The HITRUST Common Security Framework
The HITRUST Common Security Framework: A revolutionary way to protect electronic health information

Organizations in the healthcare industry are under immense pressure to improve quality, reduce complexity, increase efficiency and better manage medical expenses. Information systems and data exchanges are considered fundamental for their potential to allow organizations to meet these objectives; however, the adoption of these technologies is highly regulated and introduces risks that require additional oversight and vigilance by the industry.

Healthcare organizations face multiple challenges relating to information security:
• Redundant and inconsistent requirements and standards.
• Confusion surrounding implementation and acceptable minimum controls.
• Inefficiencies associated with varying interpretations of control objectives and safeguards.
• Increasing scrutiny from regulators, auditors, underwriters, customers and business partners.
• Growing risk and liability, including data breaches, regulatory violations and extortion.

The Health Information Trust Alliance (HITRUST) believes that, despite these challenges, information security is critical to the broad adoption, utilization and confidence in health information systems, medical technologies and electronic exchanges. HITRUST, in collaboration with healthcare, business, technology and information security leaders, works to identify issues and obstacles to protecting information and develops approaches to standardize, streamline and simplify security in a manner that is applicable to all organizations in the healthcare industry.

The product of this collaboration is the HITRUST Common Security Framework (CSF), a certifiable framework that all healthcare organizations that create, access, store or exchange electronic health and other sensitive information can implement. By adopting the CSF, organizations can better protect their electronic information assets and build greater trust and efficiencies in the electronic flow of information within the healthcare system.
The Common Security Framework

The most widely-adopted security framework in the U.S. healthcare industry and an invaluable tool for healthcare security professionals, the CSF provides organizations with the needed structure, detail and clarity relating to information security that is tailored to the healthcare industry. It includes a prescriptive set of controls and supporting requirements that clearly define how organizations meet the objectives of the framework. According to the type, size and complexity of the organization and its systems, the controls scale through multiple levels of implementation requirements that are based on risk-contributing factors.

The HITRUST CSF also addresses the challenges of the industry by leveraging and cross-referencing existing standards and regulations. This avoids introducing redundancy and ambiguity into the industry and helps simplify an organization's compliance efforts. The CSF normalizes these sources in such a way that organizations can quickly understand their compliance status across a wide range of standards and authoritative sources.

By implementing the CSF, organizations will have a common security baseline and a method for communicating validated security controls to all of their constituents.
Organization of the CSF

The HITRUST CSF is a comprehensive tool developed to aid organizations that create, store, access or exchange electronic health and other sensitive information. The CSF is comprised of two components: the Information Security Implementation Manual and the Standards and Regulations Mapping.

Information Security Implementation Manual

The Information Security Implementation Manual is a certifiable, best-practice-based specification that scales according to the type, size and complexity of an organization's environment to provide prescriptive implementation guidance. It includes both recommended security governance practices (e.g., organization, policies, etc.) and sound security control practices (e.g., people, process, technology) to ensure the effective and efficient management of information security.
Control Framework

The Implementation Manual contains 13 security control categories comprised of 42 control objectives and 135 control specifications. The categories included in the Manual are:
• Information Security Management Program
• Access Control
• Human Resources Security
• Risk Management
• Security Policy
• Organization of Information Security
• Compliance
• Asset Management
• Physical and Environmental Security
• Communications and Operations Management
• Information Systems Acquisition, Development and Maintenance
• Information Security Incident Management
• Business Continuity Management

Enhancements to the CSF Version 6.0

HITRUST provides regular updates to the CSF to ensure it remains relevant to the organizations that rely upon it to address evolving security requirements and maintain regulatory compliance. Recent updates include new guidance pertaining to:
• State of Texas Standards
• NIST 800 Series Harmonization
• Updated CMS Contractor Requirements
• Updated Illustrative Procedures and Administrative Guidance
Alternate Controls

With the diverse nature of today's information systems, organizations may find it difficult or not practical to meet the CSF's requirements. Because of this, the CSF supports a concept of approved Alternate Controls as a risk mitigation or compensation strategy for a system control failure. HITRUST has defined an alternate control process that provides for the streamlined proposal, approval and implementation of Alternate Controls across all organizations. This allows the entire industry to continually improve its security and compliance stance. An Alternate Control is defined as a management, operational or technical control (i.e., safeguard or countermeasure) that can be employed by an organization in lieu of the level 1, 2 or 3 implementation requirements defined in the CSF that provides equivalent or comparable protection for an organization's information system.
Standards and Regulations Mapping

