Post on 18-Jun-2018
HITRUST Risk Management Framework
Copyright 2018 © HITRUST Alliance.
Risk Management Frameworks
How HITRUST provides an efficient and effective approach to the selection, implementation, assessment and reporting of information security and privacy controls to manage risk in a healthcare environment
2018
Contents
Introduction, p. 3
Background, p. 5
  Overview, p. 5
  HIPAA, p. 5
  HITECH, p. 6
  Omnibus Rule, p. 6
  Other Drivers, p. 7
  Summary, p. 7
Risk Management Frameworks, p. 7
  Overview, p. 7
  General RMF, p. 8
    Step 1 - Identify Risks and Define Protection Requirements, p. 8
    Step 2 - Specify Controls, p. 9
    Step 3 - Implement and Manage Controls, p. 9
    Step 4 - Assess and Report, p. 9
    Summary, p. 10
  NIST RMF, p. 10
    Step 1 - Identify Risks and Define Protection Requirements, p. 10
    Step 2 - Specify Controls, p. 11
    Step 3 - Implement and Manage Controls, p. 12
    Step 4 - Assess and Report, p. 13
    Summary, p. 14
  HITRUST RMF, p. 14
    Step 1 - Identify Risks and Define Protection Requirements, p. 14
    Step 2 - Specify Controls, p. 15
    Step 3 - Implement and Manage Controls, p. 16
    Step 4 - Assess and Report, p. 17
    Summary, p. 20
Conclusion, p. 20
About HITRUST, p. 22
  MyCSF, p. 22
Figure 1
Introduction
Healthcare organizations continue to face a multitude of challenges with regards to information security and privacy. At the forefront of these challenges is the need to apply ‘reasonable and appropriate’ safeguards to provide ‘adequate’ protection of sensitive information to demonstrate compliance with a growing number of continuously evolving federal, state and industry requirements. However, given the general lack of definition and prescriptiveness of these requirements, organizations are left with the task of deciding what actions would be considered ‘reasonable and appropriate’ and what level of protection would be ‘adequate’ in the eyes of federal, state and industry regulators, business partners, patients and their families, and other interested third-parties.
This complex challenge is the basis for why the healthcare industry came together and formed HITRUST. HITRUST did the ‘heavy lifting’ by integrating multiple international, federal, state and industry legislation, regulations, standards, and best practice frameworks; adapted them to the healthcare environment in particular; and determined an industry standard of due diligence and due care that can be tailored to an individual organization based upon its specific business requirements. The result of these efforts is the HITRUST CSF, an industry-wide framework of security and privacy controls that is based on, and cross-referenced with, existing requirements. In addition, the HITRUST CSF Assurance Program provides organizations with a single approach for conducting an assessment and reporting against these multiple requirements. Both the HITRUST CSF and CSF Assurance Program are updated at least annually to account for changes in legislation, regulations, standards, guidance and best practices, such as with the 2014 release of the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, more commonly known as the NIST Cybersecurity Framework (CsF). Further, all changes to the HITRUST CSF are provided to the industry for review and comment, ensuring transparency and openness. HITRUST provides the CSF free to qualified organizations that wish to implement the framework.
So, why does the HITRUST CSF increase in value as new/updated requirements or guidance are released? Because the more complex the security and regulatory landscape becomes, the more difficult it is for organizations to maintain compliance, protect information, and protect themselves against breaches. HITRUST established a flexible control structure from its inception and continuously adds and updates the framework in response to changing legislation, regulations, standards and guidance. Part of the process is to analyze each new source and map its requirements to the control structure, which can also be performed with the assistance of a cross-industry working group. In addition, the HITRUST CSF was structured in such a way that allows additional tailoring based on risk factors such as organizational type or a specific system characteristic. HITRUST also continues to develop and publish guidance and tools like the HITRUST CSF assessment methodology and MyCSF as part of an overall risk management framework (RMF), which is essentially a common taxonomy and standard set of processes, procedures, activities and tools that support the identification, assessment, response, control and reporting of risk. This provides organizations with one set of requirements irrespective of new or updated regulations, guidance or best practices, and one compliance approach to implement and manage ‘reasonable and appropriate’ safeguards that demonstrate the level of due care and due diligence required to ensure ‘adequate’ protection of the information with which they are entrusted.
What would organizations need to do without HITRUST and the CSF? The alternative is to continually review changes to legislation, regulations, guidance and standards to determine the requirements that are appropriate based on each organization’s risk profile, identify industry best practices to address the requirements, and develop an approach to assess its compliance against these requirements. Because each organization would be working independently, each interpretation and implementation of the requirements would be unique if not proprietary, impeding the ability to form trusted, third-party business relationships and the healthcare industry’s progress in the digital age.
This paper describes:
• How organizations struggle with the constantly changing security and regulatory landscape,
• How the most efficient and effective way to deal with these changes is by adoption of an appropriate RMF,
• The NIST and HITRUST RMFs using a 4-step risk management process, and
• How the HITRUST RMF is more practical and provides more value for non-federal healthcare entities.
The more the security and regulatory landscape changes, the more an RMF is needed, and the better value HITRUST offers the industry—the heavy lifting is already done.
Figure 2
Background
Overview
Healthcare organizations are facing multiple challenges with regards to information security and privacy. Redundant and inconsistent requirements and standards increase complexity and drive up costs. Confusion around acceptable safeguards and the lack of defined security requirements result in critical systems without appropriate administrative, physical and technical safeguards. Further, the increased scrutiny from regulators, auditors, underwriters, customers and other third parties leaves the industry coping with additional exposure, increased liability, and growing risks to patients, their families and healthcare organizations. In addition, organizations are challenged with appropriately managing the sharing of information due to the wide range of business partners and other third parties with different capabilities, requirements and risk profiles.
These issues led to a growing need and broad desire for a common security framework—a set of common standards and supporting methodologies—that would provide a minimum baseline set of security requirements. Due to the varied nature of organizations in healthcare in particular, this framework also needed to be tailorable to a specific size and type of organization, which would improve adoption and implementation, and subsequently improve stakeholder trust as well as further mitigate potential liability from breaches of sensitive information.
Thus, HITRUST was born out of the belief that information security and privacy are critical to the broad adoption, utilization and confidence in health information systems, medical technologies and electronic exchanges of health information. The HITRUST CSF® provides the needed fundamental and holistic change in the way industry manages information security and privacy-related risk. It rationalizes legislation, regulations, standards and best practices into a single overarching framework and provides a consistent approach to certification and risk acceptance.
HIPAA
The principal driver behind security and privacy in healthcare for many years was without a doubt the Health Information Portability and Accountability Act (HIPAA), which incorporates specific privacy and security requirements for providers, payers and other covered entities in the healthcare industry. HIPAA’s Security Rule provided numerous implementation specifications that essentially required covered entities to implement reasonable and appropriate administrative, technical and physical safeguards for protected health information (PHI).
Unfortunately, the implementation specifications in the Rule generally lack the level of prescriptiveness necessary to determine a standard of due care or diligence, i.e., safeguards that would be considered ‘reasonable and appropriate.’ Organizations were subsequently left to determine these safeguards for themselves but often found them difficult to justify given the costs associated with their implementation. It is notoriously difficult to quantify a return on investment for new security investments unless existing technologies or processes are being replaced, allowing such costs to be calculated. Unless specifically required by a business partner or regulator, security investments are most often justified based on ‘cost avoidance’ calculations, or what has been referred to by some security experts as ‘fear, uncertainty and doubt.’
To compound matters, healthcare is a service industry focused on quality of care as well as efficiency and cost. Given that patients and others have found it difficult to evaluate this quality of service, it is subsequently difficult for organizations to calculate their return on investment for any initiative, let alone those with significant security and privacy requirements. Fortunately, it only took three years after compliance with the Security Rule was mandatory for the federal government to realize the difficulties engendered with the Rule’s practical application and issue additional legislation.
HITECH
As part of the national initiative to improve quality and lower the cost of healthcare through the meaningful use of electronic health record (EHR) systems and health information exchanges (HIEs), Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act as part of the American Recovery and Reinvestment Act of 2009. In addition to the privacy and security requirements for meaningful use, in which covered entities are expected to conduct or review a security risk analysis and correct identified deficiencies, the most significant changes stemming from HITECH were the establishment of a federal breach notification requirement and increased enforcement of the HIPAA Security Rule through the Office of Civil Rights (OCR).
Unfortunately, the HITECH Act did not provide significant additional guidance to organizations on what levels of due diligence and due care are reasonable and appropriate. It was not until a few years later when OCR and NIST began cooperating on providing guidance on the HIPAA Security Rule’s requirements that covered entities began to get a real indication of the increased level of rigor the federal government expected. OCR and NIST began hosting a series of annual joint conferences on security and privacy, and worked together to produce the NIST HIPAA Security Rule (HSR) Toolkit in 2011. OCR also published additional guidance in 2012 on the audit protocol being used as part of the overall HIPAA enforcement effort. (Note a much anticipated second version of the protocol was published in 2016, providing more specific guidance on the types of activities OCR expected covered entities to undertake for each of the Rule’s standards and implementation specifications.)
Omnibus Rule
The HIPAA Final Omnibus Rule published in January of 2013—10 years after the Security Rule was released—provides final modifications to the HIPAA Privacy, Security and Enforcement Rules embedded in the HITECH Act, a final rule on tiered monetary penalties, and a Breach Notification Rule. One of the most significant aspects of the Omnibus Rule is its application to business associates, which are now directly liable for failure to comply with all the Rule’s requirements, including the HIPAA Security Rule as mandated by HITECH.
Other Drivers
While legislation and regulation are arguably the principal driver for security and privacy in healthcare, there are numerous other legislative, regulatory, industry and best practice requirements that healthcare entities must address. Examples include the Privacy Act of 1974, the Genetic Information Non-discrimination Act (GINA) of 2008 (later incorporated into the HIPAA Omnibus), the Federal Trade Commission (FTC) Red Flags Rule and Fair Information Practice Principles, Federal Drug Administration (FDA) requirements for EHRs and electronic signatures, multiple state-level security and privacy legislation and regulations, and the Payment Card Industry Digital Security Standard (PCI-DSS).
Summary
Organizations have faced, and will continue to face, multiple challenges with regards to information security and privacy, including the growing need to demonstrate compliance with multiple federal, state and industry requirements. However, given the general lack of definition and prescriptiveness of these requirements, organizations are left with the task of deciding what actions would be considered ‘reasonable and appropriate’ and what level of protection would be ‘adequate’ in the eyes of federal, state and industry regulators, business partners, customers, and other interested third parties. Implementing the right framework, processes and tools is the only efficient and effective way to manage information risk and compliance.
The HITRUST CSF provides the needed fundamental and holistic change in the way industry manages information security and privacy-related risk. It rationalizes legislation, regulations, standards and best practices into a single overarching framework tailored for industry—healthcare in particular—and provides a consistent approach to assessment, certification and risk acceptance.
Risk Management Frameworks
Overview
So, how can an organization determine ‘reasonable and appropriate’ safeguards to provide ‘adequate’ protection for sensitive information? Or stated another way, how can an organization select and implement a specific set of controls to manage information security and privacy-related risk at an acceptable level?
The textbook answer is through a comprehensive risk analysis that (1) includes threat and vulnerability assessments, information asset valuation, and the selection of a comprehensive set of information security and privacy controls that addresses the enumerated threat-vulnerability pairs (a process sometimes referred to as threat modeling), (2) is cost-effective, and (3) manages risk at a level deemed acceptable by the organization.
From a quantitative viewpoint, this process is virtually impossible for many—if not most—organizations to perform. For example, unless actuarial-type information is available, the likelihood a threat-source will successfully exploit one or more vulnerabilities cannot be calculated with any level of precision. In the case of a human actor, likelihood is also dependent on the motivation of the threat source and the difficulty or cost associated with exploiting one or more vulnerabilities to achieve the threat actor’s objectives. As a result, it is similarly difficult to develop a valid business case for a specific risk response or treatment based on a return on investment. Organizations could take a semi- or quasi-quantitative approach or even a purely qualitative approach; however, it would still be difficult for an organization to develop a valid business case, particularly for a comprehensive set of risk responses.
Figure 3
An alternative approach is to rely on other organizations that do have the resources to develop a set of controls that addresses similar threats to similar technologies employed by their own organization. This is the approach employed by the intelligence community (IC), defense department and civilian agencies of the federal government with their respective information security control frameworks, all of which are now based on the NIST RMF. It is also the approach taken by the HITRUST RMF, which consists of the HITRUST CSF combined with CSF Assurance Program-related documents and tools, such as the HITRUST CSF Assurance Program requirements, HITRUST CSF Assessor requirements, HITRUST CSF assessment methodology, and HITRUST’s comprehensive online tool, MyCSF.
General RMF
Risk management frameworks support a basic 4-step risk management process model:
• Step 1—Identify risks and define protection requirements
• Step 2—Specify controls
• Step 3—Implement and manage controls
• Step 4—Assess and report
Step 1 - Identify Risks and Define Protection Requirements
The objective of this step is to determine the risks to information and information assets that are specific to the organization. Risks can be identified through the analysis of regulations and legislative requirements, breach data for similar organizations in the industry, as well as an analysis of current architectures, technologies and market trends. The end result of this analysis should be a prioritized list of high-risk areas and an overall control strategy to minimize the risk to the organization from the use of sensitive or business critical information in terms of overall impact to the organization.
Figure 4
This step is supported by seven sub-processes, which range from the classification of information assets to the development of specific risk treatments. As indicated previously, this is one of the more problematic aspects of risk analysis that a control-based risk management framework will help an organization address.
Step 2 - Specify Controls
The next step is to determine a set of reasonable and appropriate safeguards an organization should implement to adequately manage information security risk. The end result should be a clear, consistent and detailed or prescriptive set of control recommendations that are customized for the organization.
A control-based risk management framework will provide a comprehensive control catalog derived from the seven sub-processes outlined earlier as well as specific criteria for the selection of a baseline set of controls, which is performed in this step.
Step 3 - Implement and Manage Controls
Controls are implemented through an organization’s normal operational and capital budget and work processes with board-level and senior executive oversight using existing governance structures and processes. A risk management framework will provide guidance and tools for implementation of the framework, including the controls specified earlier in step 2.
Step 4 - Assess and Report
The objective of this last step is to assess the efficacy of implemented controls and the general management of information security against the organization’s baseline. The result of these assessment and reporting activities is a risk model that assesses internal controls and those of business associates based on well-defined risk factors. It should also provide common, easy-to-use tools that address requirements and risk without being burdensome, support third-party review and validation, and provide common reports on risk and compliance.
Summary
Unless skilled personnel and other resources are available to determine a comprehensive set of ‘reasonable and appropriate’ safeguards to provide ‘adequate’ protection for sensitive information, healthcare organizations should leverage existing control and risk management frameworks. This is the same approach used by the federal government, and it is also the approach used by the healthcare industry through HITRUST.
But regardless of the source, a risk management framework is supported by a risk management process, which at a basic level incorporates four distinct steps.
• Step 1—Identify risks and define protection requirements
• Step 2—Specify controls
• Step 3—Implement and manage controls
• Step 4—Assess and report
Although structured on International Standards Organization and International Electrotechnical Committee (ISO/IEC) Standard 27001 and incorporates guidance from ISO/IEC 27002, the HITRUST CSF relies heavily on NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, and integrates other NIST and federal security guidance such as the Centers for Medicaid and Medicare (CMS) Information Systems (IS) Acceptable Risk Safeguards (ARS). As such, the rest of this whitepaper will focus on the NIST and HITRUST risk management frameworks in the context of this four-step process and identify some of the differences between them.
NIST RMF
NIST provides a structured process and a significant amount of guidance to help federal organizations identify and assess risk to their information and information systems and take steps to reduce risk to an acceptable level. This is accomplished through the publication of various NIST SP 800-series documents, Federal Information Processing Standards (FIPS) documents, and Inter-agency Reports (NISTIRs), which help guide federal agencies through a six-step risk management process designed to minimize the risk of harm from the unauthorized access, use, disclosure, disruption, modification or destruction of sensitive information. NIST SP 800-37 Revision 1 outlines the process and provides additional guidance by mapping other NIST documents in the framework to each step of the process.
The six-step NIST risk management process can be mapped to the basic four-step process as follows: Categorize Information System to step 1; Select Security Controls to step 2; Implement Security Controls, Assess Security Controls and Authorize Information System to step 3; and Monitor Security Controls to step 4. (Note, we consider the security assessment performed as part of system authorization to be different from the ongoing assessment and monitoring of security controls post-implementation.)
Step 1 - Identify Risks and Define Protection Requirements
The first step of NIST’s risk management process, Categorize Information Systems, categorizes an information system and the information being processed, stored and transmitted by the system based on the potential impact to the organization should a threat-source successfully exploit a vulnerability. FIPS 199 requires organizations to categorize their information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity and availability. The potential impact values assigned to the respective security objectives are the highest value (high water mark) from among the security categories determined for each type of information processed, stored, or transmitted by the information system(s) considered in scope. Related publications include NIST SP 800-60.
Note for healthcare organizations: although not technically part of the NIST RMF publications, NIST SP 800-66 provides links from the NIST RMF to the HIPAA Security Rule’s implementation specifications. However, the publication doesn’t specify a security categorization for ePHI; this exercise is left to the federal healthcare organization.
Step 2 - Specify Controls
The first step in selecting security controls for the information system is to choose an initial set of baseline security controls from NIST SP 800-53 based on the impact level of the information system as determined by the security categorization performed in step 1. The organization selects one of three sets of baseline security controls from the security control catalog corresponding to the low-impact, moderate-impact, or high-impact rating of the information system. Note, NIST foregoes the traditional security objectives of confidentiality, integrity and availability used in FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, and uses sensitivity and criticality instead. NISTIR 7298r2, Glossary of Key Information Security Terms, defines sensitivity as a “measure of the importance assigned to information by its owner, for the purpose of denoting its need for protection,” and criticality as a “measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function.” For the protection of PHI and systems processing ePHI, HITRUST considers confidentiality (and privacy) requirements an indication of sensitivity, and integrity and availability requirements an indication of criticality.
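As an added example (not code from this paper, from HITRUST or from NIST), the following Python applies the FIPS 199 high water mark rule from Step 1 to a constructed inventory of information types and then selects the initial NIST SP 800-53 baseline as Step 2 describes. The information types, their impact values and the system they belong to are constructed sample data; the one rule taken beyond the text is the FIPS 199 allowance of "not applicable" for the confidentiality of an information type such as public data, with a floor of LOW at the system level.

```python
"""FIPS 199 security categorization and NIST SP 800-53 baseline selection.

Added example, not code from the HITRUST paper or from NIST. The
information types below are constructed sample data.
"""
from dataclasses import dataclass

# Ordering used for the high water mark. FIPS 199 permits "not applicable"
# only for the confidentiality objective of an information type (e.g. public
# data); an information system itself never drops below LOW.
IMPACT_ORDER = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One type of information the system processes, stores or transmits."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for obj in OBJECTIVES:
            level = getattr(self, obj)
            if level not in IMPACT_ORDER:
                raise ValueError(f"{self.name}: unknown impact level {level!r} for {obj}")
            if level == "N/A" and obj != "confidentiality":
                raise ValueError(f"{self.name}: N/A is only allowed for confidentiality")


def high_water_mark(levels):
    """Return the highest impact level among *levels*."""
    return max(levels, key=lambda lvl: IMPACT_ORDER[lvl])


def categorize_system(info_types):
    """FIPS 199 security category of a system: for each objective, the high
    water mark across every information type in scope. A system's objectives
    are never N/A, so the floor is LOW."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    category = {}
    for obj in OBJECTIVES:
        hwm = high_water_mark(getattr(t, obj) for t in info_types)
        category[obj] = "LOW" if hwm == "N/A" else hwm
    return category


def system_impact_level(category):
    """FIPS 200 rule: the overall impact level is the high water mark across
    the three objectives; it picks the SP 800-53 LOW/MODERATE/HIGH baseline."""
    return high_water_mark(category.values())


def select_baseline(info_types):
    """Steps 1 and 2 together: categorize, then choose the initial baseline
    that tailoring (scoping, compensating controls, parameters) starts from."""
    category = categorize_system(info_types)
    level = system_impact_level(category)
    return {"category": category, "baseline": f"SP 800-53 {level} baseline"}


def format_category(category):
    """Render in FIPS 199 notation, e.g.
    SC = {(confidentiality, MODERATE), (integrity, HIGH), (availability, LOW)}."""
    inner = ", ".join(f"({obj}, {lvl})" for obj, lvl in category.items())
    return "SC = {" + inner + "}"


# Constructed sample inventory for a hypothetical patient-portal system.
SAMPLE_SYSTEM = [
    InfoType("patient demographics (ePHI)", "MODERATE", "MODERATE", "LOW"),
    InfoType("clinical results (ePHI)", "MODERATE", "HIGH", "MODERATE"),
    InfoType("public health education pages", "N/A", "LOW", "LOW"),
]

if __name__ == "__main__":
    result = select_baseline(SAMPLE_SYSTEM)
    print(format_category(result["category"]))
    print("Initial baseline:", result["baseline"])
```

A single HIGH for the integrity of clinical results pulls the whole system to the HIGH baseline, which is the reason the paper later stresses tailoring: the baseline is a starting point, not the tailored control set.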
After selecting the initial set of baseline security controls, the organization starts the tailoring process to appropriately modify and more closely align the controls with specific conditions within the organization (i.e., conditions specific to the information system or its environment of operation). The tailoring process includes:
• Applying scoping guidance to the initial baseline security controls to obtain a preliminary set of applicable controls for the tailored baseline;
• Selecting (or specifying) compensating security controls, if needed, to adjust the preliminary set of controls to obtain an equivalent set deemed to be more feasible to implement; and
• Specifying organization-defined parameters in the security controls via explicit assignment and selection statements to complete the definition of the tailored baseline.
Although the security control selection process is generally focused on the information system, NIST states the selection process is also applicable at the organizational and mission/business process levels. General guidance in applying the NIST RMF at these levels may be found in NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View. However, the tailoring process described in NIST SP 800-53 is neither prescriptive nor managed, which does little to guarantee tailoring is performed consistently from one organization to the next or, more often than not, that tailoring is performed at all. Related publications include FIPS 200, Minimum Security Requirements for Federal Information and Information Systems.
Additional guidance for healthcare organizations can be found in NIST SP 800-66, An Introductory Resource Guide for Implementing the [HIPAA] Security Rule, as it addresses key activities for each of the Rule’s standards and implementation specifications, e.g., section 4.1.1 is “Identify Relevant Information Systems,” which supports HIPAA §164.308(a)(1), Security Management Process. An organization may also look up the associated NIST controls and NIST RMF documents referenced in each section for more information. For example, NIST SP 800-66 §4.1.1 maps 164.308(a)(1) to NIST SP 800-53 control RA-1 and crosswalks to the following publications: FIPS 199, NIST SP 800-37, NIST SP 800-39, and NIST SP 800-53, among others. However, it’s up to the organization to parse the references among the nine key activities, as well as read through and apply information from each of the referenced publications.
A healthcare organization can use NIST SP 800-66 to determine all the possible NIST controls that support the implementation specification and come up with additional controls that map to the implementation specifications but are not explicitly provided in the NIST tool-kit. However, it is similarly left to the organization to parse through the NIST SP 800-53 controls and determine the subset of requirements that directly support the HIPAA Security Rule’s implementation specifications.
NIST SP 800-66 also provides some additional tailoring recommendations for healthcare organizations by mapping controls from NIST SP 800-53 to the HIPAA Security Rule’s standards and implementation specifications and describing key activities for each; however, this would only address an organization’s obligations under the Rule. Other controls may be needed to support other legislative, regulatory, industry or best practice requirements.
In addition, there is little if any prescriptive guidance on control selection based on risk factors such as organizational size/capability or assignment of acceptable organization-defined parameters. However, healthcare organizations may refer to the CMS IS ARS for additional guidance on the selection of organization-defined parameters for low-, moderate- and high-level NIST control baselines.
Step 3 - Implement and Manage Controls
NIST provides guidance on various information security controls in an extensive library of NIST SP 800-series, FIPS and NISTIR documents, and provides a guide for selecting documents organized by specific topics such as biometrics (e.g., FIPS 201-1 and NIST SP 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems) and cryptography (e.g., FIPS 198-1, The Keyed-Hash Message Authentication Code) or specific NIST control families such as access control (e.g., FIPS 200 and NIST SP 800-114, User’s Guide to Securing External Devices for Telework or Remote Access) and Contingency Planning (e.g., NIST SP 800-34, Contingency Planning Guide for Federal Information Systems). NIST also provides guidance on capital planning in NIST SP 800-65, Integrating IT Security into the Capital Planning and Investment Control Process, and system development in NIST SP 800-64, Security Considerations in the System Development Life Cycle; however, there is little in the way of specific guidance or tool support on how the NIST control framework can be implemented in industry. Related RMF publications include NIST SP 800-37 and 800-70, National Checklist Program for IT Products: Guidelines for Checklist Users and Developers, among others.
NIST SP 800-66 does not provide information on how to implement or manage security controls in a healthcare environment.
Step 4 - Assess and Report
NIST provides general assessment guidance for the NIST SP 800-53 control catalog in NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans, a technical assessment guidance in NIST SP 800-115, Technical Guide to Information Security Testing and Assessment, and targeted assessment guidance in documents like NISTIR 7316, Assessment of Access Control Systems. NIST also provides a process maturity-based security assessment methodology in NISTIR 7358, Program Review for Information Security Management Assistance (PRISMA). Although not formally incorporated in the NIST RMF, PRISMA provides an intuitive approach to the evaluation of information security controls by considering whether the requirement is specified in policy, supported by formal processes, implemented across the organization, tested to ensure continued effectiveness, and that activities supporting the first four levels are fully integrated with each other and the organization’s control environment. The NISTIR also provides guidance on how to prepare for and execute a PRISMA-based assessment as well as information around the practical application of the formal report. Related RMF publications include NIST SP 800-37.
NISTSP800-66providesspecificquestionsforhealthcareorganizationstoconsiderwhenassessingone’sinformationprotectionprogram,organizedbyHIPAASecurityRulestandardandimplementationspecifica-tion,butprovideslimitedguidanceontheriskassessmentprocessthatcouldhelpaddressrequirementsthatmaynotbedirectlyrelatedtotheHIPAASecurityRulestandardsandimplementationspecifications.
In2011,NISTpublishedtheHIPAASecurityRule“HSR”Toolkit,whichprovides472questionsfor“stan-dard”organizationsand809questionsfor“enterprise”-levelorganizations.NISTalsoreferencesothersourcesforeachquestion:491questionsmaptoNISTSP800-66sectionsaddressingtheHIPAAimple-mentationspecifications,290maptoaspecificNISTSP800-53control,and28arenotmapped.Whileanexcellentresource,NISTcautionsusersthat“theHSRToolkitisnotintendedtomakeanystatementofanorganization’scompliancewiththerequirementsoftheHIPAASecurityRule.”
Andin2014,HHSpublishedtheSecurityRiskAssessment(SRA)tooltohelpsmallandmedium-sizedbusinessesgothroughtheriskanalysisprocess.ThetooldoesamuchbetterjobthantheoriginalOCRAuditProtocolinhelpingorganizationsaddresssalientelementsoftheHIPAASecurityRule’sstandardsandimplementationspecifications;however,questionsarespecifictotheRule’srequirementsandsub-sequentlyhassomeofthesamelimitationsastheNISTHSRToolkit.HHSalsohassimilardisclaimers,stating:
• Use of this tool is neither required by nor guarantees compliance with federal, state or local laws.
• The information presented may not be applicable or appropriate for all healthcare providers and organizations.
• The tool is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks.
Organizations may also leverage the second OCR Audit Protocol published in 2016 to determine high interest areas they should ensure are addressed in their security program, and which should be assessed accordingly. However, organizations must understand that, like all audits, the Protocol is narrowly focused and may not address all the security control requirements that would be implemented by the organization to support its obligations under the HIPAA Security Rule. The audit procedures also focus heavily on policy and process requirements but, unlike the original, provide guidance on specific activities that help address the intent of a particular standard or specification. However, neither the tools nor the audit protocols provide a mechanism to evaluate and score the relevant maturity of the control, compute risk estimates or support risk reporting. This is left for the organization to determine.

Organizations should note that, while the NIST HSR Toolkit, HHS SRA Tool, OCR Audit Protocol and DHS/OCR SRA tool will support HIPAA-specific assessments, they do not necessarily support a more general assessment that includes other legislative, regulatory, industry or best practice requirements that should be addressed by an organization's information protection program, including the provision of third-party assurances about its program to relevant internal and external stakeholders.
Summary

NIST publishes a comprehensive set of controls designed for use by federal agencies, an extensive library of guidance documents for the NIST RMF, and special interest documents on specific information security topics and control areas. NIST also publishes an excellent resource on the implementation of NIST SP 800-53 security controls to satisfy HIPAA requirements. However, private-sector organizations are not subject to all the same legislative and regulatory requirements as a federal healthcare organization (e.g., the Federal Information Security Management Act), nor do they have the same skilled personnel and resources available to support their information security program. It can be difficult for many organizations to adapt the NIST RMF to their specific needs, i.e., to determine what controls are "reasonable and appropriate" for a non-federal organization. In particular, NIST healthcare guidance is focused on compliance with the HIPAA Security Rule and does not specifically address the selection and implementation of controls necessary to satisfy other legislative, regulatory, industry and best practice requirements.

HITRUST was formed to address the growing need and broad desire within the industry for a common framework—a set of common standards and supporting methodologies—that would provide a minimum baseline set of security requirements, tailorable to a specific size and type of organization, which would improve trust as well as mitigate potential liability from breaches of sensitive information. HITRUST believes that improvements in the state of information security and privacy are critical to the broad adoption, utilization and confidence in health information systems, information technologies and electronic exchanges of information. The HITRUST RMF provides a consistent approach to certification, risk acceptance and shared trust through the HITRUST CSF, CSF Assurance Program, and supporting methodologies and tools such as the HITRUST CSF Assessment Methodology and MyCSF.
HITRUST RMF
Step 1 - Identify Risks and Define Protection Requirements

The HITRUST CSF provides a fundamental and holistic change in the way industry manages information security and privacy-related risk by rationalizing relevant regulations and standards into a single overarching framework designed for industry and tailorable to an organization.

Figure 5 is intended to show how various frameworks and standards are mutually reinforcing, can be tailored to an organization's needs, and intelligently applied in the intended environment to help ensure organizations meet business goals while achieving regulatory compliance. It shows that overarching governance frameworks such as COBIT can be integrated with risk management frameworks like the NIST RMF and ISO/IEC 27000-series publications, as well as other frameworks like ITIL for service delivery and ISO 9000 for capability or process maturity. This concept applies to many other standards that an enterprise may wish to adopt. The key is to adopt specific frameworks and standards that meet one's needs, tailor them appropriately and implement them smartly.

Figure 5

HITRUST structured the CSF on the ISO/IEC 27001 control framework and baselined the initial control requirements from NIST SP 800-53 as well as security- and privacy-relevant requirements from legislative, regulatory, industry and best practice guidance such as ISO/IEC 27002, HIPAA, HITECH, CMS, FTC Red Flags, PCI-DSS, ISO 27799 and COBIT. State requirements specific to information security are also integrated into the framework. This allows organizations to leverage a single industry control framework to meet their business objectives and satisfy multiple regulatory and other compliance requirements.

The HITRUST CSF is freely available to qualified organizations through the HITRUST website or by paid subscription to MyCSF for an interactive version tailorable to the subscribing organization.
Step 2 - Specify Controls

Like NIST, HITRUST built the CSF to accommodate multiple control baselines. However, unlike NIST, HITRUST assigns controls using three risk factors: organizational (e.g., holds fewer than 60 million total records), system requirements (e.g., the system stores ePHI, is accessible from the Internet, and processes fewer than 6,750 transactions per day), and regulatory requirements (e.g., subject to FTC Red Flags Rule and PCI-DSS compliance). The result is a semi-custom, industry-specific information security control baseline, i.e. a set of controls that is partially tailored to an organization's clinical, business and compliance requirements, as shown below.

Figure 6

The capability to tailor controls to a specific organization's needs is available in MyCSF. Training on the CSF and the MyCSF assessment support tool is provided to anyone seeking the HITRUST Certified CSF Practitioner (CCSFP) credential.

Step 3 - Implement and Manage Controls

HITRUST trains third-party consulting and assessment firms in the CSF and CSF Assurance Program methodologies and tools so that they may offer CSF implementation support to healthcare provider organizations that lack the capability to implement and assess information security and privacy controls, as recommended by HHS.
HITRUST also recommends the development of an information security and privacy risk management architecture in which strategic planning and information security architecture, policies and standards form the foundation for specific customer-facing information security and privacy services, which should be documented in security and privacy service catalogues consistent with recommendations in the Information Technology Infrastructure Library (ITIL). Examples of these customer-facing services include security operations, incident management and investigations, business continuity and disaster recovery, identity and access management, and education, training and awareness. CSF controls and available resources can then be mapped to each service. The result is the ability to develop operational and capital project plans for defined security services based on deficiencies for specific control requirements identified via risk assessment as well as continuous monitoring activities such as vulnerability assessment, penetration testing, control maturity assessments and incident root cause analysis.
Step 4 - Assess and Report

The HITRUST CSF Assurance Program provides simplified and consistent compliance assessment and reporting against the CSF and the authoritative sources it incorporates. This risk-based approach, which is governed and managed by HITRUST, is designed around the industry's unique regulatory requirements and business needs and provides organizations with an effective, standardized and streamlined assessment process to manage compliance. This solution offers a more effective process than that used by other assessment approaches and toolkits, which support only limited requirements and checkbox approaches to assessment and reporting.

An integral component of the CSF Assurance Program is the HITRUST risk assessment methodology, which is built around the concept of residual risk, i.e., the risk that is left after the controls, which are intended to mitigate risk to a level deemed acceptable by the organization, have been fully implemented. Thus, excessive residual risk occurs when one or more controls are not fully implemented, and it is this risk the organization must strive to minimize in its day-to-day operations.

Since excessive residual risk may be estimated by the risk of a control failure, we must estimate the likelihood the control will fail as well as the impact to the organization when a failure occurs. Some purists might argue that only quantitative assessments provide value; however, in reality, decisions are often made with incomplete information. The reasons are many and varied. For example, there may be a limited amount of time in which to make a decision, or the information simply is not available. In many cases, expert judgment is applied, such as when auditors scope work or make judgments about the effectiveness of financial controls. (Decision making under conditions of uncertainty is a central focus of the body of knowledge known as 'decision theory.')

The level of precision one needs to make a decision may also depend on the type of problem or question being addressed. For example, triage in an emergency room following a natural disaster requires a general level of information. Is the patient breathing or bleeding? Is the injury life threatening? Medical diagnoses, on the other hand, generally require a much more granular level of information to determine if the patient is suffering from one particular disease or another with similar symptoms. However, none of the decisions described are made without some sort of framework or methodology to support the decision-making process.

HITRUST leverages the NIST PRISMA methodology, which incorporates the concept of capability maturity to determine the likelihood of a control failure but expresses the levels in a way that, while roughly equivalent with their Capability Maturity Model Integration (CMMI) counterparts, is much more intuitive for the evaluation of information security, as opposed to the traditional language used around process maturity. HITRUST also leverages the PRISMA quasi-quantitative scoring model to facilitate the assessment process and provide a standardized estimate of the maturity (effectiveness) of a control's implementation.
The other part of the risk equation—the impact of a specific control failure—is often harder to assess than the efficacy of the control implementation, especially in the context of the entire control environment. One way to make this more tractable is to map control-level impacts from, and through, established information security control frameworks to provide a non-contextual estimate of the relative impact of one control failure with respect to another. HITRUST leveraged work done by the DoD to assign non-contextual impact values to individual controls contained in DoD Instruction 8500.2. By mapping through the NIST 800-53 controls to the ISO 27001 information security control clauses, estimates of the relative impact for the failure of each control were obtained. This provides a common point of reference for organizations to use in a contextual analysis, e.g., one that might be performed on a smaller sub-set of controls found deficient in an audit, which is arguably more tractable than trying to determine the impact of all the controls implemented in the environment at the same time. HITRUST believes this approach is justified as it was used extensively by the DoD in its information system security certification and accreditation methodology, when developing a residual risk analysis after a security test and evaluation.

Once estimates are obtained for impact and likelihood, the computation of estimated residual risk is relatively straightforward. However, rather than represent risk in terms of "heat maps," it is possible to present risk to executive management in a more intuitive way. By making adjustments to the PRISMA scoring model and normalizing the risk computations on a scale of zero to 100, excessive residual risk may be represented as academic-style grades. In this model, anything below 60 would be a failing grade (an 'F') and present a severe risk. Similarly, scores from 60 to 70 would represent a high risk (a 'D'), from 70 to 80 a medium risk (a 'C'), from 80 to 90 a low risk (a 'B'), and from 90 to 100 a minimal risk (an 'A'). (In this model, a score of 75 would most likely indicate the organization had policies and procedures in place and the control was fully implemented.) HITRUST essentially interprets a 'C' as the minimum acceptable 'passing grade' for the purpose of certification. Better grades, i.e., better assurances a control is effective and will continue to be effective, are provided through continuous monitoring of the control, i.e., keeping track of how well the control is performing and addressing any deficiencies as they arise.

Although not a true quantitative estimate of the risk, the scores provide sufficient information in a very intuitive way for organizations to make decisions under normal conditions of uncertainty about the relative control-related risks these scores represent.
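The scoring model just described, worked through in Python as an added illustration (this is not HITRUST's or NIST's code, and it is not the MyCSF scoring engine). The five PRISMA maturity levels and the grade bands come from the text above; the per-level weights are an assumption not stated on this page, chosen so that policy, process and full implementation sum to 75, matching the remark that a score of 75 indicates those three levels are in place. The control identifiers and the non-contextual impact values in the sample are constructed, and the treatment of band boundaries (lower bound inclusive) is also an assumption. Likelihood of failure is taken as the complement of the maturity score, so the final ranking shows which deficient controls carry the most excess residual risk, which is the contextual analysis of an audit's deficient sub-set that the text recommends.

```python
"""Added example (not HITRUST's or NIST's code): PRISMA-style maturity scoring,
academic-style grades and a residual-risk ranking of deficient controls."""
from dataclasses import dataclass

# The five PRISMA maturity levels named in the text (policy, process,
# implemented, tested/measured, managed/integrated). The weights are ASSUMED
# for this example; the page does not give them. They are chosen so that
# policy + process + implemented = 75, matching the text's remark about 75.
LEVEL_WEIGHTS = {
    "policy": 15,
    "process": 20,
    "implemented": 40,
    "measured": 10,
    "managed": 15,
}

# Grade bands from the text: below 60 fails (severe), 60-70 'D' (high),
# 70-80 'C' (medium), 80-90 'B' (low), 90-100 'A' (minimal). The page does not
# say which band owns a boundary value; lower bounds are inclusive here (assumed).
GRADE_BANDS = [
    (90, "A", "minimal"),
    (80, "B", "low"),
    (70, "C", "medium"),
    (60, "D", "high"),
    (0, "F", "severe"),
]
GRADE_ORDER = "ABCDF"
PASSING_GRADE = "C"  # the text: a 'C' is the minimum passing grade for certification


def maturity_score(levels: dict[str, float]) -> float:
    """Weighted 0-100 maturity score.

    `levels` maps a PRISMA level name to the fraction (0.0-1.0) of the
    requirement satisfied at that level; unlisted levels count as 0.
    """
    for name, frac in levels.items():
        if name not in LEVEL_WEIGHTS:
            raise ValueError(f"unknown maturity level: {name}")
        if not 0.0 <= frac <= 1.0:
            raise ValueError(f"{name}: fraction {frac} outside [0, 1]")
    return sum(w * levels.get(name, 0.0) for name, w in LEVEL_WEIGHTS.items())


def grade(score: float) -> tuple[str, str]:
    """Map a 0-100 score to (letter, risk level) using GRADE_BANDS."""
    if not 0.0 <= score <= 100.0:
        raise ValueError(f"score {score} outside 0-100")
    for floor, letter, risk in GRADE_BANDS:
        if score >= floor:
            return letter, risk
    raise AssertionError("unreachable: the 'F' band has floor 0")


def passes(score: float) -> bool:
    """True when the grade is at least the minimum passing grade."""
    letter, _ = grade(score)
    return GRADE_ORDER.index(letter) <= GRADE_ORDER.index(PASSING_GRADE)


@dataclass
class Control:
    control_id: str            # constructed label, not a real CSF control id
    impact: float              # non-contextual relative impact, 0.0-1.0 (constructed)
    levels: dict[str, float]   # per-level compliance fractions


def excess_residual_risk(score: float, impact: float) -> float:
    """Likelihood of failure is taken as (100 - score)/100; risk = likelihood x impact."""
    return round((100.0 - score) / 100.0 * impact, 3)


def rank_by_residual_risk(controls: list[Control]) -> list[dict]:
    """Score every control and sort by excess residual risk, highest first,
    so remediation effort goes to the weakest high-impact controls."""
    rows = []
    for c in controls:
        s = maturity_score(c.levels)
        letter, risk = grade(s)
        rows.append({"id": c.control_id, "score": s, "grade": letter,
                     "risk": risk, "passes": passes(s),
                     "residual": excess_residual_risk(s, c.impact)})
    rows.sort(key=lambda r: r["residual"], reverse=True)
    return rows


# Constructed sample: three controls at different maturity levels.
SAMPLE_CONTROLS = [
    # policy and procedures exist, but only half of the systems are covered
    Control("CTRL-A", 0.9, {"policy": 1.0, "process": 1.0, "implemented": 0.5}),
    # fully implemented, measured and managed
    Control("CTRL-B", 0.3, {"policy": 1.0, "process": 1.0, "implemented": 1.0,
                            "measured": 1.0, "managed": 1.0}),
    # implemented and tested, but the written procedure is incomplete
    Control("CTRL-C", 0.6, {"policy": 1.0, "process": 0.5, "implemented": 1.0,
                            "measured": 1.0}),
]

if __name__ == "__main__":
    for row in rank_by_residual_risk(SAMPLE_CONTROLS):
        print(f"{row['id']} score={row['score']:5.1f} grade={row['grade']} "
              f"risk={row['risk']} passes={row['passes']} residual={row['residual']}")
```

Running the sample ranks CTRL-A first: it has the policy and process in place but is only half implemented, so it scores 55 (an 'F') against the highest impact, whereas CTRL-C reaches the passing 'C' at 75 and CTRL-B, fully managed, carries no excess residual risk. Replacing the assumed weights with an organization's actual scoring rubric is the only change needed to use the same ranking on real assessment data.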
A graphical representation of the control objectives and the control categories they support (such as the one that follows in Figure 7) can be provided for specific systems and/or business units within an organization. In the case of a healthcare entity, this could be an electronic health record system, organizations such as single hospitals within a health system, or common departments within health systems such as emergency rooms or pharmacies. These scores can also be used for internal and industry-level benchmarking.

HITRUST CSF assessments are now supported by a fully integrated, optimized, and user-friendly tool which marries the content and methodologies of the CSF and CSF Assurance Program with the technology and capabilities of a governance, risk and compliance (GRC) tool. MyCSF provides healthcare organizations of all types and sizes with a secure, Web-based solution for accessing the CSF, performing assessments, managing remediation activities, and reporting and tracking compliance. MyCSF is also managed and supported by HITRUST, providing organizations with up-to-date content, accurate and consistent scoring, reports validated by HITRUST and benchmarking data available nowhere else within the industry, thus going far beyond what a traditional GRC tool provides.
Figure 7
The CSF Assurance Program enables trust in health information protection through an efficient and manageable approach by identifying incremental steps for an organization to take on the path to becoming HITRUST CSF Validated or CSF Certified.

The comprehensiveness of the security requirements specified for an assessed entity is based on the multiple levels within the HITRUST CSF, which are determined by its risk factors. The level of assurance for the overall assessment of the entity is based on multiple tiers or levels of assessment, from self-assessment questionnaires to on-site analysis/testing performed by an independent CSF Assessor. The results of the assessment are documented in a standard report with a compliance scorecard and remediation activities tracked in a corrective action plan (CAP). Once vetted by HITRUST and performed for all levels of assurance, the assessed entity can use the assessment results to report to external parties in lieu of existing security requirements and processes, saving time and minimizing costs.
The following diagram outlines the relationship between the comprehensiveness of an assessment and the level of assurance provided by the assessment for organizations of varying complexity, based on the risk of the third-party relationship as determined by the relying organization:

Figure 8

A HITRUST CSF assessment allows an organization to communicate to relying entities its compliance with the CSF and, optionally, with other requirements such as HIPAA. HITRUST reviews the assessment results and CAPs to provide added assurance to those external entities relying on the assessed entity's results. And the HITRUST CSF Assurance Program effectively establishes trust in information protection through an achievable assessment and reporting path for organizations of all sizes, complexities and risks.
Summary

HITRUST integrated multiple international, federal and industry frameworks and best practice standards, adapted them to the healthcare environment, and provided an industry standard of due diligence and due care that can be tailored to an individual organization based upon its specific business requirements. The HITRUST CSF and CSF Assurance Program provide organizations with a single approach to assessment and reporting against these multiple requirements, and both are updated at least annually to account for changes in legislation, regulation, standards, guidance and best practices, such as with the release of NIST SP 800-53 revision 4 and the NIST Cybersecurity Framework. Further, all changes to the HITRUST CSF are provided to the industry for review and comment to ensure an open and transparent framework that is freely available to qualified organizations that wish to use it.

Conclusion

The only thing constant about information security and privacy is change. New regulations, standards, guidance and tools continue to complicate the landscape, and organizations are left to determine how best to achieve compliance and provide an 'adequate' level of protection.

Healthcare organizations often do not have the skilled personnel or resources to develop a custom set of 'reasonable and appropriate' safeguards and choose to adopt and adapt external information security control and risk management frameworks. But even this can be difficult for many organizations to do. So, rather than independently performing the work of integrating multiple international, federal and industry frameworks and best practice standards and then adapting them to their specific organization, HITRUST was formed to perform this work on behalf of the industry and establish a standard of due diligence and due care that can be tailored to an individual organization based upon their specific business requirements—the HITRUST CSF.
The HITRUST CSF Assurance Program also provides organizations a single approach to assessment and reporting against these multiple requirements, and both the CSF and CSF Assurance Program are updated at least annually to account for changes in legislation, regulation, standards, guidance and best practices, such as with the 2014 release of the NIST Cybersecurity Framework. Further, all changes to the CSF are provided to the industry for review and comment, ensuring transparency and openness. And HITRUST provides the CSF free to qualified healthcare organizations that wish to implement the framework.
Given that the CSF is an integrated, harmonized, healthcare-centric, transparent, prescriptive, tailorable, scalable and certifiable framework that provides a common mechanism for the sharing of risk information, why hasn't it been adopted by 100 percent of healthcare organizations? Unfortunately, many organizations have not yet come to terms with the level of due diligence and due care required to safeguard ePHI and meet regulatory compliance requirements.

For example, the NIST HSR toolkit appeals to some organizations because it provides a "check-the-box" approach to addressing specific safeguards; however, they often fail to dig deeper into the references to determine what is actually "in the box" they are checking. They may stop with the results of this control gap analysis and fail to fully evaluate the likelihood and impact components necessary to complete the risk analysis. Other organizations may go even further and rely on the OCR Audit Protocol to satisfy their HIPAA risk analysis requirements without realizing the protocol is incomplete; it doesn't address every implementation specification in the Security Rule and does not integrate well with the NIST HSR Toolkit or the NIST RMF. The focus is on "passing" an audit rather than on the spirit and intent of their compliance requirements. The HITRUST CSF, on the other hand, is tightly integrated with the CSF Assurance Program and MyCSF.

Fortunately, most of the industry understands the need to provide 'reasonable and appropriate' safeguards and satisfy their regulatory obligation to provide 'adequate' protection, which is why the HITRUST CSF is demonstrably the de facto standard in the healthcare industry. The 2018 Healthcare Information and Management Systems Society (HIMSS) Cybersecurity Survey indicates the HITRUST CSF is the leading information security control framework in healthcare, and the NIST Interagency Report on the Status of International Cybersecurity Standardization for the Internet of Things (IoT) recognizes the HITRUST CSF as an industry-led security standard that addresses multiple areas of concern with the use of IoT devices. The Government Accountability Office (GAO) Report to Congressional Committees on Critical Infrastructure Protection also cites the HITRUST CSF as a means of demonstrating compliance with the NIST Cybersecurity Framework in the HPH sector, as demonstrated in the Healthcare Sector Cybersecurity Implementation Guide—a document produced under the auspices of the Critical Infrastructure Protection Advisory Council (CIPAC).

For those that have not yet fully adopted the HITRUST CSF, many are left with the task of choosing, adapting and implementing an existing information security control framework. Even those that have decided to fully adopt the CSF can sometimes struggle with its implementation. This is why HITRUST continues to develop and publish guidance and tools like the CSF assessment methodology and MyCSF as part of an overall risk management framework to help organizations implement and manage 'reasonable and appropriate' safeguards that demonstrate the level of due care and due diligence required to ensure 'adequate' protection of the sensitive information with which they are entrusted.

So, when HITRUST is asked how new regulations, standards, guidance and tools affect the value of the CSF and CSF-related tools, the answer is simple. The CSF, CSF Assurance Program and related methodologies and tools that make up the HITRUST RMF are needed more now than ever before.
About HITRUST

Founded in 2007, HITRUST Alliance is a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain. In collaboration with privacy, information security and risk management leaders from both the public and private sectors, HITRUST develops, maintains and provides broad access to its widely adopted common risk and compliance management and de-identification frameworks; related assessment and assurance methodologies; and initiatives advancing cyber sharing, analysis and resilience.

HITRUST actively participates in many efforts in government advocacy, community building and cybersecurity education.

HITRUST is led by a seasoned management team and governed by a Board of Directors made up of leaders from across the healthcare industry and its supporters. These leaders represent the governance of the organization, but other founders also comprise the leadership to ensure the framework meets the short- and long-term needs of the entire industry.

For more information, visit www.HITRUSTalliance.net.

MyCSF

MyCSF is a fully integrated, optimized, and powerful tool that marries the content and methodologies of the HITRUST CSF and CSF Assurance Program with the technology and capabilities of a governance, risk and compliance (GRC) tool. The user-friendly MyCSF tool provides healthcare organizations of all types and sizes with a secure, Web-based solution for accessing the CSF, performing assessments, managing remediation activities, and reporting and tracking compliance. Managed and supported by HITRUST, MyCSF provides organizations with up-to-date content, accurate and consistent scoring, reports validated by HITRUST and benchmarking data unavailable anywhere else in the industry, thus going far beyond what a traditional GRC tool can provide. For more information, visit www.hitrustalliance.net/MyCSF.
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net