Trust is not a Control . . . But you still have to have it. (Or How I learned to Stop Worrying and (HI)TRUST Control Compliance Suite)
David Finn, CISA, CISM, CRISC, Health IT Officer, Symantec
SYMANTEC VISION 2013 – Symantec Healthcare
Objectives for today's session
• Understand what HITRUST is
• Appreciate the Regulatory Impact to Health Care
• Recognize HITRUST's Common Security Framework
• Know that CCS goes beyond mandates and beyond questionnaires – Comprehensive and automated
• Identify how this solution can benefit your customer
• Explain how we can address healthcare challenges
What is HITRUST?
HITRUST Alliance is a collaboration among the healthcare industry, business, technology, and information security.
The Alliance is made up of leaders across the healthcare industry and includes:
HITRUST Mission
• Establish a fundamental and holistic change in the way the healthcare industry manages information security risks:
• Regulations and standards rationalized into a single overarching framework tailored for the healthcare industry
• Prescriptive, Scalable, Certifiable
• Address inconsistent approaches to certification, risk acceptance and adoption of compensating controls to eliminate ambiguity in the process
• Provide support and enable sharing of ideas, feedback, experiences among and across the industry
HITRUST, simplified
• To increase trust in the way health information is safeguarded. This can be achieved by:
• Following a prescriptive approach
• Adopting a "de-facto" industry standard*
• *Perception & reality of HITRUST
• HITRUST CSF is not a new standard; this is a misconception.
• The CSF supplements the existing controls with the industry knowledge and leading practices of HITRUST's community and provides the clarity and consistency lacking in many standards and regulations.
• The CSF is the only framework that is built to provide scalable security requirements based on the different risks and exposures of organizations in the healthcare industry.
HITRUST – Standards & Regulations Overlap
(Diagram: overlap of standards and regulations, with HITRUST CSF at the centre: COBIT, ISO 27001/2, FTC Red Flags, HIPAA Security, HITECH Act, Meaningful Use, PCI)
Compliance Challenges
Healthcare Industry Information Security Challenges
• The Risk Assessment – Costs and complexities of redundant and inconsistent requirements and standards
• Multiple certifications (internal & external) – The (C)EHR vs HIPAA
– Business partner review and certification
• Confusion around implementation and acceptable baseline controls
• Information security audits subject to different interpretations of control objectives and safeguards
• Increasing scrutiny from regulators, auditors, underwriters, customers
• Growing risk and liability associated with information protection
Overview of the Common Security Framework (CSF)
HITRUST Compliance Assurance Process
(Diagram, listed from the base of the stack to the top: Scope Assessment; Applicable Controls; CHIP/CSF Assessment Template; Control Assessment; Assessment Reports; HITRUST Assessor Audit; HITRUST Certification)
• HITRUST Assessor Audit – Conducted by formally certified "CSF Assessors" (http://www.hitrustalliance.net/assessors/)
• HITRUST Certification – Based on inspection of all CSF control audit reports
• Sample certification report
HITRUST / Control Compliance Suite (CCS) Implementation
Where does CCS fit in? Automation of HITRUST CSF Assurance Program
Control Compliance Suite automates:
- CSF framework management
- Assessment, Remediation & Monitoring of CSF Controls
- CSF Assessment Reporting
- Continuous Risk Assessment
- Asset Management
CCS Structure: GRC Framework for Healthcare Industry
• Risks – Threats to the Info Sec assets of the healthcare organization that should be mitigated
• Mandates – HIPAA, HITECH, PCI DSS, US Privacy Statutes, FISMA, etc.
• Policies – Internal objectives for securing the Info Sec assets of the healthcare organization
• Controls Framework – HITRUST CSF Controls
• Checks – 50+ CIS/SE Standards; industry-best platform coverage
• Vulnerabilities – Threats to systems via known attack vectors, usually mitigated through patching and updates
• Questions – HITRUST CHIP Assessment; CCS questionnaires
• 3rd Party Data – CCS Connectors for leading security products
Summary Compliance for Multiple Mandates
HIPAA Compliance Reporting & Remediation
(Screenshot callouts:)
• Drill down to investigate low compliance score
• Drill down on asset to identify failed controls
• View evidence for failed controls
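A minimal model of the chain the preceding slides describe (mandate to CSF controls to technical checks, rolled up into a per-asset compliance score with drill-down to failed controls and their evidence). This is an added example, not Symantec CCS or HITRUST code; every control id, check name and result is a constructed placeholder, and the scoring rule (a control passes only when all of its checks pass, and a check with no collected result counts as failed) is an assumption, not CCS's actual logic.

```python
# Added example (not Symantec or HITRUST code): the CCS-style chain
# mandate -> CSF control -> technical check, rolled up into a per-asset
# compliance score with drill-down to failed controls and their evidence.
# Every id, check name and result below is a constructed placeholder.
MANDATE_TO_CONTROLS = {  # mandate requirement -> CSF controls satisfying it
    "HIPAA-ACCESS": ["CSF-AC-1", "CSF-AC-2"],
    "HIPAA-AUDIT": ["CSF-AU-1"],
}
CONTROL_TO_CHECKS = {  # CSF control -> technical checks producing evidence
    "CSF-AC-1": ["pwd_min_length", "account_lockout"],
    "CSF-AC-2": ["sql_sa_login_disabled"],
    "CSF-AU-1": ["audit_logging_enabled"],
}
RESULTS = {  # per-asset check results: check -> (passed, evidence)
    "dallas-db01": {
        "pwd_min_length": (True, "min_length=12"),
        "account_lockout": (True, "lockout_threshold=5"),
        "sql_sa_login_disabled": (False, "sa login still enabled"),
        "audit_logging_enabled": (True, "auditpol: success,failure"),
    },
    "austin-web01": {
        "pwd_min_length": (True, "min_length=14"),
        "account_lockout": (True, "lockout_threshold=5"),
        "audit_logging_enabled": (True, "auditpol: success,failure"),
        # sql_sa_login_disabled was never collected here: treated as failed
    },
}

def failed_checks(asset, control):
    """Checks mapped to `control` that failed on `asset`, with evidence.
    A check with no collected result is reported as failed, never skipped."""
    results = RESULTS.get(asset, {})
    failed = []
    for check in CONTROL_TO_CHECKS[control]:
        passed, evidence = results.get(check, (False, "no result collected"))
        if not passed:
            failed.append((check, evidence))
    return failed

def compliance_score(asset, mandate):
    """Percent of the mandate's CSF controls whose checks all pass."""
    controls = MANDATE_TO_CONTROLS[mandate]
    passing = sum(1 for c in controls if not failed_checks(asset, c))
    return round(100.0 * passing / len(controls), 1)

def drill_down(asset, mandate):
    """Failed controls for the asset under the mandate, with check evidence."""
    per_control = {c: failed_checks(asset, c) for c in MANDATE_TO_CONTROLS[mandate]}
    return {c: f for c, f in per_control.items() if f}
```

Treating an uncollected check as a failure is deliberate: an asset that was never scanned for a control should lower the score and surface in the drill-down rather than silently pass.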
Proactive Risk Assessment based on HITRUST Controls
(Screenshot callouts:)
• Access Control Risk for hospitals
• Dallas hospital has the central hospital database!
• High risk with SQL server
• Create remediation plan
CCS Support for HITRUST CSF Controls Framework
Mapping of CSF Controls to Assessment Questions
Mapping of HIPAA Mandate to CSF Controls
HIPAA Compliance Audit Report
HITRUST CSF – Applicable Controls Based on Scope Assessment
Key Takeaways – What CCS Delivers
• Beyond mandates – Risk focus!
• Beyond questionnaires – Automated Technical Assessments!
– 50+ Standards – Broadest platform coverage
• End-to-end automation for HITRUST CSF implementation
• Audit-ready reports for HITRUST certifications
• Full support for HITRUST CHIP assessments
• Integration with popular security products for 360 degree InfoSec posture
References
• HITRUST CSF Official Website – http://www.hitrustalliance.net
• HITRUST CSF Tutorials/Webinars – http://www.hitrustalliance.net/getstarted/
• Symantec Control Compliance Suite – http://www.symantec.com/control-compliance-suite
Thank You – Discussion
David S. Finn, CISA, CISM, CRISC, Health IT Officer, [email protected], 832.816.2206