Risk Management Frameworks - HITRUST...Risk Management Frameworks How HITRUST provides an efficient and effective approach to the selection, implementation, assessment and reporting

HITRUST Risk Managment Framework

vHT-301-01

1<< Back to Contents

Risk Management FrameworksHow HITRUST provides an efficient and effective approach to the selection, implementation, assessment and reporting of information security and privacy controls to manage risk in a healthcare environment

2019

Introduction ...........................................................................................................................................................................3Background ............................................................................................................................................................................5 Overview ............................................................................................................................................................................5 HIPAA .................................................................................................................................................................................5 HITECH ..............................................................................................................................................................................6 Omnibus Rule ....................................................................................................................................................................6 Other Drivers ......................................................................................................................................................................7 Summary ............................................................................................................................................................................7Risk Management Frameworks.............................................................................................................................................7 Overview ............................................................................................................................................................................7 General RMF ......................................................................................................................................................................8 Step1-IdentifyRisksandDefineProtectionRequirements .............................................................................................8 Step2-SpecifyControls ...................................................................................................................................................9 Step3-ImplementandManageControls .........................................................................................................................9 Step4-AssessandReport ...............................................................................................................................................9 Summary ..........................................................................................................................................................................10NIST RMF ..............................................................................................................................................................................10 Step1-IdentifyRisksandDefineProtectionRequirements ...........................................................................................10 Step2-SpecifyControls .................................................................................................................................................11 Step3-ImplementandManageControls .......................................................................................................................12 Step4-AssessandReport .............................................................................................................................................13 Summary ..........................................................................................................................................................................14HITRUST RMF .......................................................................................................................................................................14 Step1-IdentifyRisksandDefineProtectionRequirements ...........................................................................................14 Step2-SpecifyControls .................................................................................................................................................15 Step3-ImplementandManageControls .......................................................................................................................16 Step4-AssessandReport .............................................................................................................................................17 Summary ..........................................................................................................................................................................20Conclusion ............................................................................................................................................................................20About HITRUST ....................................................................................................................................................................22 MyCSF ..................................................................................................................................................................................22

Contents


vHT-301-01


Figure 1

IntroductionHealthcareorganizationscontinuetofaceamultitudeofchallengeswithregardstoinformationsecurityandprivacy.Attheforefrontofthesechallengesistheneedtoapply‘reasonableandappropriate’safeguardstoprovide‘adequate’protectionofsensitiveinformationtodemonstratecompliancewithagrowingnumberofcontinuouslyevolvingfederal,stateandindustryrequirements.However,giventhegenerallackofdefinitionandprescriptivenessoftheserequirements,organizationsareleftwiththetaskofdecidingwhatactionswouldbeconsidered‘reasonableandappropriate’andwhatlevelofprotectionwouldbe‘adequate’intheeyesoffederal,stateandindustryregulators,businesspartners,patientsandtheirfamilies,andotherinterestedthird-parties.

ThiscomplexchallengeisthebasisforwhythehealthcareindustrycametogetherandformedHITRUST.HITRUSTdidthe‘heavylifting’byintegratingmultipleinternational,federal,stateandindustrylegislation,regulations,standards,andbestpracticeframeworks;adaptedthemtothehealthcareenvironmentinpartic-ular;anddeterminedanindustrystandardofduediligenceandduecarethatcanbetailoredtoanindividualorganizationbaseduponitsspecificbusinessrequirements.TheresultoftheseeffortsistheHITRUSTCSF,anindustry-wideframeworkofsecurityandprivacycontrolsthatisbasedon,andcross-referencedwith,existingrequirements.Inaddition,theHITRUSTCSFAssuranceProgramprovidesorganizationswithasingleapproachforconductinganassessmentandreportingagainstthesemultiplerequirements.BoththeHITRUSTCSFandCSFAssuranceProgramareupdatedatleastannuallytoaccountforchangesinleg-islation,regulations,standards,guidanceandbestpractices,suchaswiththe2014releaseoftheNationalInstituteofStandardsandTechnology(NIST)Framework for Improving Critical Infrastructure Cybersecurity,morecommonlyknownastheNISTCybersecurityFramework(CsF).Further,allchangestotheHITRUST


vHT-301-01


CSFareprovidedtotheindustryforreviewandcomment,ensuringtransparencyandopenness.HITRUSTprovidestheCSFfreetoqualifiedorganizationsthatwishtoimplementtheframework.

So,whydoestheHITRUSTCSFincreaseinvalueasnew/updatedrequirementsorguidancearereleased?Becausethemorecomplexthesecurityandregulatorylandscapebecomes,themoredifficultitisfororga-nizationstomaintaincompliance,protectinformation,andprotectthemselvesagainstbreaches.HITRUSTestablishedaflexiblecontrolstructurefromitsinceptionandcontinuouslyaddsandupdatestheframeworkinresponsetochanginglegislation,regulations,standardsandguidance. Partoftheprocessistoanalyzeeachnewsourceandmapitsrequirementstothecontrolstructure,whichcanalsobeperformedwiththeassistanceofacross-industryworkinggroup.Inaddition,theHITRUSTCSFwasstructuredinsuchawaythatallowsadditionaltailoringbasedonriskfactorssuchasorganizationaltypeoraspecificsystemcharacteristic.HITRUSTalsocontinuestodevelopandpublishguidanceandtoolsliketheHITRUSTCSFassessmentmethodologyandMyCSFaspartofanoverallriskmanagementframework(RMF),whichisessentiallyacommontaxonomyandstandardsetofprocesses,procedures,activitiesandtoolsthatsupporttheidentification,assessment,response,controlandreportingofrisk.Thisprovidesorga-nizationswithonesetofrequirementsirrespectiveofneworupdatedregulations,guidanceorbestpractices,andonecomplianceapproachtoimplementandmanage‘reasonableandappropriate’safeguardsthatdemonstratethelevelofduecareandduediligencerequiredtoensure‘adequate’protectionoftheinforma-tionwithwhichtheyareentrusted.

WhatwouldorganizationsneedtodowithoutHITRUSTandtheCSF?Thealternativeistocontinuallyreviewchangestolegislation,regulations,guidanceandstandardstodeterminetherequirementsthatareappropriatebasedoneachorganization’sriskprofile,identifyindustrybestpracticestoaddresstherequirements,anddevelopanapproachtoassessitscomplianceagainsttheserequirements.Becauseeachorganizationwouldbeworkingindependently,eachinterpretationandimplementationoftherequirementswouldbeuniqueifnotproprietary,impedingtheabilitytoformtrusted,third-partybusinessrelationshipsandthehealthcareindustry’sprogressinthedigitalage.

Thispaperdescribes:• Howorganizationsstrugglewiththeconstantlychangingsecurityandregulatorylandscape,• Howthemostefficientandeffectivewaytodealwiththesechangesisbyadoptionofanappropriate

RMF,• TheNISTandHITRUSTRMFsusinga4-stepriskmanagementprocess,and• HowtheHITRUSTRMFismorepracticalandprovidesmorevaluefornon-federalhealthcareentities.

