cloud users are currently adopting multiple clouds. Discuss the challenges of multi-cloud management. Nikola: Regulatory organizations like the Office for Civil Rights and the Cloud Council are one step behind hackers and malicious threats, so it’s really up to you and your vendors to be responsible for your compliance and security. In the healthcare industry, for example, 90% of organizations have experienced 1-5 breaches in the past two years. Discuss the learning curve associated with implementing security in a physical environment versus cloud and virtualization.
  • #15 Ambiguous Delegation of Responsibilities (Internally and with Vendors): limited time and resources make it difficult for organizations to have a robust vendor management program to manage third-party relationships, including knowing whether their security posture is sufficient to respond to a data breach. Lack of Data Governance & Security Practices: need to create policies AND enforce them; need ongoing training. Insufficient Controls to Safeguard Data. Ensuring Data Availability, Reliability, & Integrity. Ability to Convey Auditable Compliance (Transparency): documentation of your security and compliance efforts.
  • #16 Discuss the process of choosing the right cloud for your workload needs. 1) Risk assessment – how valuable is the data? 2) Assess workload and performance needs. What features and functionality do you need/want? 3) Security alignment – some vendors have limitations on vulnerability and penetration testing, while others limit access to audit logs and monitoring. Ensure your cloud vendor is aligned with your risk management procedures.
  • #17 Discuss how technology plays a role in security and compliance best practices. Discuss how many of these controls match up to HITRUST. Discuss common misconceptions associated with security in the cloud.
  • #18 Discuss how people and process play a role in secure cloud deployments. Discuss how the requirements for HITRUST match up to the development and enforcement of these policies. Example – if your team needs to travel often, you must develop appropriate security practices.
  • #20 Introduce the VPC product and discuss how it’s HITRUST certified. Discuss the use cases for the VPC cloud, e.g. healthcare apps for medical devices, patient portal development, etc.