get ready now for hitrust 2017

Get Ready Now for HITRUST 2017 | 1

Get Ready Now for HITRUST 2017 Your Map to HITRUST Certification


01. Background / Overview 02. The CSF Framework 03. Scope and Approach 04. Options 05. Steps to Certification 06. Process 07. Q&A

Agenda


Background & Overview 01


HITRUST Overview • Began in 2007, first version released in 2009 • Meet demand of healthcare challenges

– Inconsistency – Inefficiencies – Increasing cost – Increasing risk


Announcement


Overview of Expansion • CSF Certification • Anthem/Cigna, Health Care Services Corp.,

Highmark, Humana, and UnitedHealth Group Significance

• Effective security and privacy practices


Why the Expansion? • Increasing cyber threats • Significance of Business Associates • Interconnection of healthcare industry • Beyond HIPAA • Minimize the duplicity, costs and inefficiencies


Mandatory?

YES! (For Business Associates of these Healthcare Organizations)


7,500 An additional 7,500 organizations that do not currently have a CSF

Certification do so with within the next 24 months.


Overview of the Common Security Framework 02


CSF Overview • CSF

– Defined set of requirements – Prescriptive requirements – Meet the challenges in healthcare security – Secure protected health information


Overview of the CSF • ISO 27001 • PCI-DSS • HIPAA/HITECH • Meaningful Use

• NIST 800-53 • FTC Red Flags • CMS • Privacy Laws


Organization of the CSF • Establishes a single benchmark • Increases trust and transparency • Obtains industry consensus


CSF and Privacy • CSF version 7

– Inclusion of privacy – Satisfy health care regulations in TX, MA, and NV


Purpose & Scope 03


Purpose • Harmonizes privacy and security standards • Establishes framework of controls • Build trust and assurance • Highlights credibility • Helps eliminate the need for redundant audits


Define Scope • Entire organization environment • Segmented portions

– Single location – Single business unit – Single application

• Covered information


Define Scope • Assessment options

– Security Assessment – Security & Privacy Assessment – Comprehensive Security Assessment – Comprehensive Security & Privacy Assessment


Scope of CSF • Assessment factors

– Organizational factors – System factors – Regulatory factors


Scope of CSF • 14 control categories

– 13 for Security – 1 for Privacy

• 46 control objectives • 149 control specifications

– Grouped within 19 assessment domains


Scope of CSF CSF Assessment Domains

Information Protection Program Access Control Endpoint Protection Audit Logging & Monitoring Portable Media Security Education, Training and Awareness Mobile Device Security Third Party Assurance Wireless Security Incident Management Configuration Management Business Continuity & Disaster Recovery Vulnerability Management Risk Management Network Protection Physical & Environmental Security Transmission Protection Data Protection & Privacy

Password Management


MyCSF • Access to the CSF and authoritative source • Perform assessments • Reporting/Tracking compliance • Document remediation in Corrective Action Plan

(CAPs) • Benchmarking


Implementation Levels • Generated by myCSF • Levels are 1, 2, and 3 • Level 1 in baseline, each additional level increases

number of required controls • Adapted from NIST SP-800 series


Options 04


• Self Assessment • CSF Validated

Assessment Types


• Self Assessment – No validation – 3rd party can facilitate assessment – 3rd party can provide review and feedback

Assessment Types


• Validated – HITRUST approved CSF Assessor – On-site fieldwork

• Interviews • Technical testing

Assessment Types


• Self-assessment • CSF Certified

– Minimum maturity scoring of 3 in ALL assessment domains

• CSF Validated – Minimum maturity rating of below 3 in ANY

assessment domains

Report Types


Steps to Certification 05


one Initial Project Planning


• Executive support • Assignment of a main point of contact • Determining scope • Determining system boundaries • Communication with process owners

Project Planning


two Organizational and

System Scoping


• Location(s) • Application(s) • Device(s) • Regulatory requirement(s) • Third party service organization(s)

Organizational and System Scoping


three Assessment Preparation


• Project calendars • Evidence request lists • Identification of process owners • Interview scheduling

Assessment Preparation


four Examine Documentation

and Practices


• Policy documents • Documented procedures • Processes

Examine Documentation and Practices


five Conduct Interviews


• Process owners • Verify process controls • Confirmation of evidence

Conduct Interviews


six Perform Review and

Technical Testing


• Perform walkthroughs • Automated control configurations • Manual control sampling

– HITRUST sampling methodology

Perform Technical Testing


• Compliance scoring – Control requirement

• Policy • Procedure • Implemented • Managed • Measured

Review Technical Testing


• Compliance scoring – Control requirement

• Policy • Procedure • Implemented • Managed • Measured


– Maturity rating • Non-compliant (0%) • Somewhat compliant (25%) • Partially compliant (50%) • Mostly compliant (75%) • Fully compliant (100%)


• Compliance scoring example



seven Alternate Control

Identification and Selection


• Only if non-compliant CSF controls exist • Identify compensating controls • Residual compliance scoring

Alternate Control Identification and Testing


eight Reporting


• Prepare for submission to HITRUST – Assessor testing – Management representation letter – Remediation plans (CAPs)

• HITRUST QA Review – 4 – 6 weeks

Reporting


nine Remediation Tracking


• Corrective Action Plan (CAP) progress – CAP Owner – Implementation plan – Expected completion date

• Residual risk score adjustments

Remediation Tracking


The Certification Process 06


Issuing Certification



• Valid 2 years – Annual review

• Within 2 months following the 1-year anniversary

• Continuous monitoring requirements – CAP remediation


LEARN MORE ABOUT HITRUST click here

https://www.schellmanco.com/hitrust-csf-certification