Themorethesecurityandregulatorylandscapechanges,themoreanRMFisneeded,andthebettervalueHITRUSTofferstheindustry—theheavyliftingisalreadydone.


vHT-301-01


Figure 2

Background

OverviewHealthcareorganizationsarefacingmultiplechallengeswithregardstoinformationsecurityandprivacy.Redundantandinconsistentrequirementsandstandardsincreasecomplexityanddriveupcosts.Confusionaroundacceptablesafeguardsandthelackofdefinedsecurityrequirementsresultincriticalsystemswithoutappropriateadministrative,physicalandtechnicalsafeguards.Further,theincreasedscrutinyfromregulators,auditors,underwriters,customersandotherthirdpartiesleavestheindustrycopingwithadditionalexposure,increasedliability,andgrowingriskstopatients,theirfamiliesandhealthcareorganizations.Inaddition,organizationsarechallengedwithappropriatelymanagingthesharingofinformationduetothewiderangeofbusinesspartnersandotherthirdpartieswithdifferentcapabilities,requirementsandriskprofiles.

Theseissuesledtoagrowingneedandbroaddesireforacommonsecurityframework—asetofcommonstandardsandsupportingmethodologies—thatwouldprovideaminimumbaselinesetofsecurityrequirements.Duetothevariednatureoforganizationsinhealthcareinparticular,thisframeworkalsoneededtobetailorabletoaspecificsizeandtypeoforganization,whichwouldimproveadoptionandimplementation,andsubsequentlyimprovestakehold-ertrustaswellasfurthermitigatepotentialliabilityfrombreachesofsensitiveinformation.

Thus,HITRUSTwasbornoutofthebeliefthatinformationsecurityandprivacyarecriticaltothebroadadoption,utilizationandcon-fidenceinhealthinformationsystems,medicaltechnologiesandelectronicexchangesofhealthinformation.TheHITRUSTCSF®

providestheneededfundamentalandholisticchangeinthewayindustrymanagesinformationsecurityandprivacy-relatedrisk.Itrationalizeslegislation,regulations,standardsandbestpracticesintoasingleoverar-chingframeworkandprovidesaconsistentapproachtocertificationandriskacceptance.

HIPAATheprincipledriverbehindsecurityandprivacyinhealthcareformanyyearswaswithoutadoubttheHealthInformationPortabilityandAccountabilityAct(HIPAA),whichincorporatesspecificprivacyandsecurityrequirementsforproviders,payersandothercoveredentitiesinthehealthcareindustry.HIPAA’sSecurityRuleprovidednumerousimplementationspecificationsthatessentiallyrequiredcoveredentitiestoimplementreasonableandappropriateadministrative,technicalandphysicalsafeguardsforprotectedhealthinformation(PHI).

Unfortunately,theimplementationspecificationsintheRulegenerallylackthelevelofprescriptivenessnecessarytodetermineastandardofduecareordiligence,i.e.,safeguardsthatwouldbeconsidered‘reasonableandappropriate.’Organizationsweresubsequentlylefttodeterminethesesafeguardsforthemselvesbutoftenfoundthemdifficulttojustifygiventhecostsassociatedwiththeirimplementation.Itis


vHT-301-01


notoriouslydifficulttoquantifyareturnoninvestmentfornewsecurityinvestmentsunlessexistingtechnolo-giesorprocessesarebeingreplaced,allowingsuchcoststobecalculated.Unlessspecificallyrequiredbyabusinesspartnerorregulator,securityinvestmentsaremostoftenjustifiedbasedon‘costavoidance’calcula-tions,orwhathasbeenreferredtobysomesecurityexpertsas‘fear,uncertaintyanddoubt.’

Tocompoundmatters,healthcareisaserviceindustryfocusedonqualityofcareaswellasefficiencyandcost.Giventhatpatientsandothershavefounditdifficulttoevaluatethisqualityofservice,itissubse-quentlydifficultfororganizationstocalculatetheirreturnoninvestmentforanyinitiative,letalonethosewithsignificantsecurityandprivacyrequirements.Fortunately,itonlytookthreeyearsaftercompliancewiththeSecurityRulewasmandatoryforthefederalgovernmenttorealizethedifficultiesengenderedwiththeRule’spracticalapplicationandissueadditionallegislation.

HITECHAspartofthenationalinitiativetoimprovequalityandlowerthecostofhealthcarethroughthemeaningfuluseofelectronichealthrecord(EHR)systemsandhealthinformationexchanges(HIEs),CongresspassedtheHealthInformationTechnologyforEconomicandClinicalHealth(HITECH)ActaspartoftheAmericanRecoveryandReinvestmentActof2009.Inadditiontotheprivacyandsecurityrequirementsformean-ingfuluse,inwhichcoveredentitiesareexpectedtoconductorreviewasecurityriskanalysisandcorrectidentifieddeficiencies,themostsignificantchangesstemmingfromHITECHweretheestablishmentofafederalbreachnotificationrequirementandincreasedenforcementoftheHIPAASecurityRulethroughtheOfficeofCivilRights(OCR).

Unfortunately,theHITECHActdidnotprovidesignificantadditionalguidancetoorganizationsonwhatlevelsofduediligenceandduecarearereasonableandappropriate.ItwasnotuntilafewyearslaterwhenOCRandNISTbegancooperatingonprovidingguidanceontheHIPAASecurityRule’srequirementsthatcoveredentitiesbegantogetarealindicationoftheincreasedlevelofrigorthefederalgovernmentexpected.OCRandNISTbeganhostingaseriesofannualjointconferencesonsecurityandprivacy,andworkedtogethertoproducetheNISTHIPAASecurityRule(HSR)Toolkitin2011.OCRalsopublishedaddition-alguidancein2012ontheauditprotocolbeingusedaspartoftheoverallHIPAAenforcementeffort.(Noteamuchanticipatedsecondversionoftheprotocolwaspublishedin2016,providingmorespecificguidanceonthetypesofactivitiesOCRexpectedcoveredentitiestoundertakeforeachoftheRule’sstandardsandimple-mentationspecifications.)

Omnibus RuleTheHIPAAFinalOmnibusRulepublishedinJanuaryof2013—10yearsaftertheSecurityRulewasreleased—providesfinalmodificationstotheHIPAAPrivacy,SecurityandEnforcementRulesembeddedintheHITECHAct,afinalruleontieredmonetarypenalties,andaBreachNotificationRule.OneofthemostsignificantaspectsoftheOmnibusRuleisitsapplicationtobusinessassociates,whicharenowdirectlyliableforfailuretocomplywiththealltheRule’srequirements,includingtheHIPAASecurityRuleasman-dated by HITECH.


vHT-301-01


Other DriversWhilelegislationandregulationarearguablytheprincipledriverforsecurityandprivacyinhealthcare,therearenumerousotherlegislative,regulatory,industryandbestpracticerequirementsthathealthcareentitiesmustaddress.ExamplesincludethePrivacyActof1974,theGeneticInformationNon-discriminationAct(GINA)of2008(laterincorporatedintotheHIPAAOmnibus),theFederalTradeCommission(FTC)RedFlagsRuleandFairInformationPracticePrinciples,FederalDrugAdministration(FDA)requirementsforEHRsandelectronicsignatures,multiplestate-levelsecurityandprivacylegislationandregulations,andthePaymentCardIndustryDigitalSecurityStandard(PCI-DSS).

