Get Ready Now for HITRUST 2017

Post on 15-Jan-2017


Get Ready Now for HITRUST 2017 | 1

Get Ready Now for HITRUST 2017: Your Map to HITRUST Certification

Agenda

01. Background / Overview
02. The CSF Framework
03. Scope and Approach
04. Options
05. Steps to Certification
06. Process
07. Q&A

01. Background & Overview

HITRUST Overview
• Began in 2007; first version of the CSF released in 2009
• Created to meet the demands of healthcare security challenges:
  – Inconsistency
  – Inefficiencies
  – Increasing cost
  – Increasing risk

Announcement


Overview of Expansion
• CSF Certification
• Anthem/Cigna, Health Care Services Corp., Highmark, Humana, and UnitedHealth Group

Significance
• Effective security and privacy practices

Why the Expansion?
• Increasing cyber threats
• Significance of Business Associates
• Interconnection of the healthcare industry
• Goes beyond HIPAA
• Minimizes duplication, costs and inefficiencies

Mandatory?

YES! (For Business Associates of these Healthcare Organizations)


7,500

An additional 7,500 organizations that do not currently have a CSF Certification must do so within the next 24 months.

02. Overview of the Common Security Framework

CSF Overview
• CSF
  – Defined set of requirements
  – Prescriptive requirements
  – Meets the challenges in healthcare security
  – Secures protected health information

Overview of the CSF (authoritative sources harmonized by the framework)
• ISO 27001
• PCI-DSS
• HIPAA/HITECH
• Meaningful Use
• NIST 800-53
• FTC Red Flags
• CMS
• Privacy Laws

Organization of the CSF
• Establishes a single benchmark
• Increases trust and transparency
• Obtains industry consensus

CSF and Privacy
• CSF version 7
  – Inclusion of privacy
  – Satisfies health care regulations in TX, MA, and NV

03. Purpose & Scope

Purpose
• Harmonizes privacy and security standards
• Establishes a framework of controls
• Builds trust and assurance
• Highlights credibility
• Helps eliminate the need for redundant audits

Define Scope
• Entire organization environment
• Segmented portions
  – Single location
  – Single business unit
  – Single application
• Covered information

Define Scope
• Assessment options
  – Security Assessment
  – Security & Privacy Assessment
  – Comprehensive Security Assessment
  – Comprehensive Security & Privacy Assessment

Scope of CSF
• Assessment factors
  – Organizational factors
  – System factors
  – Regulatory factors

Scope of CSF
• 14 control categories
  – 13 for Security
  – 1 for Privacy
• 46 control objectives
• 149 control specifications
  – Grouped within 19 assessment domains

Scope of CSF: CSF Assessment Domains (19)
• Information Protection Program
• Access Control
• Endpoint Protection
• Audit Logging & Monitoring
• Portable Media Security
• Education, Training and Awareness
• Mobile Device Security
• Third Party Assurance
• Wireless Security
• Incident Management
• Configuration Management
• Business Continuity & Disaster Recovery
• Vulnerability Management
• Risk Management
• Network Protection
• Physical & Environmental Security
• Transmission Protection
• Data Protection & Privacy
• Password Management

MyCSF
• Access to the CSF and its authoritative sources
• Perform assessments
• Reporting/tracking compliance
• Document remediation in Corrective Action Plans (CAPs)
• Benchmarking

Implementation Levels
• Generated by myCSF
• Levels are 1, 2, and 3
• Level 1 is the baseline; each additional level increases the number of required controls
• Adapted from the NIST SP 800 series

04. Options

Assessment Types
• Self Assessment
• CSF Validated

Assessment Types
• Self Assessment
  – No validation
  – 3rd party can facilitate the assessment
  – 3rd party can provide review and feedback

Assessment Types
• Validated
  – HITRUST-approved CSF Assessor
  – On-site fieldwork
    • Interviews
    • Technical testing

Report Types
• Self-assessment
• CSF Certified
  – Minimum maturity score of 3 in ALL assessment domains
• CSF Validated
  – Maturity rating below 3 in ANY assessment domain

05. Steps to Certification

Step one: Initial Project Planning

Project Planning
• Executive support
• Assignment of a main point of contact
• Determining scope
• Determining system boundaries
• Communication with process owners

Step two: Organizational and System Scoping

Organizational and System Scoping
• Location(s)
• Application(s)
• Device(s)
• Regulatory requirement(s)
• Third party service organization(s)

Step three: Assessment Preparation

Assessment Preparation
• Project calendars
• Evidence request lists
• Identification of process owners
• Interview scheduling

Step four: Examine Documentation and Practices

Examine Documentation and Practices
• Policy documents
• Documented procedures
• Processes

Step five: Conduct Interviews

Conduct Interviews
• Process owners
• Verify process controls
• Confirmation of evidence

Step six: Perform Review and Technical Testing

Perform Technical Testing
• Perform walkthroughs
• Automated control configurations
• Manual control sampling
  – HITRUST sampling methodology

Review Technical Testing
• Compliance scoring
  – Control requirement
    • Policy
    • Procedure
    • Implemented
    • Managed
    • Measured
  – Maturity rating
    • Non-compliant (0%)
    • Somewhat compliant (25%)
    • Partially compliant (50%)
    • Mostly compliant (75%)
    • Fully compliant (100%)
• Compliance scoring example

Step seven: Alternate Control Identification and Selection

Alternate Control Identification and Testing
• Only if non-compliant CSF controls exist
• Identify compensating controls
• Residual compliance scoring

Step eight: Reporting

Reporting
• Prepare for submission to HITRUST
  – Assessor testing
  – Management representation letter
  – Remediation plans (CAPs)
• HITRUST QA Review
  – 4 to 6 weeks

Step nine: Remediation Tracking

Remediation Tracking
• Corrective Action Plan (CAP) progress
  – CAP Owner
  – Implementation plan
  – Expected completion date
• Residual risk score adjustments

06. The Certification Process

Issuing Certification
• Valid 2 years
  – Annual review
    • Within 2 months following the 1-year anniversary
• Continuous monitoring requirements
  – CAP remediation
