HITRUST Explained
WHAT IT MEANS AND WHAT TO EXPECT
STELLA BRIDGES, CCSFP, CISSP, GSTRT, CPA, CISA
Disclaimer: This presentation, views, and opinions expressed herein are those of the author and do not represent official policy or position of any other agency, organization, employer or company.
Security Practices and Controls Frameworks are constantly changing. The information contained in this presentation is provided on an “as is” basis with no guarantees of completeness or timeliness.
Outline
♦ What is HITRUST
♦ HITRUST CSF
♦ HITRUST Business Drivers
♦ Sample Certification Journey
♦ Keys for Success
♦ Sample Realized Benefits
What is HITRUST?
Health Information Trust Alliance (HITRUST) is a not-for-profit organization founded in 2007. HITRUST Alliance’s mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain.
♦ Develops, maintains, and provides broad access to its widely adopted common risk and compliance management and de-identification frameworks.
♦ Led by a seasoned management team and governed by a Board of Directors made up of leaders from across the healthcare industry and its supporters.
♦ Actively participates in many efforts in government advocacy, community building and cybersecurity education.
HITRUST Common Security Framework (CSF)
Certifications: ISO, PCI, SOC 2 and 3
Information Security Frameworks: PCI DSS, ISO, CIS, NIST, COBIT, SOC 2 and 3
Implementation Standards: NIST 800 Series, PCI, ISO 27000 Series, ITIL, SANS, COBIT
Industry Specific Regulations: HIPAA/HITECH, PCI DSS, PSQA
Regulatory Requirements: GDPR, FTC, State Specific
♦ Scalable
♦ Comprehensive
♦ Prescriptive
♦ Certifiable
♦ Always evolving
♦ Healthcare focus
HITRUST CSF is a certifiable framework built upon other standards and compliance frameworks relevant to information security & privacy practices. Not all information security frameworks are the same.
HITRUST CSF – What is it and what is it not
HITRUST CSF …
♦ Only certifies implemented systems
♦ Promotes adoption of sound compliance and risk management practices
♦ Allows for efficient and streamlined implementation of information security and privacy (Security and Privacy by default)
♦ Supports HITRUST CSF Certification; requires annual review and recertification every 2 years
HITRUST CSF is NOT …
♦ A certification of facilities, people, services or products
♦ One-and-done:
o Risk management is a process, not a product
o People, processes, and technology are ever-changing
♦ Confirmation that all security requirements or industry best practices have been met
♦ Certification does not mean no risks, no vulnerabilities, or no exposure
HITRUST CSF – Structure *v9
Control Categories: High-level categories initially based on ISO 27001 & 27002 (14 Categories: 13 Security & 1 Privacy)
Control Objectives: Statement of the desired result or purpose to be achieved by implementing control procedures into a particular process (46 Objectives: 42 Security & 4 Privacy)
Control Requirements: Prescriptive statements in support of the establishment and maintenance of a control to meet the business, security and regulatory goals
• Up to 3 implementation levels for each control
• Each implementation level may have multiple requirement statements (149 Requirements: 135 Security & 14 Privacy)
♦ Implementation levels are built upon three risk factors:
I. Organizational Factors (e.g., type, size, location)
II. System Factors (e.g., connection to the internet, use of mobile devices, third party access)
III. Regulatory Factors (e.g., PCI / CMS / State Requirements)
♦ Level 1 is the minimum set of security requirements for all systems and organizations regardless of size, sophistication, or complexity
♦ Levels 2 and 3 are required, as appropriate, for organizations and systems of increased risk and complexity as determined by scoping factors
HITRUST CSF – Structure Sample *v9 (diagram showing Control Categories, Implementation Levels, Control Objectives and Control Requirements)
HITRUST CSF – Assessment Domains
Based on risk, the control requirements are mapped across 19 HITRUST domains:
♦ Logical groupings based on common IT organizational structure
♦ Support overall scoring
• Information Protection Program
• Endpoint Protection
• Network Protection
• Third-Party Assurance
• Portable Media Security
• Transmission Protection
• Incident Management
• Mobile Device Security
• Password Management
• Business Continuity & Disaster Recovery
• Wireless Security
• Access Control
• Risk Management
• Configuration Management
• Audit Logging & Monitoring
• Physical & Environmental Security
• Vulnerability Management
• Education, Training & Awareness
• Data Protection & Privacy
HITRUST CSF – Scoring and Certification Requirements
Each control requirement is evaluated across five maturity levels, each with a weight toward the raw score (Control Requirement Level weights 25, 25, 25, 15, 10):
1. Policies (25) – Is a policy or standard in place?
2. Procedures (25) – Is there a process or procedure to support the policy?
3. Implementation (25) – Has the process been implemented?
4. Test (15) – Is the process being measured and tested by management to ensure it is operating as expected?
5. Integration (10) – Are the measured results being managed to ensure corrective actions are taken as needed?
Level of compliance (Maturity Rating) for each level: Non-Compliant 0%, Somewhat Compliant 25%, Partially Compliant 50%, Mostly Compliant 75%, Fully Compliant 100%
Maturity Level Scoring / Score to Rating Conversion (raw score greater than → PRISMA score):
0 → 1-
9.99 → 1
18.99 → 1+
26.99 → 2-
35.99 → 2
44.99 → 2+
52.99 → 3-
61.99 → 3
70.99 → 3+
78.99 → 4-
82.99 → 4
86.99 → 4+
89.99 → 5-
93.99 → 5
97.99 → 5+
♦ Any control requirement that scores less than a 3+ will require a CAP
♦ Each domain MUST score a 3 to achieve certification requirements
♦ Management can accept risk, but only at a control requirement level of 3.
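A worked example of the scoring scheme on this slide, added here for illustration (it is not HITRUST's MyCSF tooling): it computes the weighted raw score of one control requirement, converts it with the table above, and applies the CAP rule and the per-domain certification rule. Two assumptions are labelled in the code: a domain's raw score is taken as the mean of its requirements' raw scores, and a raw score of exactly 0 (not covered by the table) is treated as 1-.

```python
"""HITRUST CSF control-requirement scoring as described on the
'Scoring and Certification Requirements' slide (illustrative example,
not HITRUST tooling)."""
from statistics import mean
from typing import Dict, List, Tuple

# Five maturity levels and their weights from the slide (they sum to 100).
LEVEL_WEIGHTS: Dict[str, int] = {
    "Policies": 25,
    "Procedures": 25,
    "Implementation": 25,
    "Test": 15,
    "Integration": 10,
}

# Level of compliance (maturity rating) per level, from the slide.
COMPLIANCE: Dict[str, float] = {
    "Non-Compliant": 0.00,
    "Somewhat Compliant": 0.25,
    "Partially Compliant": 0.50,
    "Mostly Compliant": 0.75,
    "Fully Compliant": 1.00,
}

# Score-to-rating conversion: a raw score strictly greater than the
# threshold earns the rating. A raw score of exactly 0 is not covered by
# the slide; it is treated here as the floor rating "1-" (assumption).
RATING_THRESHOLDS: List[Tuple[float, str]] = [
    (0, "1-"), (9.99, "1"), (18.99, "1+"), (26.99, "2-"), (35.99, "2"),
    (44.99, "2+"), (52.99, "3-"), (61.99, "3"), (70.99, "3+"), (78.99, "4-"),
    (82.99, "4"), (86.99, "4+"), (89.99, "5-"), (93.99, "5"), (97.99, "5+"),
]
RATING_ORDER: List[str] = [rating for _, rating in RATING_THRESHOLDS]


def raw_score(levels: Dict[str, str]) -> float:
    """Weighted sum of compliance across the five maturity levels (0-100)."""
    missing = set(LEVEL_WEIGHTS) - set(levels)
    if missing:
        raise ValueError(f"no compliance rating for: {sorted(missing)}")
    return sum(LEVEL_WEIGHTS[lvl] * COMPLIANCE[levels[lvl]] for lvl in LEVEL_WEIGHTS)


def to_rating(score: float) -> str:
    """Convert a raw score to its PRISMA rating using the slide's table."""
    rating = RATING_ORDER[0]
    for threshold, candidate in RATING_THRESHOLDS:
        if score > threshold:
            rating = candidate
    return rating


def rating_at_least(rating: str, floor: str) -> bool:
    """Compare two ratings by their position in the 1- .. 5+ ladder."""
    return RATING_ORDER.index(rating) >= RATING_ORDER.index(floor)


def needs_cap(score: float) -> bool:
    """Slide rule: any control requirement scoring less than 3+ requires a CAP."""
    return not rating_at_least(to_rating(score), "3+")


def domain_meets_certification(requirement_scores: List[float]) -> bool:
    """Slide rule: each domain must score a 3. Assumption: the domain raw
    score is the mean of the raw scores of the requirements mapped to it."""
    return rating_at_least(to_rating(mean(requirement_scores)), "3")


if __name__ == "__main__":
    # Constructed sample: written policy and mostly-followed procedure,
    # half implemented, barely tested, never fed back into management.
    sample = {
        "Policies": "Fully Compliant",
        "Procedures": "Mostly Compliant",
        "Implementation": "Partially Compliant",
        "Test": "Somewhat Compliant",
        "Integration": "Non-Compliant",
    }
    s = raw_score(sample)
    print(f"raw score {s:.2f} -> rating {to_rating(s)}, CAP needed: {needs_cap(s)}")
    # Constructed domain with three requirements at 75, 60 and 100.
    print("domain meets 3:", domain_meets_certification([75, 60, 100]))
```

Note that full policy, procedure and implementation with no testing or integration lands on exactly 75, i.e. 3+, the lowest rating that avoids a CAP; everything below that rating is driven by the Test and Integration levels.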
HITRUST CSF – Evaluation Criteria
HITRUST CSF – Assessment Options
• Security: ONLY the Required CSF Controls for Certification (233 - 1153 Possible Requirement Statements)
• Security & Privacy: Required CSF Controls for Certification as well as the Privacy Controls (326 - 1336 Possible Requirement Statements)
• Comprehensive Security: ALL the CSF Security Controls (353 - 1536 Possible Requirement Statements)
• Comprehensive Security and Privacy: ALL CSF Controls (446 - 1719 Possible Requirement Statements)
HITRUST CSF – Assessment Types
Self Assessment
Description:
• Intended to be used as a readiness assessment
• Lower degree of testing
• Entity completes assessment
• CSF Self-Assessment Report
• May or may not meet certification requirements
Direct Costs:
• Fees for MyCSF Subscription or report-only*
Validated Assessment
Description:
• Higher degree of testing
• Entity completes assessment
• Assessor validates
• CSF Validated Report
Direct Costs:
• Fees for MyCSF Subscription or report-only*
• Assessor fees – Scope dependent
• Validated assessment report fees
Certified Assessment
Description:
• Must meet certification requirements
• Higher degree of testing
• Entity completes assessment
• Assessor validates
• CSF Validated Report with Certification
Direct Costs:
• Fees for MyCSF Subscription or report-only*
• Assessor fees – Scope dependent
• Validated assessment report fees
*Report-only access is limited to 90 days to complete the assessment. Then 30 days is provided to respond to CAPs and review the report.
One of the main cyber-risks is to think they don’t exist. The other is to treat all potential risks.
- Stephane Nappo
HITRUST Business Drivers
Leadership Around a Common Perspective
Driver areas shown on the slide: Growth & Scalability, Regulatory Compliance, Strategic Vision, Operational Excellence
• Protect stakeholders’ confidence and brand image
• Business enablement through defined security architecture
• Integrity and trust are core values
• Reduce business risk
• Consolidated way to manage compliance with multiple regulations
• Regular updates by HITRUST to reflect changes to regulations, standards, and trends
• Blueprint for a sound measurable information security program
• Risk based vs. compliance “check the box” approach
• Optimize return on investment – assess once, use many (i.e., security roadmap, compliance reporting, third party assessments, standardized tools etc.)
HITRUST Sample Certification Journey
Sample timeline shown on the slide: December; Jan - March; April - May; May - June; June; July - August
Scope & Assessment Selection
• What is the purpose of the assessment?
• An assessment may include:
  • Business Units, Facilities, Departments
  • Applications, Servers and Databases, Network Infrastructure
  • Business Associate / Vendor
• Enter risk factors into MyCSF
Validation: Submit questionnaire to Approved Assessor
• Assessor examination of documentation - policies, standards, and procedures
• Assessor returns requirements to client for additional details or artifacts, if needed
• Respond to assessor questionnaire
Readiness Assessment
• Respond to all control requirements
• Consider entire scope when responding to requirements
• Utilize illustrative procedures
• Use appropriate sampling
• N/A requirements must have a rationale
• Develop, track, and implement corrective action plans for identified gaps
On-site Testing and Validation
• Interview relevant personnel
• Testing of technical implementation
• Process operational effectiveness analysis
• Control testing window before submission to HITRUST = 90 days
• Assessor QA review
Submission to HITRUST
• Management representation letter
• Submission to HITRUST
• HITRUST QA process takes 4-6 weeks
HITRUST Review
• Review one requirement per domain
• 4-6 weeks to provide draft report
• 30 days after issuance of draft report
• HITRUST accepts grammatical changes
• Corrective Action Plans to be entered for any controls scored at a 3 or less
• CAPs will be reviewed by HITRUST and added to final report
• Automatically issued as final
Ongoing Maintenance
• Object unlocked after report
• Compliance work continues
• Interim assessment: 1 year from date of certification
• Certification Window: 2 years from date of certification
The best way to start… is to start.
- Pablo Picasso
Keys for Success
Mutual responsibility
▪ Start with a readiness assessment
▪ Align and assign adequate resources (i.e., funding, people, etc.)
▪ Have frequent open conversations with stakeholders and assessor
Effective organization and coordination of work
▪ Engage your assessor early on
▪ Identify all key stakeholders (i.e., Human Resources, Legal, Applications and Data Owners, Facilities, Business continuity, Infrastructure, Development, Privacy, Security, etc.)
▪ Develop a detailed project plan
▪ Create an assessment object early to avoid changes in certification requirements
Agreement on overall goals
▪ Know your organizational culture and implement accordingly (be realistic)
▪ Accurately define business drivers
▪ Obtain buy-in and support from the top-down
Vision + Skills + Incentive + Resources + Action Plan = Change Ingredients
Realized Benefits
Benefit areas shown on the slide: Operational, Technical, Tactical, Strategic
• Security and privacy policies, standards and processes for a compliant business
• Culture shift - best practice and baseline considerations
• Risk management and assessment process
• Asset management solution
• Centralized audit and logging
• Privileged access manager/access control solutions
• Information security strategy and roadmap
• Leadership involvement
• Security metric and measurement
• Step-by-step procedures and clear process ownership
• Organizational-wide user awareness
• Vendor SLA management
Execution is NOT everything. There has been excellent execution of some dumb ideas. Both strategy and execution are necessary and it’s the absence of one that flaws a company’s performance.
- W. Chan Kim & Renee Mauborgne, Blue Ocean Strategy
THANK YOU
Stella Bridges, CCSFP, CISSP, GSTRT,
CPA, CISA
www.secliance.com
stella.bridges@secliance.com
www.linkedin.com/in/stellabridges
HITRUST 101: All the basics you need to know