SummaryOrganizationshavefaced,andwillcontinuetoface,multiplechallengeswithregardstoinformationsecurityandprivacy,includingthegrowingneedtodemonstratecompliancewithmultiplefederal,stateandindustryrequirements.However,giventhegenerallackofdefinitionandprescriptivenessoftheserequirements,organizationsareleftwiththetaskofdecidingwhatactionswouldbeconsidered‘reasonableandappropriate’andwhatlevelofprotectionwouldbe‘adequate’intheeyesoffederal,stateandindustryregulators,busi-nesspartners,customers,andotherinterestedthirdparties.Implementingtherightframework,processesandtoolsistheonlyefficientandeffectivewaytomanageinformationriskandcompliance.

TheHITRUSTCSFprovidestheneededfundamentalandholisticchangeinthewayindustrymanagesinformationsecurityandprivacy-relatedrisk.Itrationalizeslegislation,regulations,standardsandbestpracticesintoasingleoverarchingframeworktailoredforindustry—healthcareinparticular—andprovidesaconsistentapproachtoassessment,certificationandriskacceptance.

Risk Management Frameworks

OverviewSo,howcananorganizationdetermine‘reasonableandappropriate’safeguardstoprovide‘adequate’protectionforsensitiveinformation?Orstatedanotherway,howcananorganizationselectandimplementaspecificsetofcontrolstomanageinformationsecurityandprivacy-relatedriskatanacceptablelevel?

Thetextbookansweristhroughacomprehensiveriskanalysisthat(1)includesthreatandvulnerabilityassess-ments,informationassetvaluation,andtheselectionofacomprehensivesetofinformationsecurityandprivacycontrolsthataddressestheenumeratedthreat-vulnerabilitypairs(aprocesssometimesreferredtoasthreatmodeling),(2)iscost-effective,and(3)managesriskataleveldeemedacceptablebytheorganization.

Fromaquantitativeviewpoint,thisprocessisvirtuallyimpossibleformany—ifnotmost—organizationstoperform.Forexample,unlessactuarial-typeinformationisavailable,thelikelihoodathreat-sourcewillsuc-cessfullyexploitoneormorevulnerabilitiescannotbecalculatedwithanylevelofprecision.Inthecaseofahumanactor,likelihoodisalsodependentonthemotivationofthethreatsourceandthedifficultyorcostassociatedwithexploitingoneormorevulnerabilitiestoachievethethreatactor’sobjectives.Asaresult,itissimilarlydifficulttodevelopavalidbusinesscaseforaspecificriskresponseortreatmentbasedonareturnoninvestment.Organizationscouldtakeasemi-orquasi-quantitativeapproachorevenapurelyqualitativeapproach;however,itwouldstillbedifficultforanorganizationtodevelopavalidbusinesscase,particularlyforacomprehensivesetofriskresponses.


vHT-301-01


Figure 3

Analternativeapproachistorelyonotherorganizationsthatdohavetheresourcestodevelopasetofcontrolsthataddressessimilarthreatstosimilartechnologiesemployedbytheirownorganization.Thisistheapproachemployedbytheintelligencecommunity(IC),defensedepartmentandcivilianagenciesofthefederalgovernmentwiththeirrespectiveinformationsecuritycontrolframeworks,allofwhicharenowbasedontheNISTRMF.ItistheHITRUSTRMF,whichconsistsoftheHITRUSTCSFcombinedwithCSFAssurancePro-gram-relateddocumentsandtools,suchastheHITRUSTCSFAssuranceProgramrequirements,HITRUSTAuthorizedExternalAssessorrequirements,HITRUSTCSFassessmentmethodology,andHITRUST’s comprehensiveonlinetool,MyCSF.

General RMFRiskmanagementframeworkssupportabasic4-stepriskmanagementprocessmodel:

• Step1—Identifyrisksanddefineprotectionrequirements• Step2—Specifycontrols• Step3—Implementandmanagecontrols• Step4—Assessandreport

Step 1 - Identify Risks and Define Protection Requirements Theobjectiveofthisstepistodeterminetheriskstoinformationandinformationassetsthatarespecifictotheorganization.Riskscanbeidentifiedthroughtheanalysisofregulationsandlegislativerequirements,breachdataforsimilarorganizationsintheindustry,aswellasananalysisofcurrentarchitectures,technol-ogiesandmarkettrends.Theendresultofthisanalysisshouldbeaprioritizedlistofhigh-riskareasandanoverallcontrolstrategytominimizetherisktotheorganizationfromtheuseofsensitiveorbusinesscriticalinformationintermsofoverallimpacttotheorganization.


vHT-301-01


Figure 4

Thisstepissupportedbysevensub-processes,whichrangefromtheclassificationofinformationassetstothedevelopmentofspecificrisktreatments.Asindicatedpreviously,thisisoneofthemoreproblematicaspectsofriskanalysisthatacontrol-basedriskmanagementframeworkwillhelpanorganizationaddress.

Step 2 - Specify Controls Thenextstepistodetermineasetofreasonableandappropriatesafeguardsanorganizationshouldimplementtoadequatelymanageinformationsecurityrisk.Theendresultshouldbeaclear,consistentanddetailedorprescriptivesetofcontrolrecommendationsthatarecustomizedfortheorganization.

Acontrol-basedriskmanagementframeworkwillprovideacomprehensivecontrolcatalogderivedfromthesevensub-processesoutlinedearlieraswellasspecificcriteriafortheselectionofabaselinesetofcontrols,whichisperformedinthisstep.

Step 3 - Implement and Manage ControlsControlsareimplementedthroughanorganization’snormaloperationalandcapitalbudgetandworkprocesseswithboard-levelandseniorexecutiveoversightusingexistinggovernancestructuresandprocesses.Ariskman-agementframeworkwillprovideguidanceandtoolsforimplementationoftheframework,includingthecontrolsspecifiedearlierinstep2.

Step 4 - Assess and ReportTheobjectiveofthislaststepistoassesstheefficacyofimplementedcontrolsandthegeneralman-agementofinformationsecurityagainsttheorganization’sbaseline.Theresultoftheseassessmentandreportingactivitiesisariskmodelthatassessesinternalcontrolsandthoseofbusinessassociatesbasedonwell-definedriskfactors.Itshouldalsoprovidecommon,easy-to-usetoolsthataddressrequirementsandriskwithoutbeingburdensome,supportthird-partyreviewandvalidation,andprovidecommonreportsonriskandcompliance.


vHT-301-01


SummaryUnlessskilledpersonnelandotherresourcesareavailabletodetermineacomprehensivesetof‘reasonableandappropriate’safeguardstoprovide‘adequate’protectionforsensitiveinformation,healthcareorganizationsshouldleverageexistingcontrolandriskmanagementframeworks.Thisisthesameapproachusedbythefederalgovernment,anditisalsotheapproachusedbythehealthcareindustrythroughHITRUST.

Butregardlessofthesource,ariskmanagementframeworkissupportedbyariskmanagementprocess,whichatabasiclevelincorporatesfourdistinctsteps.

