As the data breach landscape in the healthcare industry evolves, so do organizations and their compliance with regulatory requirements. Doing ‘nothing’ to protect healthcare data is no longer an acceptable approach for small healthcare entities. “HITRUST CSFBASICs: A New Framework Designed for Smaller Healthcare Organizations”
The HITRUST Alliance has appointed Steve Simmons, Director of Compliance at A-LIGN, and Blaise Wabo, Senior Manager at A-LIGN, to the HITRUST CSF Assessor Council. “HITRUST Appoints Steve Simmons and Blaise Wabo to the HITRUST CSF Assessor Council”
The healthcare environment is extremely dynamic, forcing organizations to find the right solution to match the rising challenges. Many of these solutions introduce new and emerging technologies, leaving healthcare organizations with increased vulnerabilities. Healthcare organizations of every size and type can be breached, so exploring every security solution is critical. In 2016, major cyber-attacks on healthcare increased by 63%, resulting in 93 major cyber-attacks including:
- Banner Health – 3.6 million records
- Newkirk Products – 3.4 million records
- 21st Century Oncology – 2.2 million records
As we move closer to year-end, many organizations begin strategic planning for 2018. Security and privacy statistics within healthcare underline new trends including emerging threats and evolving regulations. Considering these potential industry challenges, which are anticipated to grow in size and severity, A-LIGN has released Future of Healthcare: The Transforming Healthcare Industry.
This whitepaper can be used as a guide to educate your organization and its employees to begin appropriately preparing for 2018 security and compliance initiatives by providing valuable insights, regarding the industry, regulations, and the security measures your organization can enact to prevent and protect against a potential cyber-attack. A-LIGN’s experienced assessors have more than 20 years of experience in the data protection and security industry, and intimately understand the environment from both the client and assessor perspective.
“As we monitor and analyze the current healthcare landscape, it’s apparent that many organizations are becoming vulnerable to new and emerging risks. Therefore, we seek to empower our clients through education and security audits, to prevent them from becoming a victim of a cyberattack and enhancing their information security,” said Steve Simmons, HITRUST Assessor Council Board Member and Director of Compliance at A-LIGN.
The Future of Healthcare: The Transforming Healthcare Industry whitepaper provides your organization:
- An overview of the security and privacy landscape within healthcare including trends, statistics, and potential risks
- A review of the evolving healthcare regulations, specifically HITRUST, it’s recent revisions and the 2017 roadmap
- A description of compliance and audit solutions configured for both the healthcare industry and HITRUST regulation
To tackle information security challenges, organizations must begin to take the first step to protecting their data. Click here to download A-LIGN’s whitepaper, Future of Healthcare: The Transforming Healthcare Industry.
A-LIGN, a global information security and cyber risk advisory, and compliance solutions provider, is committed to staying current on emerging regulations and changes in security frameworks. On September 19, A-LIGN Managing Consultant and HITRUST CCSFP, Blaise Wabo, will host a HITRUST webinar called Using HITRUST CSF v9 to Meet Your Compliance Requirements, to educate healthcare organizations on the changes announced in HITRUST CSF v9. You can register for the webinar here.
Blaise Wabo will lead this webinar by addressing the healthcare risk environment, citing the emerging trends and technologies that make standards like HITRUST necessary, review the incorporation with guidance such as the FFIEC Information Security Examination Handbook, and observe how HITRUST can be used to support regulatory need.
“As technology in the healthcare industry evolves and hackers become more sophisticated, it’s important that organizations and their business associates adapt their security programs to efficiently manage regulatory compliance and risk management. The updates to HITRUST CSF v9 helps maintain relevance by addressing new and emerging risks faced by the healthcare industry,” said Blaise Wabo.
A-LIGN has published numerous resources to assist organizations navigate the compliance lanscape, including a whitepaper called How HITRUST Mitigates the Challenges Facing Healthcare, illustrating how HITRUST can be implemented to minimize risk and alleviate pain points found in healthcare organizations.
“Our goal is to help simplify security solutions, such as HITRUST to help healthcare organizations achieve their compliance initiatives. By monitoring industry trends and providing educational resources, we can empower organizations and help them protect against the evolving information security risks within healthcare,” said Director of Compliance, Steve Simmons.
Statistics show an exponential growth in data breaches within the healthcare industry with projected continuous growth throughout 2018. To tackle information security challenges, organizations must begin to take the first step to protecting their data.
Are you looking for more information on HITRUST CSF and ways to build a security program at your healthcare organization? Contact the security professionals at A-LIGN at info@a-lign or 888-702-5446 to find out how we can help.
Register for the webinar here: http://bit.ly/2x1YOm1
On March 1, 2017, HITRUST announced its roadmap for 2017, which included improvements to the HITRUST CSF and a renewed focus on smaller healthcare organizations.