The Standards and Regulations Mapping tool reconciles the HITRUST CSF with multiple common and accepted standards and regulations applicable to healthcare organizations. The tool maps each control specification and implementation requirement so that one can clearly understand the alignment between HITRUST's requirements and those of other standards, thus aiding compliance efforts. In addition, the Mapping identifies any gaps not addressed by other sets of requirements that are covered by the HITRUST CSF. The tool gives organizations a 360° perspective of their information security landscape. Covered standards and regulations include:
• ISO/IEC 27001:2005
• ISO/IEC 27002:2005
• ISO/IEC 27799:2008
• COBIT 5
• HIPAA
• NIST SP 800-53 Revision 4
• NIST SP 800-66
• PCI DSS version 2.0
• 16 CFR Part 681
• FTC Red Flags Rule
• HITECH Act
• 21 CFR Part 11
• JCAHO IM
• 201 CMR 17.00 (State of Mass.)
• NRS 603A (State of Nev.)
• CSA Cloud Controls Matrix v1
• CMS ARS
• TX HB 300
• CAQH CORE
6136 Frisco Square Blvd.
Suite 327
Frisco, TX 75034
P: (469) 269-1100
F: (469) 269-1101
www.HITRUSTalliance.net
Implementing the CSF

Implementation of the HITRUST CSF will vary by organization in both time commitment and level of effort. This can be due to several factors, including:
• Complexity of the individual organization's information systems environment.
• Maturity of the current security processes and controls.
• Number of resources available to the organization.

Despite these variations, all organizations can follow the same process in preparing for and performing an assessment of their existing infrastructure against the CSF. This consistent process allows organizations to feel secure in the success of their CSF implementations and confident that other organizations have performed equal due diligence to achieve compliance with the CSF.
Access your copy of the CSF

Individuals can access the CSF through HITRUST Central or with a subscription to MyCSF. Access to HITRUST Central is available at no charge to individuals from qualified organizations* and includes access to the CSF in PDF format. A subscription to MyCSF is available for an annual fee based on organization type and provides access for five individuals in the purchasing organization to access MyCSF View, MyCSF Assessment and MyCSF Benchmarking. The annual subscription price for MyCSF is $6,550 for qualified organizations and $10,000 for all other organizations (i.e., professional services and technology organizations). To learn more about a subscription to MyCSF, download the MyCSF datasheet.

For more information about HITRUST, the HITRUST CSF and other HITRUST offerings and programs, visit HITRUSTalliance.net.
About HITRUST

The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST, in collaboration with healthcare, business, technology and information security leaders, has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. Beyond the establishment of the CSF, HITRUST is also driving the adoption of and widespread confidence in the framework and sound risk management practices through awareness, education, advocacy and other outreach activities.

* A qualified organization is any organization employing a function or activity involving the use or disclosure of individually identifiable health information, provided that said organization does not provide security products or services. Additionally, any federal, state, or local agency or department may qualify. HITRUST has the right to verify eligibility.
HITRUST CSF Implementation and Assessment Activities

The figure lays out nine steps, grouped into three phases: Scoping, Assessment and Remediation.

Step 1 Project Startup: Identify personnel resources & management techniques to be used
Step 2 Define Organizational Scope: Define scope of the assessment in terms of business units & identify stakeholders
Step 3 Define System Scope: Define scope of the assessment for each business unit, including those with higher risk profiles
Step 4 Gather & Review Documentation: Gather & review the necessary information & review where necessary as defined by the CSF Control Audit Procedures
Step 5 Conduct Interviews: Conduct interviews with business unit stakeholders
Step 6 Perform System Tests: Perform system tests to validate control implementation
Step 7 Alternate Control Identification & Selection: Select & document any alternate controls
Step 8 Reporting: Develop the assessment report with all noncompliant controls & document any remediation tasks
Step 9 Remediation Tracking: Finalize report and track remediation activities