• Step1—Identifyrisksanddefineprotectionrequirements• Step2—Specifycontrols• Step3—Implementandmanagecontrols• Step4—Assessandreport

AlthoughstructuredonInternationalStandardsOrganizationandInternationalElectrotechnicalCommittee(ISO/IEC)Standard27001andincorporatesguidancefromISO/IEC27002,theHITRUSTCSFreliesheavilyonNISTSP800-53,SecurityandPrivacyControlsforFederalInformationSystemsandOrganizations,andintegratesotherNISTandfederalsecurityguidancesuchastheCentersforMedicaidandMedicare(CMS)InformationSystems(IS)AcceptableRiskSafeguards(ARS).Assuch,therestofthiswhitepaperwillfocusontheNISTandHITRUSTriskmanagementframeworksinthecontextofthisfour-stepprocessandidentifysomeofthedifferencesbetweenthem.

NIST RMFNISTprovidesastructuredprocessandasignificantamountofguidancetohelpfederalorganizationsidentifyandassessrisktotheirinformationandinformationsystemsandtakestepstoreducerisktoanacceptablelevel.ThisisaccomplishedthroughthepublicationofvariousNISTSP800-seriesdocuments,FederalInformationProcessingStandards(FIPS)documents,andInter-agencyReports(NISTIRs),whichhelpguidefederalagenciesthroughasix-stepriskmanagementprocessdesignedtominimizetheriskofharmfromtheunauthorizedaccess,use,disclosure,disruption,modificationordestructionofsensitiveinformation.NISTSP800-37Revision1outlinestheprocessandprovidesadditionalguidancebymappingotherNISTdocumentsintheframeworktoeachstepoftheprocess.

Thesix-stepNISTriskmanagementprocesscanbemappedtothebasicfour-stepprocessasfollows:CategorizeInformationSystemtostep1;SelectSecurityControlstostep2;ImplementSecurityControls,AssessSecurityControlsandAuthorizeInformationSystemtostep3;andMonitorSecurityControlstostep4.(Note,weconsiderthesecurityassessmentperformedaspartofsystemauthorizationtobediffer-entfromtheongoingassessmentandmonitoringofsecuritycontrolspost-implementation.)

Step 1- Identify Risks and Define Protection RequirementsThefirststepofNIST’sriskmanagementprocess,CategorizeInformationSystems,categorizesaninfor-mationsystemandtheinformationbeingprocessed,storedandtransmittedbythesystembasedonthepotentialimpacttotheorganizationshouldathreat-sourcesuccessfullyexploitavulnerability.FIPS199requiresorganizationstocategorizetheirinformationsystemsaslow-impact,moderate-impact,orhigh-im-pactforthesecurityobjectivesofconfidentiality,integrityandavailability.Thepotentialimpactvalues


vHT-301-01


assignedtotherespectivesecurityobjectivesarethehighestvalue(high-watermark)fromamongthesecuritycategoriesdeterminedforeachtypeofinformationprocessed,stored,ortransmittedbytheinfor-mationsystem(s)consideredinscope.RelatedpublicationsincludeNISTSP800-60.

Noteforhealthcareorganizations:althoughnottechnicallypartoftheNISTRMFpublications,NISTSP800-66provideslinksfromtheNISTRMFtotheHIPAASecurityRule’simplementationspecifications.However,thepublicationdoesn’tspecifyasecuritycategorizationforePHI;thisexerciseislefttothefeder-alhealthcareorganization.

Step 2 - Specify ControlsThefirststepinselectingsecuritycontrolsfortheinformationsystemistochooseaninitialsetofbaselinesecuritycontrolsfromNISTSP800-53basedontheimpactleveloftheinformationsystemasdeterminedbythesecuritycategorizationperformedinstep1.Theorganizationselectsoneofthreesetsofbaselinesecuritycontrolsfromthesecuritycontrolcatalogcorrespondingtothelow-impact,moderate-impact,orhigh-impactratingoftheinformationsystem.Note,NISTforegoesthetraditionalsecurityobjectivesofconfidentiality,integrityandavailabilityusedinFIPS199,Standards or Security Categorization of Federal Information and Information Systems,andusessensitivityandcriticalityinstead.NISTIR7298r2,Glos-sary of Key Information Security Terms,definessensitivityasa“measureoftheimportanceassignedtoinformationbyitsowner,forthepurposeofdenotingitsneedforprotection,”andcriticalityasa“measureofthedegreetowhichanorganizationdependsontheinformationorinformationsystemforthesuccessofamissionorofabusinessfunction.”FortheprotectionofPHIandsystemsprocessingePHI,HITRUSTconsidersconfidentiality(andprivacy)requirementsanindicationofsensitivity,andintegrityandavailabilityrequirementsanindicationofcriticality.

Afterselectingtheinitialsetofbaselinesecuritycontrols,theorganizationstartsthetailoringprocesstoappropriatelymodifyandmorecloselyalignthecontrolswithspecificconditionswithintheorganization(i.e.,conditionsspecifictotheinformationsystemoritsenvironmentofoperation).Thetailoringprocessincludes:

• Applyingscopingguidancetotheinitialbaselinesecuritycontrolstoobtainapreliminarysetofapplica-blecontrolsforthetailoredbaseline;

• Selecting(orspecifying)compensatingsecuritycontrols,ifneeded,toadjustthepreliminarysetofcontrolstoobtainanequivalentsetdeemedtobemorefeasibletoimplement;and

• Specifyingorganization-definedparametersinthesecuritycontrolsviaexplicitassignmentandselec-tionstatementstocompletethedefinitionofthetailoredbaseline.

Althoughthesecuritycontrolselectionprocessisgenerallyfocusedontheinformationsystem,NISTstatestheselectionprocessisalsoapplicableattheorganizationalandmission/businessprocesslevels.GeneralguidanceinapplyingtheNISTRMFattheselevelsmaybefoundinNISTSP800-39,Managing Informa-tion Security Risk: Organization, Mission, and Information System View.However,thetailoringprocessdescribedinNISTSP800-53isneitherprescriptivenormanaged,whichdoeslittletoguaranteetailoringisperformedconsistentlyfromoneorganizationtothenextor,moreoftenthannot,thattailoringisperformedatall.RelatedpublicationsincludeFIPS200,Minimum Security Requirements for Federal Information and Information Systems.


vHT-301-01


AdditionalguidanceforhealthcareorganizationscanbefoundinNISTSP800-66, An Introductory Resource Guide for Implementing the [HIPAA] Security Rule,asitaddresseskeyactivitiesforeachoftheRule’sstandardsandimplementationspecifications,e.g.,section4.1.1is“IdentifyRelevantInformationSystems,”whichsupportsHIPAA§164.308(a)(1),SecurityManagementProcess.AnorganizationmayalsolookuptheassociatedNISTcontrolsandNISTRMFdocumentsreferencedineachsectionformoreinformation.Forexample,NISTSP800-66§4.1.1maps164.308(a)(1)toNISTSP800-53controlRA-1andcrosswalkstothefollowingpublications:FIPS199,NISTSP800-37,NISTSP800-39,andNISTSP800-53,amongothers.However,it’suptotheorganizationtoparsethereferencesamongtheninekeyactivities,aswellasreadthroughandapplyinformationfromeachofthereferencedpublications.

AhealthcareorganizationcanuseNISTSP800-66todetermineallthepossibleNISTcontrolsthatsupporttheimplementationspecificationandcomeupwithadditionalcontrolsthatmaptotheimplementationspec-ificationsbutnotexplicitlyprovidedintheNISTtool-kit.However,itissimilarlylefttotheorganizationtoparsethroughtheNISTSP800-53controlsanddeterminethesubsetofrequirementsthatdirectlysupporttheHIPAASecurityRule’simplementationspecifications.