The roadmap focuses on combating cyber threats and information risks while advancing protection standards regarding healthcare data through CSFBASICs, HITRUST CSF v8.1, HITRUST CSF v9, and CSF Assurance Program v9.
CSF Basic Assurance and Simple Institution Cybersecurity, or CSFBASICs, makes it easier for smaller businesses to realistically meet regulatory demands, in addition to protecting against cyber threats. These requirements are streamlined and make it easier to understand, enabling smaller companies to provide regulatory assurance to regulators and third-parties.
This update is scheduled for availability in Q3 of 2017.
HITRUST CSF v8.1
HITRUST CSF v8.1 was made available February 6, 2017. Updates include support for PCI DSSv3.2 and MARS-E v2.
HITRUST CSF v9
The HITRSUST CSF v9 update includes OCR Audit Protocol v2, FedRAMP Support for Cloud and IaaS Service Providers, and FFIEC IT Examination Handbook for Information Security.
The controls for HITRUST CSF version 9 will increase from 66 to 75. Clients that wish to certify against version 8.0 or 8.1 will need an assessment object already in MyCSF before the release of version 9. Then, the assessment must be submitted for processing within six months. There will be no exceptions to this policy.
HITRUST is ensuring relevant CSF control requirements align with the language of the Office for Civil Rights Audit Protocol. In addition, FedRAMP requirements will be incorporated. Version 9 includes new authoritative sources such as the Federal Financial Institutions Examination Council’s IT Examination Handbook – Information Security requirements, and the Department of Homeland Security’s Cyber Resilience Review (CPR). The HITRUST Threat Catalogue will fully integrate with v10 in 2018.
HITRUST CSF v9 is scheduled to be available in July 2017.
CSF Assurance Program v9
The CSF Assurance Program v9 changes so that a HITRUST CSF Assessment also includes a NIST Cybersecurity Framework certification, which includes auditable documentation in addition to a HIPAA risk assessment.
This program is scheduled for availability in Q3 2017.
Addressing Your HITRUST Needs
Unsure of how these updates could affect your organization? A-LIGN’s professionals have experience with healthcare organizations and their business associates. Please reach out today to discuss how CSFBASICs, HITRUST CSF v8.1, HITRUST CSF v9, and the CSF Assurance Program v9 could affect your organization in 2017 and beyond.
HITRUST CSF v8
To ensure the HITRUST CSF stays relevant and current with the needs of today’s healthcare organizations, the HITRUST Alliance continually updates the CSF to incorporate the changing standards and regulations associated with its authoritative sources.
The updates within v8, which was release on July 1, 2016, incorporate feedback within the HITRUST community, as well as from changes from authoritative sources that include the following:
- Incorporation of the NIST Framework for Improving Critical Infrastructure Cybersecurity (CsF).
- Addition of HITRUST De-Identification Framework assessment.
- Changes from the release of PCI DSS v3.1.
- Updated mapping for the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) v3.0.1.
- American Institute of Certified Public Accountants (AICPA)-approved mapping of the HITRUST CSF controls to its Trust Services Principles and Criteria, which support the CSF Assurance Program and Service Organization Control (SOC) 2 reporting.
- Mappings to and minor content updates from the Center of Internet Security (CIS) Critical Security Controls (CSC).
- Mappings to and minor content updates from Precision Medicine Initiative’s (PMI) Data Security Policy (DSP) Framework.
Organizations can expect additional updates to v8 to come in January 2017 followed by a v9 release that is planned for June 2017.
Any organization that began an assessment after July 1, 2016 will need to leverage the v8 framework. Conversely, if an organization started an assessment before July 1, 2016, that assessment must be completed by December 31, 2016. If that assessment is not submitted before the end of the year, a new assessment object must be created utilizing the v8 framework. If your organization began an assessment before July 1, 2016, it would be in your best interest to complete the assessment prior to the December 31 deadline in order to avoid starting the assessment process all over again.
Previous versions of the CSF will be permitted by HITRUST under certain circumstances. An organization working to close gaps from a self-assessment in myCSF may make a request to HITRUST to certify under the same version of the framework if that self-assessment was performed within the last six months. Organizations working toward HITRUST certification should be mindful of these key dates and timelines to implement all necessary requirements.
Two new required controls were added for certification, bringing the total number of controls to 66. The new controls are as follows:
01.e Review of User Access Right
This control adds that the organization reviews all system accounts and disables any account that cannot be associated with a business process and owner.
Additionally, the organization need to monitor for and notify the user or user’s manager of any accounts that are dormant in order to disable accounts when unneeded. Exceptions, such as vendor maintenance accounts for system recovery, need to be monitored as well. All accounts should match active employees and contractors – accounts that are not appropriately matched should be disabled.
