With HITRUST v9.2, the Common Security Framework (CSF) continues to be a very powerful and useful security framework for any organization – both inside and outside the healthcare industry.
What is HITRUST?
Related posts:
- “Understanding the HITRUST Inheritance Program”: Because of the number of patients seeing medical professionals every day and the nature of their visits, the healthcare industry faces unique security challenges that no other industry sees.
- “HITRUST CSFBASICs: A New Framework Designed for Smaller Healthcare Organizations”: As the data breach landscape in the healthcare industry evolves, so do organizations and their compliance with regulatory requirements. Doing ‘nothing’ to protect healthcare data is no longer an acceptable approach for small healthcare entities.
- “HITRUST Appoints Steve Simmons and Blaise Wabo to the HITRUST CSF Assessor Council”: The HITRUST Alliance has appointed Steve Simmons, Director of Compliance at A-LIGN, and Blaise Wabo, Senior Manager at A-LIGN, to the HITRUST CSF Assessor Council.
The healthcare environment is extremely dynamic, forcing organizations to find the right solution to match the rising challenges. Many of these solutions introduce new and emerging technologies, leaving healthcare organizations with increased vulnerabilities. Healthcare organizations of every size and type can be breached, so exploring every security solution is critical. In 2016, major cyber-attacks on healthcare increased by 63%, resulting in 93 major cyber-attacks including:
- Banner Health – 3.6 million records
- Newkirk Products – 3.4 million records
- 21st Century Oncology – 2.2 million records
As we move closer to year-end, many organizations begin strategic planning for 2018. Security and privacy statistics within healthcare underline new trends including emerging threats and evolving regulations. Considering these potential industry challenges, which are anticipated to grow in size and severity, A-LIGN has released Future of Healthcare: The Transforming Healthcare Industry.
This whitepaper can be used as a guide to educate your organization and its employees so they can begin preparing for 2018 security and compliance initiatives. It provides insights into the industry, its regulations, and the security measures your organization can enact to prevent and protect against a potential cyber-attack. A-LIGN’s assessors have more than 20 years of experience in the data protection and security industry, and understand the environment from both the client and assessor perspective.
“As we monitor and analyze the current healthcare landscape, it’s apparent that many organizations are becoming vulnerable to new and emerging risks. Therefore, we seek to empower our clients through education and security audits, to prevent them from becoming a victim of a cyberattack and to enhance their information security,” said Steve Simmons, HITRUST Assessor Council Board Member and Director of Compliance at A-LIGN.
The Future of Healthcare: The Transforming Healthcare Industry whitepaper provides your organization:
- An overview of the security and privacy landscape within healthcare including trends, statistics, and potential risks
- A review of the evolving healthcare regulations, specifically HITRUST, its recent revisions and the 2017 roadmap
- A description of compliance and audit solutions configured for both the healthcare industry and HITRUST regulation
To tackle information security challenges, organizations must take the first step toward protecting their data. A-LIGN’s whitepaper, Future of Healthcare: The Transforming Healthcare Industry, is available for download.
A-LIGN, a global information security and cyber risk advisory, and compliance solutions provider, is committed to staying current on emerging regulations and changes in security frameworks. On September 19, A-LIGN Managing Consultant and HITRUST CCSFP, Blaise Wabo, will host a HITRUST webinar called Using HITRUST CSF v9 to Meet Your Compliance Requirements, to educate healthcare organizations on the changes announced in HITRUST CSF v9. You can register for the webinar here.
Blaise Wabo will lead this webinar by addressing the healthcare risk environment, citing the emerging trends and technologies that make standards like HITRUST necessary, reviewing how HITRUST incorporates guidance such as the FFIEC Information Security Examination Handbook, and observing how HITRUST can be used to support regulatory needs.
“As technology in the healthcare industry evolves and hackers become more sophisticated, it’s important that organizations and their business associates adapt their security programs to efficiently manage regulatory compliance and risk management. The updates to HITRUST CSF v9 help maintain relevance by addressing new and emerging risks faced by the healthcare industry,” said Blaise Wabo.
A-LIGN has published numerous resources to assist organizations in navigating the compliance landscape, including a whitepaper called How HITRUST Mitigates the Challenges Facing Healthcare, which illustrates how HITRUST can be implemented to minimize risk and alleviate pain points found in healthcare organizations.
“Our goal is to help simplify security solutions, such as HITRUST to help healthcare organizations achieve their compliance initiatives. By monitoring industry trends and providing educational resources, we can empower organizations and help them protect against the evolving information security risks within healthcare,” said Director of Compliance, Steve Simmons.
Statistics show rapid growth in data breaches within the healthcare industry, with continued growth projected throughout 2018. To tackle information security challenges, organizations must take the first step toward protecting their data.
Are you looking for more information on HITRUST CSF and ways to build a security program at your healthcare organization? Contact the security professionals at A-LIGN at info@a-lign or 888-702-5446 to find out how we can help.
Register for the webinar here: http://bit.ly/2x1YOm1
On March 1, 2017, HITRUST announced its roadmap for 2017, which included improvements to the HITRUST CSF and a renewed focus on smaller healthcare organizations.
The roadmap focuses on combating cyber threats and information risks while advancing protection standards regarding healthcare data through CSFBASICs, HITRUST CSF v8.1, HITRUST CSF v9, and CSF Assurance Program v9.
CSF Basic Assurance and Simple Institution Cybersecurity, or CSFBASICs, makes it easier for smaller businesses to realistically meet regulatory demands while also protecting against cyber threats. The requirements are streamlined and easier to understand, enabling smaller companies to provide assurance to regulators and third parties.
This update is scheduled for availability in Q3 of 2017.
HITRUST CSF v8.1
HITRUST CSF v8.1 was made available February 6, 2017. Updates include support for PCI DSSv3.2 and MARS-E v2.
HITRUST CSF v9
The HITRUST CSF v9 update includes OCR Audit Protocol v2, FedRAMP support for cloud and IaaS service providers, and the FFIEC IT Examination Handbook for Information Security.
The controls for HITRUST CSF version 9 will increase from 66 to 75. Clients that wish to certify against version 8.0 or 8.1 will need an assessment object already in MyCSF before the release of version 9. Then, the assessment must be submitted for processing within six months. There will be no exceptions to this policy.
HITRUST is ensuring that relevant CSF control requirements align with the language of the Office for Civil Rights Audit Protocol. In addition, FedRAMP requirements will be incorporated. Version 9 includes new authoritative sources such as the Federal Financial Institutions Examination Council’s IT Examination Handbook – Information Security requirements, and the Department of Homeland Security’s Cyber Resilience Review (CRR). The HITRUST Threat Catalogue will fully integrate with v10 in 2018.
HITRUST CSF v9 is scheduled to be available in July 2017.
CSF Assurance Program v9
Under CSF Assurance Program v9, a HITRUST CSF Assessment also includes a NIST Cybersecurity Framework certification, which provides auditable documentation in addition to a HIPAA risk assessment.
This program is scheduled for availability in Q3 2017.
Addressing Your HITRUST Needs
Unsure of how these updates could affect your organization? A-LIGN’s professionals have experience with healthcare organizations and their business associates. Please reach out today to discuss how CSFBASICs, HITRUST CSF v8.1, HITRUST CSF v9, and the CSF Assurance Program v9 could affect your organization in 2017 and beyond.
HITRUST CSF v8
To ensure the HITRUST CSF stays relevant and current with the needs of today’s healthcare organizations, the HITRUST Alliance continually updates the CSF to incorporate the changing standards and regulations associated with its authoritative sources.
The updates within v8, which was released on July 1, 2016, incorporate feedback from the HITRUST community, as well as changes from authoritative sources, including the following:
- Incorporation of the NIST Framework for Improving Critical Infrastructure Cybersecurity (CsF).
- Addition of HITRUST De-Identification Framework assessment.
- Changes from the release of PCI DSS v3.1.
- Updated mapping for the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) v3.0.1.
- American Institute of Certified Public Accountants (AICPA)-approved mapping of the HITRUST CSF controls to its Trust Services Principles and Criteria, which support the CSF Assurance Program and Service Organization Control (SOC) 2 reporting.
- Mappings to and minor content updates from the Center of Internet Security (CIS) Critical Security Controls (CSC).
- Mappings to and minor content updates from Precision Medicine Initiative’s (PMI) Data Security Policy (DSP) Framework.
Organizations can expect additional updates to v8 to come in January 2017 followed by a v9 release that is planned for June 2017.
Any organization that began an assessment after July 1, 2016 will need to leverage the v8 framework. Conversely, if an organization started an assessment before July 1, 2016, that assessment must be completed by December 31, 2016. If that assessment is not submitted before the end of the year, a new assessment object must be created utilizing the v8 framework. If your organization began an assessment before July 1, 2016, it would be in your best interest to complete the assessment prior to the December 31 deadline in order to avoid starting the assessment process all over again.
Previous versions of the CSF will be permitted by HITRUST under certain circumstances. An organization working to close gaps from a self-assessment in myCSF may make a request to HITRUST to certify under the same version of the framework if that self-assessment was performed within the last six months. Organizations working toward HITRUST certification should be mindful of these key dates and timelines to implement all necessary requirements.
Two new required controls were added for certification, bringing the total number of controls to 66. The new controls are as follows:
01.e Review of User Access Rights
This control adds that the organization reviews all system accounts and disables any account that cannot be associated with a business process and owner.
Additionally, the organization needs to monitor for dormant accounts and notify the user or the user’s manager so that unneeded accounts can be disabled. Exceptions, such as vendor maintenance accounts for system recovery, need to be monitored as well. All accounts should match active employees and contractors; accounts that are not appropriately matched should be disabled.
Additional changes to 01.e incorporate CIS CSC and AICPA authoritative references.
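To make the 01.e review concrete, here is an added example (not HITRUST’s or A-LIGN’s code) that classifies an exported list of system accounts against an HR roster: accounts with no owner or business process, or whose owner is no longer an active employee or contractor, are queued for disabling; dormant accounts trigger a notification to the user’s manager; documented exceptions such as vendor maintenance accounts are kept but flagged for monitoring. The roster, account names, and the 90-day dormancy threshold are constructed assumptions; the control itself sets no specific number of days.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample inputs (hypothetical names, not from the original page).
ACTIVE_PEOPLE = {"asmith", "bjones", "ctran"}   # active employees and contractors per HR
VENDOR_EXCEPTIONS = {"vendor-recovery"}         # documented exceptions, e.g. vendor maintenance
DORMANT_AFTER = timedelta(days=90)              # assumed dormancy threshold
TODAY = date(2017, 1, 15)                       # fixed "today" so the review is reproducible


@dataclass
class Account:
    name: str
    owner: Optional[str]             # accountable person on record, None if unknown
    business_process: Optional[str]  # process the account supports, None if unknown
    last_login: Optional[date]       # None means never used
    manager: Optional[str]           # who to notify for a dormant account


def review_accounts(accounts, active_people, exceptions, today, dormant_after=DORMANT_AFTER):
    """Return {'disable': [...], 'notify': [(account, recipient)], 'monitor': [...]}."""
    result = {"disable": [], "notify": [], "monitor": []}
    for acct in accounts:
        if acct.name in exceptions:
            # Exceptions are not disabled, but 01.e still requires they be monitored.
            result["monitor"].append(acct.name)
        elif not acct.owner or not acct.business_process or acct.owner not in active_people:
            # No business process/owner, or the owner is no longer active: disable.
            result["disable"].append(acct.name)
        elif acct.last_login is None or today - acct.last_login > dormant_after:
            # Dormant: notify the manager (or the user) so it can be disabled if unneeded.
            result["notify"].append((acct.name, acct.manager or acct.owner))
    return result


SAMPLE_ACCOUNTS = [
    Account("asmith", "asmith", "billing", date(2017, 1, 10), "bjones"),        # healthy
    Account("svc-report", None, "reporting", date(2017, 1, 12), None),          # no owner
    Account("dlee", "dlee", "nursing", date(2017, 1, 9), "bjones"),             # owner left
    Account("ctran", "ctran", "radiology", date(2016, 9, 1), "bjones"),         # dormant
    Account("vendor-recovery", "vendor", "system recovery", None, None),        # exception
    Account("legacy-app", "asmith", None, date(2017, 1, 2), "bjones"),          # no process
]


def run_review():
    return review_accounts(SAMPLE_ACCOUNTS, ACTIVE_PEOPLE, VENDOR_EXCEPTIONS, TODAY)


if __name__ == "__main__":
    for category, items in run_review().items():
        print(category, items)
```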
01.t Session Time-out
HITRUST has added “bring your own device” (BYOD) requirements that call for an automatic screen-lock configuration. This is required at control level 1.
Additional changes to 01.t incorporate CIS CSC, HIPAA, and AICPA authoritative references.
There have also been notable updates to the MyCSF tool:
- Organizational factors are now dynamic within the tool and are updated according to the selected organizational type. The organization types were modified to include service provider options for both IT and non-IT services.
- The inheritance program is also a new feature within the tool. Service organizations can request to participate in the program by contacting HITRUST following successful certification. Once enrolled, entities that subscribe to their services will have the option to inherit controls and the testing performed in their reports. This option will likely be attractive to potential customers that have HITRUST needs.
HITRUST and SOC 2
As with previous versions, organizations can still leverage the HITRUST CSF for SOC 2 reporting. With v8, the CSF will have updated mapping to the updated SOC 2 Trust Services Principles (TSP) released in 2016 (currently in progress). Auditors will also be able to opine directly on the 66 required controls rather than all 135 controls. Finally, there are plans to map to the SOC 2 TSP’s Privacy Principle in the future.
In conclusion, v8 of the HITRUST CSF takes into account the ever-changing requirements and controls of its authoritative sources. The updates will benefit both assessors and the organizations being assessed. It is critical to observe the posted deadlines when creating an assessment under v8.