NISTSP800-66alsoprovidessomeadditionaltailoringrecommendationsforhealthcareorganizationsbymappingcontrolsfromNISTSP800-53totheHIPAASecurityRule’sstandardsandimplementationspecificationsanddescribingkeyactivitiesforeach;however,thiswouldonlyaddressanorganization’sobligationsundertheRule.Othercontrolsmaybeneededtosupportotherlegislative,regulatory,industryorbestpracticerequirements.

Inaddition,thereislittleifanyprescriptiveguidanceoncontrolselectionbasedonriskfactorssuchasorganizationalsize/capabilityorassignmentofacceptableorganization-definedparameters.However,healthcareorganizationsmayrefertotheCMSISARSforadditionalguidanceontheselectionoforganiza-tion-definedparametersforlow-,moderate-andhigh-levelNISTcontrolbaselines.

Step 3- Implement and Manage ControlsNISTprovidesguidanceonvariousinformationsecuritycontrolsinanextensivelibraryofNISTSP800-series,FIPSandNISTIRdocuments,andprovidesaguideforselectingdocumentsorganizedbyspe-cifictopicssuchasbiometrics(e.g.,FIPS201-1andNISTSP800-116,A Recommendation for the Use of PIV Credentials in Physical Access Control Systems)andcryptography(e.g.,FIPS198-1,The Keyed-Hash Message Authentication Code)orspecificNISTcontrolfamiliessuchasaccesscontrol(e.g.,FIPS200andNISTSP800-114,User’s Guide to Securing External Devices for Telework or Remote Access)andCon-tingencyPlanning(e.g.,NISTSP800-34,Contingency Planning Guide for Federal Information Systems).NISTalsoprovidesguidanceoncapitalplanninginNISTSP800-65,Integrating IT Security into the Capital Planning and Investment Control Process,andsystemdevelopmentinNISTSP800-64,Security Consid-erations in the System Development Life Cycle;however,thereislittleinthewayofspecificguidanceortoolsupportonhowtheNISTcontrolframeworkcanbeimplementedinindustry.RelatedRMFpublicationsincludeNISTSP800-37and800-70,National Checklist Program for IT Products: Guidelines for Checklist Users and Developers,amongothers.

NISTSP800-66doesnotprovideinformationonhowtoimplementormanagesecuritycontrolsinahealthcareenvironment.


vHT-301-01


Step 4 - Assess and ReportNISTprovidesgeneralassessmentguidancefortheNISTSP800-53controlcataloginNISTSP800-53A,Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans,atechnicalassessmentguidanceinNISTSP800-115,Technical Guide to Information Security Testing and Assessment,andtargetedassessmentguidanceindocumentslikeNISTIR7316,Assessment of Access Control Systems.NISTalsoprovidesaprocessmaturity-basedsecu-rityassessmentmethodologyinNISTIR7358,Program Review for Information Security Management Assistance (PRISMA).AlthoughnotformallyincorporatedintheNISTRMF,PRISMAprovidesanintuitiveapproachtotheevaluationofinformationsecuritycontrolsbyconsideringwhethertherequirementisspecifiedinpolicy,supportedbyformalprocesses,implementedacrosstheorganization,testedtoensurecontinuedeffectiveness,andthatactivitiessupportingthefirstfourlevelsarefullyintegratedwitheachotherandtheorganization’scontrolenvironment.TheNISTIRalsoprovidesguidanceonhowtoprepareforandexecuteaPRISMA-basedassessmentaswellasinformationaroundthepracticalapplicationoftheformalreport.RelatedRMFpublicationsincludeNISTSP800-37.

NISTSP800-66providesspecificquestionsforhealthcareorganizationstoconsiderwhenassessingone’sinformationprotectionprogram,organizedbyHIPAASecurityRulestandardandimplementationspecifica-tion,butprovideslimitedguidanceontheriskassessmentprocessthatcouldhelpaddressrequirementsthatmaynotbedirectlyrelatedtotheHIPAASecurityRulestandardsandimplementationspecifications.

In2011,NISTpublishedtheHIPAASecurityRule“HSR”Toolkit,whichprovides472questionsfor“stan-dard”organizationsand809questionsfor“enterprise”-levelorganizations.NISTalsoreferencesothersourcesforeachquestion:491questionsmaptoNISTSP800-66sectionsaddressingtheHIPAAimple-mentationspecifications,290maptoaspecificNISTSP800-53control,and28arenotmapped.Whileanexcellentresource,NISTcautionsusersthat“theHSRToolkitisnotintendedtomakeanystatementofanorganization’scompliancewiththerequirementsoftheHIPAASecurityRule.”

Andin2014,HHSpublishedtheSecurityRiskAssessment(SRA)tooltohelpsmallandmedium-sizedbusinessesgothroughtheriskanalysisprocess.ThetooldoesamuchbetterjobthantheoriginalOCRAuditProtocolinhelpingorganizationsaddresssalientelementsoftheHIPAASecurityRule’sstandardsandimplementationspecifications;however,questionsarespecifictotheRule’srequirementsandsub-sequentlyhassomeofthesamelimitationsastheNISTHSRToolkit.HHSalsohassimilardisclaimers,stating:

• Useofthistoolisneitherrequiredbynorguaranteescompliancewithfederal,stateorlocallaws.• Theinformationpresentedmaynotbeapplicableorappropriateforallhealthcareprovidersandorgani-

zations.• Thetoolisnotintendedtobeanexhaustiveordefinitivesourceonsafeguardinghealthinformation

fromprivacyandsecurityrisks.

OrganizationsmayalsoleveragethesecondOCRAuditProtocolpublishedin2016todeterminehighinterestareastheyshouldensureareaddressedintheirsecurityprogram,andwhichshouldbeassessedaccordingly.However,organizationsmustunderstandthat,likeallaudits,theProtocolisnarrowlyfocusedandmaynotaddressallthesecuritycontrolrequirementsthatwouldbeimplementedbytheorganizationtosupportitsobligationsundertheHIPAASecurityRule.Theauditproceduresalsofocusheavilyonpolicy


vHT-301-01


andprocessrequirementsbut,unliketheoriginal,provideguidanceonspecificactivitiesthathelpaddresstheintentofaparticularstandardorspecification.However,neitherthetoolsortheauditprotocolsprovideamechanismtoevaluateandscoretherelevantmaturityofthecontrol,computeriskestimatesorsupportriskreporting.Thisisleftfortheorganizationtodetermine.

Organizationsshouldnotethat,whiletheNISTHSRToolkit,HHSSRAToolOCRAuditProtocolandDHS/OCRSRAtoolwillsupportHIPAA-specificassessments,theydonotnecessarilysupportamoregeneralassessmentthatincludesotherlegislative,regulatory,industryorbestpracticerequirementsthatshouldbeaddressedbyanorganization’sinformationprotectionprogram,includingtheprovisionofthird-partyassurancesaboutitsprogramtorelevantinternalandexternalstakeholders.