Additional changes to 01.e incorporate CIS CSC and AICPA authoritative references.
01.t Session Time-out
HITRUST has added “bring your own device” (BYOD) rulings that require an automatic lockout screen configuration. This is required at control level 1.
Additional changes to 01.t incorporate CIS CSC, HIPAA, and AICPA authoritative references.
There have also been notable updates to the MyCSF tool:
- Organizational factors are now dynamic within the tool and are updated according to the selected organizational type. The organization types were modified to include service provider options for both IT and non-IT services.
- The inheritance program is also a new feature allowed within the tool. Service organizations can request inheritance to participate in the program by contacting HITRUST following successful certification. Once enrolled, entities that subscribe to their services will have the option to inherit controls and the testing performed in their reports. This option will likely be attractive to potential customers that have HITRUST needs.
HITRUST and SOC 2
As with previous versions, organizations can still leverage the HITRUST CSF for SOC 2 reporting. With v8, the CSF will have updated mapping to the updated SOC 2 Trust Services Principles (TSP) released in 2016 (currently in progress). Auditors will also be able to opine directly on the 66 required controls rather than all 135 controls. Finally, there are plans to map to the SOC 2 TSP’s Privacy Principle in the future.
In conclusion, v8 of the HITRUST CSF takes into account the ever-changing requirements and controls related to the sum of its parts. There have been updates that will benefit both Assessors and the organizations being assessed. It is critical to observe the posted deadlines with creating an assessment through v8.
For more information on how the new version of the HITRUST CSF affects your organization, please reach out to email@example.com to speak with one of our HITRUST Practitioners.
A-LIGN’s HITRUST Assessors are often asked: What is HITRUST and why do I need it? As healthcare organizations face stricter regulatory needs in light of an increase in healthcare-related breaches, many organizations are considering HITRUST as an option for risk management and mitigation.
What is HITRUST?
HITRUST, or the Health Information Trust Alliance, was created in order to develop a consistent system for healthcare organizations and business associates to manage information security. The scalable framework is valuable to any organization that creates, accesses, stores or exchanges personal health information or financial information.
HITRUST uses many existing standards and regulations as a framework, such as HIPAA, HITECH, PCI DSS, COBIT, NIST, ISO and more. By utilizing a variety of standards, the HITRUST Common Security Framework (CSF) offers extensive certification options for organizations. These include a variety of different implementation requirements that depend on the risks that your organization faces, as well as prescriptive requirements that ensure clarity. Controls can be modified based on organization size and type, system and regulatory requirements.
Who requests that I become HITRUST certified?
Organizations are typically asked by their partners and/or business associates to provide a CSF Assurance report. For example, large healthcare organizations such as Anthem Inc., Health Care Services Corp., and Highmark Inc., are requiring that their business associates take steps to become HITRUST CSF compliant.
Why do I have to do it?
Many organizations require that their business associates and partners utilize HITRUST as a consistent information security system. As a result, becoming HITRUST compliant allows your organization a point of differentiation amongst competition.
Additionally, becoming HITRUST compliance allows your organization to minimize the risk of a potential breach, which can be damaging to client relationships and the reputation of your organization. Click here to learn more about our HITRUST services.
Interested in learning more about HITRUST? Contact one of our certified HITRUST practitioners at firstname.lastname@example.org or 1-888-702-5446.
Which HITRUST Assesment Scope is Right for My Organization?
There are 14 different control categories, each with their own number of objectives and requirements. These include the following:
- Information Security Management Program
- Access Control
- Human Resources Security
- Risk Management
- Security Policy
- Organization of Information Security
- Asset Management
- Physical and Environmental Security
- Communications and Operations Management
- Information Systems Acquisition, Development and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Privacy Practices
These control categories are high-level groupings that are based on ISO 27001 and 27002. There are then 46 control objectives that fall within these categories, which essential state what the control is trying to achieve. For example, requirement 0.01 requires that organization implement and manage and Information Security Management Program. These controls are then broken down by implementation level, which is used to support the control that needs to be met and prescribes what level your organization needs to be at dependent on particular risk factors.
The CSF has 135 controls with 3 levels of implementation. Which control level is necessary is dependent on organizational, system and regulatory factors. Which of these controls are relevant to your organization is dependent on the scope of assessment that you receive: security, comprehensive or an assessment with privacy.
Formerly known as the baseline assessment, the security assessment is a set of questions drawn from the MyCSF library across a variety of different assessment domains. This can be used as an initial compliance assessment to determine where your organization is able to meet satisfactory security levels to third-parties. This assessment is designed to measure against 64 of the 149 implementation requirements, thereby providing a minimum set of requirements that covers each of the HIPAA Security Rule’s standards and implementation specifications. The scope of this assessment supports self-assessment and third-party validated assessments.
