Page 1

HITRUST FRAMEWORK – A PRACTICAL TOOL FOR YOUR INFORMATION SECURITY RELATED AUDITS

Johan Lidros, CISA, CISM, CGEIT, CRISC, ITIL-F, HITRUST CCSFP
President, Eminere Group

AHIA 31st Annual Conference – August 26-29, 2012 – Philadelphia, PA
www.ahia.org

Page 2

Contents

Introduction
IT Governance Perspective
IT & Information Security Standards
HITRUST Overview
Case Study

2012 AHIA Annual Conference - www.ahia.org

Page 3

Objectives

Understanding of tools to enable effective and efficient Information Security Governance.
Knowledge about current IT and Information Security standards.
Knowledge about specific healthcare security standards.
Understanding of the HITRUST framework.
Understanding of how to utilize the framework for information security audits.

Page 4

Healthcare IT Security Characteristics

Diversified IT environment
Medical devices and IT systems coming together
Meaningful use and HIE are changing the IT environment
Many regulatory requirements
Immature IT/Information Security
Constantly new and changing information security threats/risks

Page 5

IT Security Changes…

HIPAA security status

Meaningful use requirements – IT security risk analysis, Stage 1: The CMS Meaningful Use core measure Number Fourteen requires that an eligible provider "Conduct or review a security risk analysis and correct identified security deficiencies as per 45 CFR 164.308" (HIPAA Security Rule). The scope of this risk assessment is limited to the Electronic Health Record application and is only applicable when applying for the associated incentives under this program.

HITECH security requirements
  Breach notification
  Audits
  Business associates
  Etc.

Page 6

IT Security Changes… Audits – Regulatory Oversight

"The Department of Health and Human Services recently awarded a $9.2 million contract to the consulting firm KPMG to launch the audit program as mandated by the HITECH Act."

Three phases:
  Phase 1: Creation of a comprehensive set of protocols for how audits will be conducted and what measures will be used to measure compliance.
  Phase 2: Pilot audits, "maybe 20, in order to field test ... the protocols that have been developed."
  Phase 3: Finalize formal program for as many as 150 on-site audits; will continue through the end of 2012. Audits will continue in 2013.

Other requirements
  PCI
  State requirements
  Etc.

Page 7

Unexpected Downtime

Gartner*:
  40% by operational errors
  40% by application errors (most often misconfigurations)
  20% by actual platform errors (network, operating systems or hardware)

Stress the need for policies and procedures: "Manage the process, not the technology"*

Page 8

GRC

G – Governance (Corporate Governance)
R – Risk (Enterprise Risk Management)
C – Compliance

IT Governance
Information Security Governance

Page 9

Shift the IT Security Perspective

Area          From                 To
Scope:        Technical problem    Enterprise problem
Ownership:    IT                   Enterprise
Funding:      Expense              Investment
Goal:         IT security          Enterprise continuity/resilience
Application:  Platform/practice    Process
Approach:     Ad hoc               Managed & Strategic

Page 10

IT Security Risk Management – Success Criteria

Security strategies should be driven by business risks, not just technical risks
Security strategies need clear goals and should be measured on a regular basis
Security should be process driven
Well trained personnel – the "best control"
Do not invent the wheel again – use accepted standards

(Diagram: Risks, Cost, Processes, Controls/Security Framework)

Page 11

Contents (agenda slide repeated, with Q&A added; see Page 2)

Page 12

Enterprise Governance

"… is a set of responsibilities and practices exercised by the board and executive management with the goal of
  Providing strategic direction
  Ensuring that objectives are achieved
  Ascertaining that risks are managed appropriately
  Verifying that the enterprise's resources are used responsibly"

"… is about
  Conformance: adhering to legislation, internal policies, audit requirements, etc.
  Performance: improving profitability, efficiency, effectiveness, growth, etc."

Page 13

What is IT Governance?

IT governance is a subset of enterprise governance.

"Governance of IT encompasses several initiatives for board members and executive management. They must be aware of the role and impact of IT on the enterprise, define constraints within which IT professionals should operate, measure performance, understand risk and obtain assurance."

IT Governance Institute

Page 14

Balance of IT Governance Goals

The board must direct the balance between conformance and performance goals.

Page 15

IT Governance Areas – IT Security Governance

IT security is a critical and integrated part of the five IT governance areas as defined by the IT Governance Institute.

Process Maturity Rating
  0 Non-existent: The process (control/procedures) does not exist.
  1 Initial/Ad hoc: The process is informal, undocumented and reactive.
  2 Repeatable: The process is repeatable but may be applied inconsistently as needed.
  3 Defined: The process is documented and communicated.
  4 Managed: The process is implemented and measurable.
  5 Optimizing: Managed process with continuous performance improvements utilizing best practices.
  N/A Not Applicable: The process is not applicable to the review or has not been reviewed for other reasons.

Page 16

Value of IT Governance

Sources:
  "How the Masters of IT Deliver More Value and Less Risk" – IT Policy Compliance Group, December 2010
  "How High Performance Organizations Manage IT" – IT Policy Compliance Group, April 2011

Page 17

Value of IT Governance

Mature IT governance has a strong business value that improves the organization's performance. The most mature organizations show:
  7% higher profit margins than average
  7-8% higher customer/patient satisfaction and retention than average
  Less than half in regulatory compliance spending

Page 18

Profile – Masters of IT: Practices of Best Performers

Revenue and profits that are 75 percent higher than industry peers
Customer retention rates that are 50 percent higher than industry peers
Spending on IT budgets that is 30 percent higher than industry peers
Spending on information security that is 37 percent higher than peers
Business disruptions that are 100 percent lower than industry peers
Data loss or theft incidents that are 75 percent lower than industry peers
Audit deficiencies that are 65 percent less than industry peers

Page 19

Best Performers – Masters of IT

IT Balanced Scorecards that are linked to business Balanced Scorecards
Ongoing IT portfolio revision for effective management of asset use, growth strategy, value and risk
Strategic IT maps that align value and risk between the business of the enterprise and IT
Standardization on COBIT, ISO and CIS benchmarks to preserve value, manage controls and mitigate risk

Page 20

Best Performers – Masters of IT

Electronic systems of record in IT GRC systems for values, policies, controls, risks, assets and regulatory mandates
Automation of key procedures to manage value and risk
Daily, weekly and bi-monthly assessments to manage value and risk
Dashboards, scorecards and reporting focused on operating units, business units, business functions, regulatory mandates, across silos and people

Page 21

IT Governance

"You cannot manage what you cannot measure."

Page 22

Roles and Responsibilities

Major/Main Responsibilities:
  Board – Strategic Direction
  CEO – Delivery of Strategy
  CIO – Implementation of Strategy

(Table columns: Performance Measurement, Resource Management, Risk Management, Accountability; the per-role cell markings are not legible here.)

Page 23

Roles/Responsibilities

ACCOUNTABILITY: Accountability applies to those who own the required resources and have the authority to approve the execution and/or accept the outcome of an activity within specific Risk IT processes.

RESPONSIBILITY: Responsibility belongs to those who must ensure that the activities are completed successfully.

Legend of the table:
  When a cell is green, the role carries responsibility and/or partial accountability for the process.
  When a cell is red, the role carries main accountability for the process. Only one role can be the main accountable for a given process.

Page 24

Responsibilities & Accountability (table; content not legible here)

Page 25

IT Governance Architecture (adapted from ITGI, 2007, p. 12)

Drivers:
  PERFORMANCE: Business Goals
  CONFORMANCE: HIPAA, PCI, etc.
Enterprise Governance: COSO, Balanced Scorecards
IT Governance: COBIT (Best Practice Standards), RISK IT (IT Risk)
Processes and Procedures:
  IT Risk Management – RISK IT
  IT Service Management – ITIL
  Security/Risk Principles – ISO27000/HITRUST
  Project Management – PMI
  System Development – CMMi

Page 26

Contents (agenda slide repeated; see Page 2)

Page 27

ISACA 2010 IT Governance Global Study

Well-known frameworks and solutions. (Chart: selected IT governance frameworks)

Page 28

IT Governance Framework

(Chart positioning COSO, COBIT, ISO 9000, NIST and ITIL on two axes: WHAT vs. HOW, and SCOPE OF COVERAGE)

Page 29

IT, IT Security Standards & Reference Tools

IT: COBIT, RISK IT, ITIL, Unified Compliance Framework
Information Security: ISO 27000 series, BITS, NIST, HITRUST

Page 30

COBIT 5

Evolution of scope: Audit → Control → Management → IT Governance → Governance of Enterprise IT
Timeline: COBIT 1 (1996), COBIT 2 (1998), COBIT 3 (2000), COBIT 4.0/4.1 (2005/7), COBIT 5 (2012); Val IT 2.0 (2008); Risk IT (2009)

A business framework from ISACA, at www.isaca.org/cobit

Page 31

COBIT 5 (figure)

Page 32

COBIT Principles and Enablers – COBIT 5 Enterprise Enablers (figure)

Page 33

COBIT – Principle 5 (figure)

Page 34

COBIT 5 Processes (figure)

Page 35

COBIT 5 – Information Security

Business Model for Information Security (BMIS)

The focus on the information security management system (ISMS) in the Align, Plan and Organize (APO) management domain, APO13 Manage security, establishes the prominence of information security within the COBIT 5 process framework.

Page 36

Enterprise Risk Management – RISK IT

Enterprise Risk: Strategic Risk, Environmental Risk, Market Risk, Credit Risk, Operational Risk, Compliance Risk

IT-related Risk:
  IT Benefit/Value Enablement Risk
    • Technology enabler for new business initiatives
    • Technology enabler for efficient operations
    • …
  IT Program and Project Delivery Risk
    • Project relevance
    • Project quality
    • Projects overrun
    • …
  IT Operations and Service Delivery Risk
    • IT service interruptions
    • Security issues
    • Compliance issues
    • …

Page 37

Risk to Controls (figure)

Page 38

What is ITIL

ITIL is a set of books
Documents best practices for IT services
Considered de facto standard
Creates a framework for IT Service Management – how you respond to customer needs
Developed in the late 1980s by the Office of Government Commerce in the UK
Incorporates both public and private sector best practices
V2 currently in widespread use
V3 is here, but not fully adopted yet

Page 39

ISO 27000 Series

ISO/IEC 27000 – introduction to the family of standards plus a glossary of common terms (published in 2009)
ISO/IEC 27001 – standard for the establishment, implementation, control and improvement of the Information Security Management System
ISO/IEC 27002 – code of practice
ISO/IEC 27003 – Information security management system implementation guidance
ISO/IEC 27004 – standard on information security management measurements (security metrics) (published at the end of 2009)
ISO/IEC 27005 – designed to assist the satisfactory implementation of information security based on a risk management approach
ISO/IEC 27006 – a guide to the certification/registration process (published in 2007)
ISO 27011 – information security management guidelines for the telecommunications industry
ISO/IEC 27031 – Guidelines for information and communications technology readiness for business continuity
ISO/IEC 27033 – Network security overview and concepts
ISO/IEC 27035 – Security incident management
ISO 27799 – Information Security Management – Healthcare

Page 40

ISO 27000 – in the works

ISO/IEC 27007 – Guidelines for information security management systems auditing (focused on the management system)
ISO/IEC 27008 – Guidance for auditors on ISMS controls (focused on the information security controls)
ISO/IEC 27013 – Guideline on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001
ISO/IEC 27014 – Information security governance framework
ISO/IEC 27015 – Information security management guidelines for the finance and insurance sectors
ISO/IEC 27032 – Guideline for cybersecurity (essentially, 'being a good neighbor' on the Internet)
ISO/IEC 27033 – IT network security, a multi-part standard based on ISO/IEC 18028:2006 (part 1 is published already)
ISO/IEC 27034 – Guideline for application security
ISO/IEC 27036 – Guidelines for security of outsourcing
ISO/IEC 27037 – Guidelines for identification, collection and/or acquisition and preservation of digital evidence

Page 41

BITS

Risk management
Information security policy
Organization of information security
Asset management
Human resources security
Physical and environmental security
Communications and operations management
Access control
Information systems acquisition, development and maintenance
Incident and event management
Business continuity management
Compliance
Privacy

Financial regulation as well as ISO27002, PCI, COBIT
Expanding into other industries including Healthcare

Page 42

Contents (agenda slide repeated; see Page 2)

Page 43

Information Security Challenges – Healthcare

Different regulatory requirements
  Not integrated with existing common/best practices (ISO etc.)
  Changing frequently
  Regional differences
Historically no healthcare-specific common practices (except 27799)
Regulatory requirements not specific in several areas
Auditors use different ratings of "acceptable"
Departments using different frameworks to measure, assess, design and implement information security
  Audit (COSO, COBIT)
  IT (ITIL, NIST, CMMi etc.)
  Finance (IFAC)
  Clinical (Joint Commission, etc.)
Diversified IT environment
  Tool complexity
  Increased cost for security/compliance
ASP/Cloud computing/outsourcing increasing
  Different terminology and risk acceptance
  SAS70 reports not sufficient from an information security perspective
Historically a lack of tools to manage all the requirements with policies, common practices etc.

Page 44

HITRUST Introduction

During 2008, the industry collaborated and came together in support of HITRUST to develop the Common Security Framework (CSF). The goal was a framework that was:
  Prescriptive, certifiable, and scalable based on complexity and risk
  Leverages existing standards and best practices, including:
    ISO 27001, 27002 and 27799
    NIST 800-53 and 800-66
    Health Insurance Portability and Accountability Act (HIPAA)
    COBIT
    PCI Data Security Standard (PCI DSS)
    Federal and state regulations

Page 45

HITRUST Common Security Framework – Information Security Implementation Manual

Standards and materials leveraged:
  HITRUST member experience
  NIST 800 Series
  U.S. Healthcare Industry Implementation Standards
  Health Informatics – ISO 27799
  Others: FTC Red Flags, Joint Commission, EHNAC & HITSP, CMS

Components:
  Control Objectives – Primary Ref: ISO/IEC 27002:2005 & ISO/IEC 27001:2008
  Application/System Configuration Packs
  Standards and Regulations Cross Reference Matrix (columns HITRUST, NIST, COBIT, HIPAA; rows Cntrl 1, Cntrl 2, Cntrl 3 with an X where a control maps)
  Compliance Reporting System
  Self Assessment Process
  Certification Process
  Ongoing Enhancements

Page 46

Existing Standards and Regulation Coverage (figure)

Page 47

Existing Standards and Regulation Coverage (figure, continued)

Page 48

Common Security Framework (CSF) – Key Values

Prescriptive to ensure clarity (requirements and audit)
Certifiable to enable common understanding and acceptance
Scales according to type, size, and complexity of an organization
Addresses business specific requirements for each segment of the industry. These segments include:
  Health plan, PBM, provider
  Pharmacy, pharmaceutical manufacturer
  Data exchange and clearing house
Risk-based approach to ensure organizations adopt the appropriate level of controls. This includes:
  Risk contributing factors – elements that drive risk in an organization
  Multiple levels of implementation requirements determined by risks and thresholds
Flexible to allow for circumstances where alternate controls must be utilized
  Alternate Control process
Leverages existing globally recognized standards and avoids introducing additional redundancy and ambiguity into the industry
On-going maintenance to address changes in regulatory requirements and common security standards

Page 49

ISO 27002 Security Domains/Areas – ISO27002 Information Security Program Maturity

Maturity metric: 0 = Non existent; 1 = Initial/ad-hoc; 2 = Repeatable but intuitive; 3 = Defined process; 4 = Managed and Measurable; 5 = Optimized

(Chart: each area rated 0 to 5 against a marked Minimum Level)

Areas:
  Risk Assessment
  Security policy
  Security organization
  Asset classification
  HR security
  Physical and environmental security
  Communications and operations management
  Access control
  Acquisition, systems development and maintenance
  Business continuity management
  Incident Management
  Compliance

Page 50

Maturity Levels 1-5 (figure)

Page 51

Levels – Type of Organization

Level 1
  BioTech Organizations: < $100,000 Spend on Research and Development Per Year
  Pharmacy Companies: < 10,000,000 Prescriptions Per Year
  Third Party Processor: < 10,000,000 Records Processed Per Year
  Physician Practice: < 60,000 Visits Per Year
  Medical Facilities / Hospital: < 1,000 Licensed Beds
  Health Plan / Insurance: < 1,000,000 Covered Lives
  IT Service Providers (Vendors): < 500 Employees

Level 2
  BioTech Organizations: > $100,000 Spend on Research and Development Per Year
  Pharmacy Companies: > 10,000,000 Prescriptions Per Year
  Third Party Processor: > 10,000,000 Records Processed Per Year
  Physician Practice: > 60,000 Visits Per Year
  Medical Facilities / Hospital: > 1,000 Licensed Beds
  Health Plan / Insurance: > 1,000,000 Covered Lives
  IT Service Providers (Vendors): > 500 Employees

Level 3
  BioTech Organizations: > $200,000,000 Spend on Research and Development Per Year
  Pharmacy Companies: > 70,000,000 Prescriptions Per Year
  Third Party Processor: > 60,000,000 Records Processed Per Year
  Physician Practice: > 180,000 Visits Per Year
  Medical Facilities / Hospital: > 10,000 Licensed Beds
  Health Plan / Insurance: > 7,500,000 Covered Lives
  IT Service Providers (Vendors): > 2,500 Employees

Page 52

System Levels

Level 1
  Processing PHI: No - AND -
  Accessible from the Internet: No
  Exchanges Data with a Business Partner: No
  Third Party Support: No
  Publicly Accessible: No
  Number of Interfaces to Other Systems: < 25

Level 2
  Processing PHI: Yes - AND -
  Accessible from the Internet: Yes
  Exchanges Data with a Business Partner: Yes
  Third Party Support: Yes
  Publicly Accessible: Yes
  Number of Interfaces to Other Systems: > 25

Level 3
  Processing PHI: Yes - AND -
  Accessible from the Internet: Yes
  Number of Users: > 5,500
  Third Party Support: Yes
  Number of Interfaces to Other Systems: > 75

Organization Profile & Risks

| Determining Factor | Sample provider |
|---|---|
| Number of employees | 15,000+ |
| Volume of business – number of beds | 950 |
| Volume of business – number of visits/year | 921,000 |
| Number of applications | 170 |

Organization Domain Risk Profile

| Control Category | Implementation Requirement (Level 1 / Level 2 / Level 3) |
|---|---|
| 0 – Information Security Management System | X |
| 2 – Human Resources Security | X |
| 3 – Risk Assessment | X |
| 4 – Security Policy | X |
| 5 – Organization of Information Security | X |
| 6 – Compliance | X |
| 7 – Asset Management | X |
| 8 – Physical and Environmental Security | X |


Systems Profile and Risks

| System Name | ePHI | Internet Access | Third Party Connectivity | Users | Transactions | Operating System |
|---|---|---|---|---|---|---|
| HIM | Yes | No | Yes | 12,000+ | 100,000/day | Windows 2000 |
| MRI (Medical Device) | Yes | No | Yes | 150 | 720/day | Windows 2000 |
| Desktops | Yes | Yes | No | 15,000+ | N/A | Windows XP |
| *Financial System | No | No | No | 200 | 2,500/day | Windows 2003 |
| *Email | Yes | Yes | No | 5,000+ | 150,000/day | Windows 2003 |
| Data Warehouse | Yes | No | No | 15 | 100,000/day | Windows 2000 |
| Physician Portal | Yes | Yes | Yes | 200 | 3,000/day | Unix |

Note that Windows 2000 left Microsoft extended support in July 2010, so at the time of this deck (2012) the HIM, MRI and Data Warehouse hosts handling ePHI were no longer receiving security updates; the operating system column feeds directly into the risk profile.
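The two scoping slides above (System Levels and Systems Profile) are easier to reason about when the criteria are executed rather than read. The following is an added example, not code from the deck or from HITRUST: it encodes the system-level rules exactly as the System Levels slide states them (all factors in a column joined with AND) and applies them to a constructed sample built from the systems profile table. The ePHI, Internet access, third-party and user columns are taken from that table (third-party connectivity is mapped onto the slide's "Third Party Support" factor, an assumption); the interface counts, business-partner exchange and public-accessibility values are assumed, since the profile table does not list them. A system that satisfies none of the three conjunctions is reported as undetermined, which is how a scoping exercise surfaces the cases the stated criteria do not decide.

```python
"""Classify systems into the HITRUST CSF system implementation levels as
stated on the System Levels slide.  Added example, not code from the deck
or from HITRUST.  Interface counts, business-partner exchange, public
accessibility and the third-party mapping for the sample systems are
assumptions; the systems profile slide does not list them."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SystemProfile:
    name: str
    processes_phi: bool
    internet_accessible: bool
    exchanges_with_business_partner: bool
    third_party_support: bool
    publicly_accessible: bool
    users: int
    interfaces: int


def system_level(s: SystemProfile) -> Optional[int]:
    """Return 1, 2 or 3 per the slide's criteria, or None if no rule matches.

    Rules are evaluated from the most demanding level downward, so a system
    that satisfies Level 3 is never reported as Level 2.  Each rule is the
    AND of every factor the slide lists for that level."""
    if (s.processes_phi and s.internet_accessible and s.users > 5500
            and s.third_party_support and s.interfaces > 75):
        return 3
    if (s.processes_phi and s.internet_accessible
            and s.exchanges_with_business_partner and s.third_party_support
            and s.publicly_accessible and s.interfaces > 25):
        return 2
    if (not s.processes_phi and not s.internet_accessible
            and not s.exchanges_with_business_partner
            and not s.third_party_support and not s.publicly_accessible
            and s.interfaces < 25):
        return 1
    return None


# Constructed sample.  Columns 2-5 follow the systems profile slide (ePHI,
# Internet access, third-party connectivity used as "third party support",
# users); business-partner exchange, public access and interface counts
# are assumed values.
SAMPLE_SYSTEMS: List[SystemProfile] = [
    SystemProfile("HIM", True, False, True, True, False, 12000, 40),
    SystemProfile("Desktops", True, True, False, False, False, 15000, 5),
    SystemProfile("Financial System", False, False, False, False, False, 200, 10),
    SystemProfile("Physician Portal", True, True, True, True, True, 200, 30),
]


def classify_all(systems: List[SystemProfile] = SAMPLE_SYSTEMS) -> Dict[str, Optional[int]]:
    """Map each system name to its level (None = criteria do not decide)."""
    return {s.name: system_level(s) for s in systems}


def gaps(systems: List[SystemProfile] = SAMPLE_SYSTEMS) -> List[str]:
    """Systems the stated rules do not place; these need an explicit
    scoping decision before the implementation requirements can be set."""
    return [s.name for s in systems if system_level(s) is None]


if __name__ == "__main__":
    for name, level in classify_all().items():
        label = "undetermined" if level is None else f"Level {level}"
        print(f"{name:18s} -> {label}")
    print("needs a scoping decision:", ", ".join(gaps()))
```

With the sample values the financial system lands at Level 1 and the physician portal at Level 2, while HIM and the desktops match none of the three conjunctions (ePHI is processed but at least one other Level 2/3 factor is absent). That is the point of running the rules: the slide's AND-joined columns describe the clean cases, and the systems in between have to be placed by an explicit decision that is recorded in the assessment scope.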

System Profile & Risks

System Domain Risk Profile ‐ 1

| Control Category | HIM (Implementation Requirement, Level 1 / 2 / 3) | Desktops (Implementation Requirement, Level 1 / 2 / 3) | Financial System (Implementation Requirement, Level 1 / 2 / 3) |
|---|---|---|---|
| 1 – Access Control | X | X | X |
| 9 – Communications and Operations Management | X | X | X |
| 10 – Information Systems Acquisition, Development and Maintenance | X | X | X |
| 11 – Information Security Incident Management | X | X | X |
| 12 – Business Continuity Management | X | X | X |


HITRUST CSF Sample

HITRUST CSF Sample (Cont’d)

Scales according to the type, size and complexity of the organization and system, as determined by predefined criteria.

HITRUST CSF Sample (Cont’d)

Prescriptive, to ensure clarity and consistency of implementation.

HITRUST CSF Sample (Cont’d)

Follows a risk-based approach to allow organizations to identify the appropriate level of controls. This includes multiple levels of Implementation Requirements, as determined by risk.

HITRUST CSF Sample (Cont’d)

Consistency in audit procedures allows standardized comparisons and improves the secure exchange of data throughout the information’s lifecycle.

HITRUST CSF Sample (Cont’d)

Leverages existing globally and nationally recognized standards to expand on the implementation requirements of the framework and to avoid introducing additional redundancy and ambiguity into the industry.

HITRUST CSF Sample (Cont’d)

Allows organizations to drill down into the authoritative sources referenced in each control.

HITRUST CSF Sample (Cont’d)

Structured in accordance with the ISO 27001 / 27002 standards.

Certifiable to assure common implementation and acceptance.

Certifications and Benchmarks

HITRUST Validations

Self-Assessment

Remote Assessment

On-site Assessment

HITRUST Certification

On-site Assessment – Requires a quality level of 3 to be certified

Benchmarks

PCI

FISMA

HIPAA

HITECH

State

Joint Commission

CMS

Contents

Introduction
IT Governance Perspective
IT & Information Security Standards
HITRUST Overview
Case Study
Q&A

Question & Answers

Save the Date: August 25-28, 2013

32nd Annual Conference, Chicago, IL