SummaryNISTpublishesacomprehensivesetofcontrolsdesignedforusebyfederalagencies,anextensivelibraryofguidancedocumentsfortheNISTRMF,andspecialinterestdocumentsonspecificinformationsecuritytopicsandcontrolareas.NISTalsopublishesanexcellentresourceontheimplementationofNISTSP800-53securitycontrolstosatisfyHIPAArequirements.However,private-sectororganizationsarenotsub-jecttoallthesamelegislativeandregulatoryrequirementsasafederalhealthcareorganization(e.g.,theFederalInformationSecurityManagementAct),nordotheyhavethesameskilledpersonnelandresourc-esavailabletosupporttheirinformationsecurityprogram.ItcanbedifficultformanyorganizationstoadapttheNISTRMFtotheirspecificneeds,i.e.,todeterminewhatcontrolsare“reasonableandappropriate”foranon-federalorganization.Inparticular,NISThealthcareguidanceisfocusedoncompliancewiththeHIPAASecurityRuleanddoesnotspecificallyaddresstheselectionandimplementationofcontrolsneces-sarytosatisfyotherlegislative,regulatory,industryandbestpracticerequirements.

HITRUSTwasformedtoaddressthegrowingneedandbroaddesirewithintheindustryforacommonframework—asetofcommonstandardsandsupportingmethodologies—thatwouldprovideaminimumbaselinesetofsecurityrequirements,tailorabletoaspecificsizeandtypeoforganization,whichwouldimprovetrustaswellasmitigatepotentialliabilityfrombreachesofsensitiveinformation.HITRUSTbelievesthatimprovementsinthestateofinformationsecurityandprivacyarecriticaltothebroadadoption,utilizationandconfidenceinhealthinformationsystems,informationtechnologiesandelec-tronicexchangesofinformation.TheHITRUSTRMFprovidesaconsistentapproachtocertification,riskacceptanceandsharedtrustthroughtheHITRUSTCSF,CSFAssuranceProgram,andsupportingmeth-odologiesandtoolssuchastheHITRUSTCSFAssessmentMethodologyandMyCSF.

HITRUST RMF

Step 1 - Identify Risks and Define Protection RequirementsTheHITRUSTCSFprovidesafundamentalandholisticchangeinthewayindustrymanagesinformationsecurityandprivacy-relatedriskbyrationalizingrelevantregulationsandstandardsintoasingleoverarchingframeworkdesignedforindustryandtailorabletoanorganization.

Figure5isintendedtoshowhowvariousframeworksandstandardsaremutuallyreinforcing,canbetailoredtoanorganization’sneeds,andintelligentlyappliedintheintendedenvironmenttohelpensureorganizationsmeetbusinessgoalswhileachievingregulatorycompliance.Itshowsthatoverarching


vHT-301-01


Figure 5

governanceframeworkssuchasCOBITcanbeintegratedwithriskmanagementframeworksliketheNISTRMFandISO/IEC27000-seriespublications,aswellasotherframeworkslikeITILforservicedeliveryandISO9000forcapabilityorprocessmaturity.Thisconceptappliestomanyotherstandardsthatanenterprisemaywishtoadopt.Thekeyistoadoptspecificframeworksandstandardsthatmeetone’sneeds,tailorthemappropriatelyandimplementthemsmartly.

HITRUSTstructuredtheCSFontheISO/IEC27001controlframeworkandbaselinedtheinitialcontrolrequirementsfromNISTSP800-53aswellassecurity-andprivacy-relevantrequirementsfromlegisla-tive,regulatory,industryandbestpracticeguidancesuchasISO/IEC27002,HIPAA,HITECH,CMS,FTCRedFlags,PCI-DSS,ISO27799andCOBIT.Staterequirementsspecifictoinformationsecurityarealsointegratedintotheframework.Thisallowsorganizationstoleverageasingleindustrycontrolframeworktomeetitsbusinessobjectivesandsatisfymultipleregulatoryandothercompliancerequirements.

TheHITRUSTCSFisfreelyavailabletoqualifiedorganizationsthroughtheHITRUSTwebsiteorbypaidsubscriptiontoMyCSFforaninteractiveversiontailorabletothesubscribingorganization.

Step 2 - Specify ControlsLikeNIST,HITRUSTbuilttheCSFtoaccommodatemultiplecontrolbaselines.However,unlikeNIST,HITRUSTassignscontrolsusingthreeriskfactors:organizational(e.g.,holdsfewerthan60milliontotalrecords),systemrequirements(e.g.,thesystemstoresePHI,isaccessiblefromtheInternet,andprocess-


vHT-301-01


Figure 6

esfewerthan6,750transactionsperday),andregulatoryrequirements(e.g.,subjecttoFTCRedFlagsRuleandPCI-DSScompliance).Theresultisasemi-custom,industry-specificinformationsecuritycontrolbaseline,i.e.asetofcontrolsthatispartiallytailoredtoanorganization’sclinical,businessandcompliancerequirements,asshownbelow.

Thecapabilitytotailorcontrolstoaspecificorganization’sneedsisavailableinMyCSF.TrainingontheCSFandtheMyCSFassessmentsupporttoolisprovidedtoanyoneseekingtheHITRUSTCertifiedCSFPractitioner(CCSFP)credential.

Step 3 - Implement and Manage ControlsHITRUSTtrainsthird-partyconsultingandassessmentfirmsintheCSFandCSFAssuranceProgrammethodologiesandtoolssothattheymayofferCSFimplementationsupporttohealthcareproviderorga-nizationsthatlackthecapabilitytoimplementandassessinformationsecurityandprivacycontrols,asrecommendedbyHHS.

HITRUSTalsorecommendsthedevelopmentofaninformationsecurityandprivacyriskmanagementarchitectureinwhichstrategicplanningandinformationsecurityarchitecture,policiesandstandardsformthefoundationforspecificcustomer-facinginformationsecurityandprivacyservices,whichshouldbedocumentedinsecurityandprivacyservicecataloguesconsistentwithrecommendationsintheInforma-tionTechnologyInfrastructureLibrary(ITIL).Examplesofthesecustomer-facingservicesincludesecurityoperations,incidentmanagementandinvestigations,businesscontinuityanddisasterrecovery,identity


vHT-301-01


andaccessmanagement,andeducation,trainingandawareness.CSFcontrolsandavailableresourcescanthenbemappedtoeachservice.Theresultistheabilitytodevelopoperationalandcapitalprojectplansfordefinedsecurityservicesbasedondeficienciesforspecificcontrolrequirementsidentifiedviariskassessmentaswellascontinuousmonitoringactivitiessuchasvulnerabilityassessment,penetrationtesting,controlmaturityassessmentsandincidentrootcauseanalysis.

Step 4 - Assess and ReportTheHITRUSTCSFAssuranceProgramprovidessimplifiedandconsistentcomplianceassessmentandreport-ingagainsttheCSFandtheauthoritativesourcesitincorporates.Thisrisk-basedapproach,whichisgovernedandmanagedbyHITRUST,isdesignedfortheuniqueregulatoryrequirementsandbusinessneedsthatprovideorganizationswithaneffective,standardizedandstreamlinedassessmentprocesstomanagecompli-ance.Thissolutionoffersamoreeffectiveprocessthanthatusedbyotherassessmentapproachesandtoolkits,whichsupportonlylimitedrequirementsandcheckboxapproachestoassessmentandreporting.