A comprehensive assessment pulls questions from the MyCSF library and spans 19 different assessment domains. This assessment is able to measure where your organization is in more detail, and is used to show satisfactory security levels to third-parties. This is because it is designed to measure your organization against all of the implementation requirements, providing a higher level of assurance for each of HIPAA’s Security Rule standards and implementation specifications.
The scope of this assessment also supports self-assessment and third-party validated assessments.
Assessment with Privacy
An assessment with privacy adds the 14th domain, privacy, to your assessment. This can be added onto your security assessment or your comprehensive assessment.
This is mandatory for companies operating within Texas, Massachusetts or Nevada, and could be mandatory for organizations doing business within these states, including both covered entities and business associates. However, organizations who are not doing business in these states can also select privacy if there is a contractual obligation to do so.
Need help deciding which HITRUST assessment scope is right for your organization?
Reach out to one of A-LIGN’s HITRUST Practitioners today at email@example.com or 1-888-702-5446.
Because of the unique challenges facing the healthcare industry, companies are considering their options to mitigate and manage their risk. HITRUST offers a framework that allows for consistent implementation of the HIPAA requirements, but generates many questions that need to be answered. Below are a few frequently asked questions that A-LIGN Partner, Gene Geiger, answers as he speaks with companies seeking HITRUST certification, including your firm’s options for HITRUST Certification.
What are my options to become HITRUST Certified? Are there any other options?
To become certified against the HITRUST Common Security Framework (CSF) you must undergo a validated assessment by a HITRUST Assessor Firm, and submit that assessment results using the MyCSF tool to the HITRUST Alliance for review and final Certification. The HITRUST Alliance will evaluate the submission and the scores received during the assessment to issue a certified report based on the scoring of your company. You can find out more about scoring here. You may also undergo a self-assessment using the MyCSF tool or perform a SOC 2 + HITRUST CSF audit. The SOC 2 + HITRUST CSF audit is an assessment performed by a CPA firm who is also a HITRUST Assessor Firm. The Self-Assessment and the SOC 2 + HITRUST do not enable a company to become HITRUST Certified, but they do offer an option to demonstrate compliance against the HITRSUT CSF.
Do I have to purchase the MyCSF tool from the HITRUST Alliance to become HITRUST Certified? Can I purchase that from you?
To become HITRUST Certified you must purchase and use a MyCSF subscription through the HITRUST Alliance. You cannot purchase the subscription though A-LIGN or other assessor firm.
I’m a small to medium sized business; how am I expected to pass the same certification and meet the same controls of these large corporations? Are there any ways to reduce the cost of certification for a company of my size?
The HITRUST CSF was designed for organization of all sizes. Compliance of each control is scored evenly and is either Non-Compliant (0), Somewhat Compliant (25), Partially Compliant (50), Mostly Compliant (75), or Fully Compliance (100). However, the HITRUST controls are assessed using a weighted scoring system. The scoring for the system follows a concept of “one can’t manage what one can’t measure” and its risk-based approach directly applies to small or medium sized organizations.
How do I know if I will pass the test and receive certification from the HITRUST Alliance? What happens if I fail?
Your team and the assessor firm will know if a control has met the passing score for certification. The MyCSF tool is scoring you as your assessor is evaluating each control throughout the process. You will know if you have received a passing score prior to the submission of A-LIGN’s assessment to HITRUST. If you did submit prior to meeting a 3 out of 5, the passing score for certification, you would still receive a validated HITRUST assessment report, however you would not receive a certification from the HITRUST Alliance. If you do not reach certification as part of the first submission, you may be able to resubmit.
Will this assessment meet my requirements for my HIPAA compliance? What about my PCI-DSS Certification and NIST 800.53 compliance?
While HIPAA compliance is still a priority in healthcare, the HITRUST CSF can be used to translate HIPAA and HITECH requirements into a step-by-step compliance roadmap. HITRUST was built upon the ISO 27001 framework using controls from HIPAA, NIST 800.53, PCI-DSS, various state requirements (Nevada, Massachusetts, and Texas), and COBIT. Because of the variety of standards that are cross-referenced with HITRUST, your organization is able to mitigate risk more broadly than solely meeting HIPAA compliance requirements. Although you are able to assess and audit yourself against various audit and security standards under the HITRUST CSF Certification, you will not receive additional certifications from PCI, ISO 27001, or NIST 800-53.
Still looking for additional information on HITRUST? Check out our HITRUST resources:
- The Challenges Facing Healthcare & How HITRUST Can Help
- Understanding the HITRUST Specification and Scoring
- HITRUST Assessment Types & HITRUST Integration with SOC 2
- An Overview of the HITRUST CSF and Related Frameworks
- HITRUST Assessment Scoping Guidelines