HITRUST Guide - LBMC


TABLE OF CONTENTS

INTRODUCTION
CHAPTER 1: WHAT IS HITRUST?
CHAPTER 2: THE BENEFITS OF USING HITRUST
CHAPTER 3: THE CHALLENGES OF DEPLOYING THE HITRUST CSF
CHAPTER 4: THE HITRUST ASSURANCE PROGRAM – HOW IT WORKS
CONCLUSION
ABOUT

INTRODUCTION

If you are a healthcare organization, or a service provider that handles electronic protected health information, you know the critical importance of maintaining patient privacy and complying with HIPAA. With the wave of highly publicized cyberattacks on healthcare, the IT challenges of data security and compliance have only multiplied. Fortunately, the HITRUST CSF can assist in meeting those challenges, and it is rapidly gaining acceptance in the healthcare security ecosystem. In this guide, we’ll explore what HITRUST is, the benefits of deploying it, and how organizations can clear the high bar it can present in implementation.

CHAPTER 1: WHAT IS HITRUST?

HITRUST is actually 3 things:

- An organization formed to advance the state of information security in the healthcare industry
- An industry-recognized security framework that can be adopted by any organization
- An Assurance Program that uses a proprietary assessment methodology for self-assessments or third party validated assessments to determine how well an organization is using the HITRUST CSF

HITRUST ORIGINS

In 2007, representatives of the healthcare industry came together to form HITRUST, with the goal of ensuring that information security would be a pillar of the industry. The HITRUST Board, with representatives from healthcare providers, insurers and vendors, understood that information security was necessary for the broad adoption of technologies that are important to patient care.

The following year, work began on a common security framework, or HITRUST CSF, to incorporate best standards in information security with the specialized needs of the healthcare industry.

HITRUST also developed a CSF Assurance Program to provide a standard way to evaluate and score information security controls either through self-assessment or by an outside assessor organization, and to set the bar for outside assessors on healthcare and information security expertise. Through the HITRUST Assurance Program, organizations can become HITRUST CSF certified.

WHAT THE HITRUST CSF IS, AND ISN’T

Built specifically for healthcare organizations -- and relevant third parties -- the HITRUST CSF provides a standardized guide for organizations to assess their information security risks, take corrective action, document the process, and maintain best practices. The HITRUST CSF also allows organizations to tailor the program to an organization’s size or areas of specialization, while still providing an adequate level of protection.

HITRUST offers HITRUST CSF certification to organizations through its Assurance Program, although it’s important to note that no regulatory bodies require HITRUST certification. However, the U.S. Department of Health and Human Services and the Office of Civil Rights consider mitigating factors such as an organization’s use of a certification process, like HITRUST, in the event of a security breach. When it comes to state or other compliance issues surrounding electronic protected health information, HITRUST CSF certification incorporates many of these requirements and thereby fulfills an organization’s regulatory obligations. Certification also conveys to business associates that a recognized system of IT security controls tailored to the healthcare industry is in place.

CHAPTER 2: THE BENEFITS OF USING HITRUST

HIPAA (the Health Insurance Portability and Accountability Act) is perhaps one of the best known acronyms in healthcare, in part due to the ubiquitous “Notice of Privacy Practices” forms given to patients at doctor visits. But when it comes to information security requirements for operators in the healthcare space (covered entities) and the companies they work with (business associates), HIPAA is notoriously -- and intentionally -- vague in terms of providing specific, prescriptive guidance to organizations seeking to comply. This lack of specifics was meant to provide flexibility given the large variety of types and sizes of entities that deal with electronic protected health information (ePHI).

But since HIPAA was passed in the mid-1990s, the unintended consequences of its vagueness surrounding security requirements have caused an information vacuum -- it’s like giving an archer a target without any real bullseye. That has led to an immature IT security environment in many parts of the healthcare industry precisely at a time when identity theft, medical fraud and other cybercrimes have skyrocketed.

The HITRUST CSF and the HITRUST CSF Assurance Program address the problems created by this vagueness by providing a standardized, prescriptive guide for healthcare organizations, with the flexibility to customize for the unique circumstances of each entity.

HITRUST has a mechanism for keeping up with the rapidly changing cybersecurity landscape. HITRUST has a cyber threat working group that, in collaboration with the HITRUST Cybersecurity Threat Intelligence and Incident Coordination Center, maintains a threat catalog tied to the HITRUST CSF controls. By identifying the controls intended to address a particular threat, organizations can more easily consume threat intelligence and proactively address active and emerging threats. HITRUST issues additional guidance to organizations regarding the HITRUST CSF controls or any additional requirements when needed.

HITRUST BENEFITS FOR PROVIDERS

To illustrate the benefits of the HITRUST CSF to healthcare providers who contract for services from third parties that need access to protected patient information to do their jobs, let’s consider a hypothetical, but common, scenario.

Let’s say you are a medium-sized regional health system, and you have established a security program to the best of your ability using the required and addressable safeguards outlined in the HIPAA Security Rule.

You likely have a compliance officer and in-house counsel who provide some oversight to make sure you are doing your best to meet the baseline regulatory requirements. Security is by no means perfect or completely impenetrable, but you get the picture -- you are for the most part “normal.”

Like most healthcare organizations, you rely on a bevy of third parties to assist you in your mission to provide care for your communities. Just to name a few, you contract with several billing/collection companies for different claim types, have agreements with contract physician groups, medical transcription services, reference labs, technology support providers, financial audit firms, as well as many others. The list of organizations that work with the protected health information of your patients certainly isn’t endless, but it’s pretty long.

Some of those organizations are covered entities in their own right; others are purely business associates who, for one reason or another, need to access your patient data. There are contracts in place with all of these organizations, but you know in your heart of hearts that some do a much better job with securing data than others. You also know that while they will ultimately be liable from a contractual and regulatory standpoint for any breach they cause, your organization is still on the hook as the upstream covered entity, and will face significant reputational harm if your organization’s name ends up on the HIPAA “Web Wall of Shame” for data breaches exceeding 500 records, even if it was the fault of one of your business associates.

The HITRUST program offers you the opportunity to reduce heartburn over potential breaches, both by deploying it in your own health system and requiring HITRUST CSF certification from these third parties.

HITRUST BENEFITS FOR BUSINESS ASSOCIATES

Let’s flip things around in this next hypothetical scenario for a different perspective.

Let’s say you are a company that prepares billing statements for hospitals -- in other words, you are one of those business associates mentioned in the previous example. Fortunately for your business, you have hundreds of customers just like the health system we previously described. Some are smaller, some larger, but all have concerns about how well you are protecting their ePHI.

Security requirements formerly glossed over in their contracts and business associate agreements are now expanding as they adopt more formal vendor management programs. About half of those clients want you to either provide some type of independent audit report or answer their questionnaire about information security.

Since there isn’t a government-approved HIPAA certification report, and you haven’t engaged with a firm to perform another security-focused audit like a SOC 2, and because your customers don’t have a single audit reporting format, you are left with filling out their security questionnaires. Unfortunately, that leaves you with dozens of questionnaires to fill out. Each asks some of the same questions, but usually in different ways. Some are 50 questions; some are 300 or more. It’s beginning to feel like you spend more time responding to customer questionnaires than you do maintaining the security of your systems.

Obtaining certification under the HITRUST CSF has the potential not only to reassure you about the strength of your information security, but also to provide you with credentials that are accepted by many healthcare providers without the need to muck through the questionnaire swamp.

CHAPTER 3: THE CHALLENGES OF DEPLOYING THE HITRUST CSF

There is no way around it — deploying the HITRUST CSF and being reviewed under the Assurance Program is complex and time-consuming.

The HITRUST CSF is prescriptive – in some cases, very prescriptive. If you are just using the HITRUST CSF as a good framework, you can certainly pick and choose what works best within your organization to adequately address your security risks. But if you are looking to be certified against the HITRUST CSF (see Chapter 4), you will need to be prepared to make some tweaks to your existing policies, procedures, and control activities.

How major those tweaks are will depend on the maturity of your security program and the framework upon which it is built. Our experience tells us that even organizations that have obtained certifications around ISO or PCI are often surprised that there is still some heavy lifting to do as they dig into the requirements of the HITRUST CSF.

Third Party Management is a great example of where the prescriptive requirements of the HITRUST CSF often outpace the current practices of many organizations. The implementation guidance related to some of the required controls in this domain goes to the level of describing language that should be included in contracts and agreements with third party vendors, and often requires enhancements to both existing policies and those legal documents.

CHAPTER 4: THE HITRUST ASSURANCE PROGRAM – HOW IT WORKS

Since many organizations who adopt HITRUST will want to communicate their compliance with the HITRUST CSF to various internal and external stakeholders, HITRUST developed their HITRUST Assurance Program. Self-Assessment reports are available from HITRUST for organizations that do not have a need to provide independent assurance of their compliance. For others whose customers require a higher level of assurance, validated reports are used. Validated assessments are performed by independent assessor organizations that have been vetted and approved by HITRUST. A validated report can also be a “certified” report if the target organization achieves a minimum maturity score in each of the domains in the HITRUST CSF.

HITRUST CSF assessments, whether they be a self-assessment or a validated assessment performed by a third party, utilize HITRUST’s portal application called HITRUST MyCSF. HITRUST MyCSF is built on top of a Governance, Risk, and Compliance software platform that serves as a multi-purpose portal, giving the organization access to the entire CSF library as well as the option to create different types of assessments.

To access the HITRUST MyCSF portal, the organization must pay HITRUST a fee for either a subscription or for a one-time assessment. To create an assessment, the organization will identify the in-scope business units, locations, and systems along with a number of organizational, system, geographic, and regulatory factors. Based on that input (particularly system and regulatory factors), the HITRUST MyCSF tool builds a customized assessment.

Rather than provide the control requirement as published in the framework, a series of baseline security statements are generated. They break down the broader requirements of the HITRUST CSF into more manageable chunks. To put this in concrete terms, while there are roughly 66 HITRUST CSF controls required for certification, an organization could easily have 250 to 300 (or more) baseline statements generated as part of their assessment.

It probably goes without saying, but to do this right takes time. HITRUST provides very prescriptive guidance on how to properly score each category using illustrative procedures that serve as a “floor” for guiding how an assessor will evaluate your compliance. If you are being assessed for the first time, beware of consultants who claim they can “get you certified” in a few weeks. It’s just not possible. Even without all the work that goes into scoring, HITRUST’s own review period after your assessment is turned in for adjudication, and report issuance, is 4-6 weeks. Formal HITRUST CSF certification can take six months to a year to complete, and multiple years for larger organizations. Once certification is complete, it lasts for two years, with a less intense assessment occurring in year two.

ASSESSMENT IS NOT PASS/FAIL

One common misconception about becoming HITRUST CSF certified is that it is a binary, pass/fail endeavor. Rather, each baseline statement is evaluated on a 1 to 5 scale that equates to a percentage of compliance in five maturity categories. Those categories are Policy, Process, Implemented, Measured, and Managed.

EVALUATING REQUIREMENTS STATEMENTS

The following table provides a minimum generic set of criteria (questions) based on the general requirements for full compliance, which assessors should consider when evaluating a requirements statement at each level of the model, as they provide the necessary context for scoring against the specific evaluation criteria contained in HITRUST’s illustrative procedures, which are discussed at more length in the next section.

LEVEL 1 – Policy

Generic evaluation criteria:
- Do formal, up-to-date policies or standards exist that contain “shall” or “will” statements for each element of the requirement statement?
- Do the policies and standards that exist for each element of the requirement statement cover all major facilities and operations for the organizations and/or systems/assets in scope for the assessment?
- Are the policies and standards that exist for each element of the requirement statement approved by management and communicated to the workforce?

LEVEL 2 – Procedures

Generic evaluation criteria:
- Do formal, up-to-date, documented procedures exist for the implementation of each element of the requirement statement?
- Do the procedures clarify where the procedure is to be performed, how the procedure is to be performed, when the procedure is to be performed, who is to perform the procedure, and on what the procedure is to be performed?
- Do the procedures address each element of the requirement statement across all applicable facilities, operations and/or systems/assets in scope?
- Are procedures for the implementation of each element of the requirements statement communicated to the individuals who are required to follow them?

LEVEL 3 – Implemented

Generic evaluation criteria:
- Is each element of the requirements statement implemented in a consistent manner everywhere that the policy and procedure applies?
- Are ad hoc approaches that tend to be applied on an individual or on a case-by-case basis discouraged?

LEVEL 4 – Measured

Generic evaluation criteria:
- Are self-assessments, audits and/or tests routinely performed and/or metrics collected to evaluate the adequacy and effectiveness of the implementation of each element of the requirements statement?
- Are evaluation requirements, including requirements regarding the type and frequency of self-assessments, audits, tests, and/or metrics collection, documented, approved and effectively implemented?
- Does the frequency and rigor with which each element of the requirements statement is evaluated depend on the risks that will be posed if the implementation is not operating effectively?

LEVEL 5 – Managed

Generic evaluation criteria:
- Are effective corrective actions taken to address identified weaknesses in the elements of the requirements statement, including those identified as a result of potential or actual information security incidents or through information security alerts?
- Do decisions around corrective actions consider cost, risk and mission impact?
- Are threats impacting the requirements periodically re-evaluated and the requirements adapted as needed?

Table 2. Generic Evaluation Criteria by Maturity Level

HITRUST’s scoring methodology can be a little daunting for both the initiated and uninitiated alike. To achieve certification without any noted corrective action plans, the organization must score a “3+” on the PRISMA scale (a maturity model based scoring system) in each of the 19 domains that make up the HITRUST CSF. An organization can still be certified with a PRISMA score of 3 in one or more domains, but corrective action plans will be included in the report for those domains falling below a 3+. If any domains score below a 3, the organization can receive a validated report, but cannot be certified.

Scoring is performed at the baseline security statement level for each of the categories (Policy, Process, Implemented, Measured, Managed). The scores at this level are done as percentages as follows:

1 – 0% (non-compliant)
2 – 25% (somewhat compliant)
3 – 50% (partially compliant)
4 – 75% (mostly compliant)
5 – 100% (fully compliant)

One key to understanding (or not misunderstanding) scoring is that the 1-5 scale listed above does not correlate to the PRISMA score. PRISMA scores are derived from the computed percentages using a weighted average. The weighting for the control categories is as follows:

- Policy – 25%
- Process – 25%
- Implemented – 25%
- Measured – 15%
- Managed – 10%

The weighted average of all of the control statements required for certification within a domain is then mapped to the PRISMA scale. As a reference point, a PRISMA score of 3 is achieved at a weighted average of greater than 70.99.

As a practical matter, the weighting that HITRUST has placed on the first 3 maturity categories means your most rapid path to certification is achieving high scores (preferably 5 / 100%) for Policy, Process, and Implemented. With scores of 5 in each of these categories, even if Measured and Managed score 0, the weighted average would be 75%, placing the organization above the certification threshold.

At a high level,
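The scoring arithmetic above is easier to trust once you have run it. The following is an added worked example (it is not code from the LBMC guide or from HITRUST, and it does not reproduce the MyCSF tool) that applies the level-to-percentage mapping, the category weights, and the one PRISMA threshold the guide gives (a 3 at a weighted average above 70.99) to a constructed set of baseline statement scores in two hypothetical domains. Statement identifiers, domain labels and scores are all made up for illustration; the exact PRISMA bands other than the 70.99 reference point are not stated in the guide and are not modelled here.

```python
"""Worked example of the HITRUST maturity-scoring arithmetic described in the
guide. Added for illustration; not LBMC's or HITRUST's own code."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Level-to-percentage mapping from the guide (1-5 scale per category).
LEVEL_PERCENT = {1: 0.0, 2: 25.0, 3: 50.0, 4: 75.0, 5: 100.0}

# Category weights from the guide; they sum to 100%.
CATEGORY_WEIGHT = {
    "Policy": 0.25,
    "Process": 0.25,
    "Implemented": 0.25,
    "Measured": 0.15,
    "Managed": 0.10,
}

# Reference point from the guide: PRISMA 3 at a weighted average above 70.99.
PRISMA_3_THRESHOLD = 70.99


@dataclass
class StatementScore:
    """Maturity level (1-5) assigned to one baseline statement per category."""
    statement_id: str          # constructed label, not a real HITRUST identifier
    levels: Dict[str, int]


def statement_weighted_score(levels: Dict[str, int]) -> float:
    """Weighted percentage for a single baseline statement.

    Every category must be scored; an unscored or out-of-range category is an
    input error rather than a silent zero, because a missing Measured/Managed
    score would otherwise look like a deliberate 1 (0%)."""
    missing = set(CATEGORY_WEIGHT) - set(levels)
    if missing:
        raise ValueError(f"unscored categories: {sorted(missing)}")
    total = 0.0
    for category, weight in CATEGORY_WEIGHT.items():
        level = levels[category]
        if level not in LEVEL_PERCENT:
            raise ValueError(f"{category}: level {level} is outside 1-5")
        total += weight * LEVEL_PERCENT[level]
    return round(total, 2)


def domain_weighted_average(statements: List[StatementScore]) -> float:
    """Average of the statement scores across one domain, as the guide describes."""
    if not statements:
        raise ValueError("a domain needs at least one scored statement")
    scores = [statement_weighted_score(s.levels) for s in statements]
    return round(sum(scores) / len(scores), 2)


def domain_reaches_prisma_3(statements: List[StatementScore]) -> bool:
    """True when the domain clears the guide's PRISMA 3 reference point."""
    return domain_weighted_average(statements) > PRISMA_3_THRESHOLD


def summarize(domains: Dict[str, List[StatementScore]]) -> Dict[str, Tuple[float, bool]]:
    """Per-domain (weighted average, reaches PRISMA 3). Per the guide, any
    domain below a 3 blocks certification even if the others are strong."""
    return {name: (domain_weighted_average(s), domain_reaches_prisma_3(s))
            for name, s in domains.items()}


# Constructed sample: two hypothetical domains, two statements each.
SAMPLE_DOMAINS = {
    "Domain A (constructed)": [
        # The guide's own illustration: 5/5/5 with Measured and Managed at 0%.
        StatementScore("A-01", {"Policy": 5, "Process": 5, "Implemented": 5,
                                "Measured": 1, "Managed": 1}),
        StatementScore("A-02", {"Policy": 5, "Process": 4, "Implemented": 4,
                                "Measured": 3, "Managed": 2}),
    ],
    "Third Party Management (constructed scores)": [
        StatementScore("T-01", {"Policy": 3, "Process": 3, "Implemented": 3,
                                "Measured": 3, "Managed": 3}),
        StatementScore("T-02", {"Policy": 4, "Process": 4, "Implemented": 3,
                                "Measured": 1, "Managed": 1}),
    ],
}

if __name__ == "__main__":
    for name, (avg, ok) in summarize(SAMPLE_DOMAINS).items():
        print(f"{name}: weighted average {avg:.2f}% -> PRISMA 3 reached: {ok}")
```

Running it shows Domain A at 73.75% (above the 70.99 line) and the Third Party Management sample at 50.00% (below it), which is the guide's point: a domain full of 3s across every category does not reach certification, while strong Policy, Process and Implemented scores carry a domain even when Measured and Managed lag.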