AnintegralcomponentoftheCSFAssuranceProgramistheHITRUSTriskassessmentmethodology,whichisbuiltaroundtheconceptofresidualrisk,i.e.,theriskthatisleftafterthecontrols,whichareintendedtomitigaterisktoaleveldeemedacceptablebytheorganization,havebeenfullyimplemented.Thus,excessiveresidualriskoccurswhenoneormorecontrolsarenotfullyimplemented,anditisthisrisktheorganizationmuststrivetominimizeinitsday-to-dayoperations.

Sinceexcessiveresidualriskmaybeestimatedbytheriskofacontrolfailure,wemustestimatethelikelihoodthecontrolwillfailaswellastheimpacttotheorganizationwhenafailureoccurs.Somepuristsmightarguethatonlyquantitativeassessmentsprovidevalue;however,inreality,decisionsareoftenmadewithincompleteinformation.Thereasonsaremanyandvaried.Forexample,theremaybealimitedamountoftimeinwhichtomakeadecision,ortheinformationsimplyisnotavailable.Inmanycases,expertjudgmentisappliedsuchaswhenauditorsscopeworkormakejudgmentsabouttheeffectivenessoffinancialcontrols.(Decisionmakingunderconditionsofuncertaintyisacentralfocusofthebodyofknowledgeknownas‘decisiontheory.’)

Thelevelofprecisiononeneedstomakeadecisionmayalsodependonthetypeofproblemorquestionbeingaddressed.Forexample,triageinanemergencyroomfollowinganaturaldisasterrequiresagenerallevelofinformation.Isthepatientbreathingorbleeding?Istheinjurylifethreatening?Medicaldiagnoses,ontheotherhand,generallyrequireamuchmoregranularlevelofinformationtodetermineifthepatientissufferingfromoneparticulardiseaseoranotherwithsimilarsymptoms.However,noneofthedecisionsdescribedaremadewithoutsomesortofframeworkormethodologytosupportthedecision-makingprocess.

HITRUSTleveragestheNISTPRISMAmethodology,whichincorporatestheconceptofcapabilitymaturitytodeterminelikelihoodofacontrolfailurebutexpressesthelevelsinawaythat,whileroughlyequivalentwiththeirCapabilityMaturityModel-Integrated(CMMI)counterparts,ismuchmoreintuitivefortheevaluationofinformationsecurity,asopposedtothetraditionallanguageusedaroundprocessmaturity.HITRUSTalsoleveragesthePRISMAquasi-quantitativescoringmodeltofacilitatetheassessmentprocessandprovideastandardizedestimateofthematurity(effectiveness)ofacontrol’simplementation.

Theotherpartoftheriskequation—theimpactofaspecificcontrolfailure—isoftenhardertoassessthantheefficacyofthecontrolimplementation,especiallyinthecontextoftheentirecontrolenvironment.Onewaytomakethismoretractableistomapcontrol-levelimpactsfrom,andthrough,establishedinformationsecurity


vHT-301-01


controlframeworkstoprovideanon-contextualestimateoftherelativeimpactofonecontrolfailurewithrespecttoanother.HITRUSTleveragedworkdonebytheDoDtoassignnon-contextualimpactvaluestoindividualcontrolscontainedinDoDInstruction8500.2.BymappingthroughtheNIST800-53controlstotheISO27001informationsecuritycontrolclauses,estimatesoftherelativeimpactforthefailureofeachcontrolwereobtained.Thisprovidesacommonpointofreferencefororganizationstouseinacontextualanalysis,e.g.,onethatmightbeperformedonasmallersub-setofcontrolsfounddeficientinanaudit,whichisarguablymoretractablethantryingtodeterminetheimpactofallthecontrolsimplementedintheenvironmentatthesametime.HITRUSTbelievesthisapproachisjustifiedasitwasusedextensivelybytheDoDinitsinformationsystemsecuritycertificationandaccreditationmethodology,whendevelopingaresidualriskanalysisafterasecuritytestandevaluation.

Onceestimatesareobtainedforimpactandlikelihood,thecomputationofestimatedresidualriskisrela-tivelystraightforward.However,ratherthanrepresentriskintermsof“heatmaps,”itispossibletopresentrisktoexecutivemanagementinamoreintuitiveway.BymakingadjustmentstothePRISMAscoringmodelandnormalizingtheriskcomputationsonascaleofzeroto100,excessiveresidualriskmayberepresentedasacademic-stylegrades.Inthismodel,anythingbelow60wouldbeafailinggrade(an‘F’)andpresentasevererisk.Similarly,scoresfrom60to70wouldrepresentahighrisk(a‘D’),from70to80amediumrisk(a‘C’),from80to90alowrisk(a‘B’),andfrom90to100asaminimalrisk(an‘A’).(Inthismodel,ascoreof75wouldmostlikelyindicatetheorganizationhadpoliciesandproceduresinplaceandthecontrolwasfullyimplemented.)HITRUSTessentiallyinterpretsa‘C”astheminimumacceptable‘passinggrade’forthepurposedofcertification.Bettergrades,i.e.,betterassurancesacontroliseffectiveandwillcontinuetobeeffective,areprovidedthroughcontinuousmonitoringofthecontrol,i.e.,keepingtrackofhowwellthecontrolisperformingandaddressinganydeficienciesastheyarise.

Althoughnotatruequantitativeestimateoftherisk,thescoresprovidesufficientinformationinaveryintuitivewayfororganizationstomakedecisionsundernormalconditionsofuncertaintyabouttherelativecontrol-relatedrisksthesescoresrepresent.

Agraphicalrepresentationofthecontrolobjectivesandthecontrolcategoriestheysupport(suchastheonethatfollowsinfigure7)canbeprovidedforspecificsystemsand/orbusinessunitswithinanorganization.vInthecaseofahealthcareentity,thiscouldbeanelectronichealthrecordsystem,organizationssuchassinglehospitalswithinahealthsystem,orcommondepartmentswithinhealthsystemssuchasemergencyroomsorpharmacies.Thesescorescanalsobeusedforinternalandindustry-levelbenchmarking.

HITRUSTCSFassessmentsarenowsupportedbyafullyintegrated,optimized,anduser-friendlytoolwhichmarriesthecontentandmethodologiesoftheCSFandCSFAssuranceProgramwiththetech-nologyandcapabilitiesofagovernance,riskandcompliance(GRC)tool.MyCSFprovideshealthcareorganizationsofalltypesandsizeswithasecure,Web-basedsolutionforaccessingtheCSF,performingassessments,managingremediationactivities,andreportingandtrackingcompliance.MyCSFisalsomanagedandsupportedbyHITRUST,providingorganizationswithup-to-datecontent,accurateandcon-sistentscoring,reportsvalidatedbyHITRUSTandbenchmarkingdataavailablenowhereelsewithintheindustry,thusgoingfarbeyondwhatatraditionalGRCtoolprovides.


vHT-301-01


Figure 7

TheCSFAssuranceProgramenablestrustinhealthinformationprotectionthroughanefficientandman-ageableapproachbyidentifyingincrementalstepsforanorganizationtotakeonthepathtobecomingHITRUSTCSFValidatedorCSFCertified.

