Hitrust: Navigating to 2017, Your Map to HITRUST Certification

©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
HITRUST:
Navigating to 2017
Your Map to HITRUST Certification

01. Background / Overview
02. CSF Expansion
03. The CSF Framework
04. Scope and Approach
05. Options
06. Steps to Certification
07. Process
08. Mapping
Contents

Background
& Overview
01

Security and privacy are
everyone's responsibility

HITRUST Overview
• Began in 2007
• Meet demand of healthcare challenges
– Inconsistency
– Inefficiencies
– Increasing cost
– Increasing risk

HITRUST CSF – Multiple Req’ts

HITRUST CSF – One Program
HITRUST CSF

HITRUST CSF – Assess Once
Security gateways (e.g., a firewall) shall be used between the internal network,
external networks (Internet and 3rd party networks), and any demilitarized
zone (DMZ).
An internal network perimeter shall be implemented by installing a secure
gateway (e.g., a firewall) between two interconnected networks to control
access and information flow between the two domains. This gateway shall be
capable of enforcing security policies, be configured to filter traffic between
these domains, and block unauthorized access in accordance with the
organization's access control policy.
Wireless networks shall be segregated networks from internal and private
networks.
The organization shall require a firewall between any wireless network and the
covered information systems environment.
CSA CCM SA-08
HIPAA § 164.308(a)(3)(ii)(A)
HIPAA § 164.308(a)(3)(ii)(B)
HIPAA § 164.310(b)
IRS Pub 1075 9.4.10
PCI DSS 1.1.
PCI DSS 1.1.4
1 TAC § 390.2(a)(1)

©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
HITRUST CSF – Report Many

HITRUST Now
• 83% of hospitals
• 82% of health plans
• 23,000 Common Security Framework (CSF)
Assessments (2012, 2013, 2014)

CSF
Expansion
02

Announcement

Overview of Expansion
• CSF Certification
• Anthem/Cigna, Health Care Services Corp.,
Highmark, Humana, and UnitedHealth
Group Significance
• Effective security and privacy practices

Why the Expansion?
• Increasing cyber threats
• Significance of Business Associates
• Interconnection of healthcare industry
• Beyond HIPAA
• Minimize the duplicity, costs and inefficiencies

Mandatory?
YES!
(For Business Associates)

7,500

24 months

Overview of the
Common Security
Framework03

CSF Overview
• CSF
– Defined set of requirements
– Prescriptive requirements
– Meet the challenges in healthcare security
– Secure protected health information

Overview of the CSF
• ISO 27001
• PCI-DSS
• HIPAA/HITECH
• Meaningful Use
• NIST 800-53
• FTC Red Flags
• CMS
• Privacy Laws

Organization of the CSF
• Establishes a single benchmark
• Increases trust and transparency
• Obtains industry consensus

CSF and Privacy
• CSF version 7
– Inclusion of privacy
– Satisfy health care regulations in Texas (SECURETexas)

Purpose
& Scope
04

Purpose
• Harmonizes privacy and security standards
• Establishes framework of controls
• Build trust and assurance
• Highlights credibility

Purpose
• Effectively meet the security objectives
– Examining
– Interviewing
– Testing

Define Scope
• Entire organization environment
• Segmented portions
– Single location
– Single business unit
– Single application
• Covered information

Define Scope
• Assessment options
– Security Assessment
– Security & Privacy Assessment
– Comprehensive Security Assessment
– Comprehensive Security & Privacy Assessment
– NIST Cyber Security Assessment

Scope of CSF
• Assessment factors
– Organizational factors
– System factors
– Regulatory factors

Scope of CSF
• 14 control categories
– 13 for Security
– 1 for Privacy
• 46 control objectives
• 149 control specifications
– Grouped within 19 assessment domains

©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
Scope of CSF
CSF Assessment Domains
Information Protection Program Access Control
Endpoint Protection Audit Logging & Monitoring
Portable Media Security Education, Training and Awareness
Mobile Device Security Third Party Assurance
Wireless Security Incident Management
Configuration Management Business Continuity & Disaster Recovery
Vulnerability Management Risk Management
Network Protection Physical & Environmental Security
Transmission Protection Data Protection & Privacy
Password Management

MyCSF
• Access to the CSF and authoritative source
• Perform assessments
• Reporting/Tracking compliance
• Document remediation in Corrective Action Plan
(CAPs)
• Benchmarking

Options
05

• Self Assessment
• CSF Validated
Assessment Types

• Self Assessment
– No validation
– 3rd party can facilitate assessment
– 3rd party can provide review and feedback
Assessment Types

• Validated
– HITRUST approved CSF Assessor
– On-site fieldwork
• Interviews
• Technical testing
Assessment Types

• Self-assessment
• CSF Validated
– Minimum maturity rating of 3+ on a
majority of assessment domains
• CSF Certified
– Minimum maturity rating of 3+ for ALL
assessment domains
Report Types

Steps to
Certification
06

oneInitial Project Planning

• Executive support
• Determining scope
• Determining system boundaries
• Communication with process owners
Project Planning

twoOrganizational and
System Scoping

• Location(s)
• Application(s)
• Device(s)
• Regulatory requirement(s)
• System boundaries
Organizational and System
Scoping

threeAssessment Preparation

• Project calendars
• Evidence request lists
Assessment Preparation

fourExamine Documentation
and Practices

• Policy documents
• Documented procedures
• Processes
Examine Documentation and
Practices

fiveConduct Interviews

• Process owners
• Verify process controls
• Confirmation of evidence
Conduct Interviews

sixPerform and Review and
Technical Testing

• Automated control configurations
• Manual control sampling
– HITRUST sampling methodology
Perform Technical Testing

• Compliance scoring
– Control requirement
• Policy
• Procedure
• Implemented
• Managed
• Measured
Review Technical Testing
– Maturity rating
• Non-compliant (0%)
• Somewhat compliant (25%)
• Partially compliant (50%)
• Mostly compliant (75%)
• Fully compliant (100%)

• Compliance scoring example
Review Technical Testing

sevenAlternate Control
Identification and Selection

• Only if non-compliant CSF controls exist
• Identify compensating controls
• Residual compliance scoring
Alternate Control Identification
and Testing

eightReporting

• Prepare for submission to HITRUST
– Assessor testing
– Management representation letter
– Remediation plans (CAPs)
• HITRUST QA Review
– 4 – 6 weeks
Reporting

nineRemediation Tracking

• Corrective Action Plan (CAP) progress
– CAP Owner
– Implementation plan
– Expected completion date
• Residual risk score adjustments
Remediation Tracking

The Certification
Process
07

Issuing Certification

Issuing Certification
• Valid 2 years
– Annual review
• Within 2 months following the 1-year anniversary
• Continuous monitoring requirements
– CAP remediation

Mapping to Other
Standards
08

• HIPAA
• ISO 27001
• PCI
• NIST / CMS ARS
• Meaningful Use
• SOC 2
Other Standards

Join Us Next Time
Surviving a Security
Assessment
October 9, 2015
brightline.com/webinars

Hitrust: Navigating to 2017, Your Map to HITRUST Certification

More Related Content

What's hot

Similar to Hitrust: Navigating to 2017, Your Map to HITRUST Certification

More from Schellman & Company

Recently uploaded

Hitrust: Navigating to 2017, Your Map to HITRUST Certification