ThecomprehensivenessofthesecurityrequirementsspecifiedforanassessedentityisbasedonthemultiplelevelswithintheHITRUSTCSF,whicharedeterminedbyitsriskfactors.Thelevelofassurancefortheoverallassessmentoftheentityisbasedonmultipletiersorlevelsofassessment,fromReadinessAssessmentquestionnairestoon-siteanalysis/testingperformedbyanindependentExternalAssessor.Theresultsoftheassessmentaredocumentedinastandardreportwithacompliancescorecardandremediationactivitiestrackedinacorrectiveactionplan(CAP).OncevettedbyHITRUSTandperformedforalllevelsofassurance,theassessedentitycanusetheassessmentresultstoreporttoexternalpartiesinlieuofexistingsecurityrequirementsandprocesses,savingtimeandminimizingcosts.

Thefollowingdiagramoutlinestherelationshipbetweenthecomprehensivenessofanassessmentanditslevelofassuranceprovidedbytheassessmentfororganizationsofvaryingcomplexitybasedontheriskofthethird-partyrelationshipasdeterminedbytherelyingorganization:AHITRUSTCSFassessmentallowsanorganizationtocommunicatetorelyingentitiesitscompliancewiththeCSFand,optionally,withotherrequirementssuchasHIPAA.HITRUSTreviewstheassessmentresultsandCAPstoprovideaddedassurancetothoseexternalentitiesrelyingontheassessedentity’sresults.AndtheHITRUSTCSFAssuranceProgrameffectivelyestablishestrustininformationprotectionthroughanachievableassessmentandreportingpathfororganizationsofallsizes,complexitiesandrisks.


vHT-301-01


Figure 8

SummaryHITRUSTintegratedmultipleinternational,federal,industryframeworksandbestpracticestandardsandframeworks,adaptedthemtothehealthcareenvironment,andprovidedanindustrystandardofduediligenceandduecarethatcanbetailoredtoanindividualorganizationbaseduponitsspecificbusi-nessrequirements.TheHITRUSTCSFandCSFAssuranceProgramprovideorganizationswithasingleapproachtoassessmentandreportingagainstthesemultiplerequirements,andbothareupdatedatleastannuallytoaccountforchangesinlegislation,regulation,standards,guidanceandbestpractices,suchaswiththereleaseoftheNISTSP800-53revision4,theNISTCybersecurityFramework.Further,allchangestotheHITRUSTCSFareprovidedtotheindustryforreviewandcommenttoensureanopenandtransparentframeworkthatisfreelyavailabletoqualifiedorganizationsthatwishtouseit.

ConclusionTheonlythingconstantaboutinformationsecurityandprivacyinischange.Newregulations,standards,guidanceandtoolscontinuetocomplicatethelandscape,andorganizationsarelefttodeterminehowbesttoachievecomplianceandprovidean‘adequate’levelofprotection.

Healthcareorganizationsoftendonothavetheskilledpersonnelorresourcestodevelopacustomsetof‘reasonableandappropriate’safeguardsandchoosetoadoptandadaptexternalinformationsecuritycontrolandriskmanagementframeworks.Buteventhiscanbedifficultformanyorganizationstodo.So,ratherthanindependentlyperformingtheworkofintegratingmultipleinternational,federalandindustryframeworksandbestpracticestandardsandthenadaptingthemtotheirspecificorganization,HITRUSTwasformedtoperformthisworkonbehalfoftheindustryandestablishastandardofduediligenceandduecarethatcanbetailoredtoanindividualorganizationbasedupontheirspecificbusinessrequire-ments—theHITRUSTCSF.

TheHITRUSTCSFAssuranceProgramalsoprovidesorganizationsasingleapproachtoassessmentandreportingagainstthesemultiplerequirements,andboththeCSFandCSFAssuranceProgramareupdatedatleastannuallytoaccountforchangesinlegislation,regulation,standards,guidanceandbestpractices,


vHT-301-01


suchaswiththe2014releaseoftheNISTCybersecurityFramework.Further,allchangestotheCSFareprovidedtotheindustryforreviewandcomment,ensuringtransparencyandopenness.AndHITRUSTprovidestheCSFfreetoqualifiedhealthcareorganizationsthatwishtoimplementtheframework.

GiventhattheCSFisanintegrated,harmonized,healthcarecentric,transparent,prescriptive,tailorable,scalableandcertifiableframeworkthatprovidesacommonmechanismforthesharingofriskinformation,whyhasn’titbeenadoptedby100percentofhealthcareorganizations?Unfortunately,manyorganizationshavenotyetcome-to-termswiththelevelofduediligenceandduecarerequiredtosafeguardePHIandmeetregulatorycompliancerequirements.

Forexample,theNISTHSRtoolkitappealstosomeorganizationsbecauseitprovidesa“check-the-box”approachtoaddressingspecificsafeguards;however,theyoftenfailtodigdeeperintothereferencestodeterminewhatisactually“in-the-box”theyarechecking.Theymaystopwiththeresultsofthiscontrolgapanalysisandfailtofullyevaluatethelikelihoodandimpactcomponentsnecessarytocompletetheriskanalysis.OtherorganizationsmaygoevenfurtherandrelyontheOCRAuditProtocoltosatisfytheirHIPAAriskanalysisrequirementswithoutrealizingtheprotocolisincomplete;itdoesn’taddresseveryimplementationspecificationintheSecurityRuleanddoesnotintegratewellwiththeNISTHSRToolkitortheNISTRMF.Thefocusison“passing”anauditratherthanonthespiritandintentoftheircompliancerequirements.TheHITRUSTCSFontheotherhand,istightlyintegratedwiththeCSFAssuranceProgramand MyCSF.

Fortunately,mostoftheindustryunderstandstheneedtoprovide‘reasonableandappropriate’safeguardsandsatisfytheirregulatoryobligationtoprovide‘adequate’protection,whichiswhytheHITRUSTCSFisdemonstrablythedefactostandardinthehealthcareindustry.The2018HealthcareInformationandManagementSystemsSociety(HIMSS)CybersecuritySurveyindicatestheHITRUSTCSFistheleadinginformationsecuritycontrolframeworkinhealthcare,andtheNIST Interagency Report on the Status of International Cybersecurity Standardization for the Internet of Things (IoT)recognizestheHITRUSTCSFasanindustry-ledsecuritystandardthataddressesmultipleareasofconcernwiththeuseofIoTdevices.TheGovernmentAccountabilityOffice(GAO)Report to Congressional Committees on Critical Infrastruc-ture ProtectionalsocitestheHITRUSTCSFasameansofdemonstratingcompliancewiththeNISTCybersecurityFrameworkintheHPHsector,asdemonstratedintheHealthcare Sector Cybersecurity Implementation Guide—adocumentproducedundertheauspicesoftheCriticalInfrastructureProtectionAdvisoryCouncil(CIPAC).

ForthosethathavenotyetfullyadoptedtheHITRUSTCSF,manyareleftwiththetaskofchoosing,adapt-ingandimplementinganexistinginformationsecuritycontrolframework.EventhosethathavedecidedtofullyadopttheCSFcansometimesstrugglewithitsimplementation.ThisiswhyHITRUSTcontinuestodevelopandpublishguidanceandtoolsliketheCSFassessmentmethodologyandMyCSFaspartofanoverallriskmanagementframeworktohelporganizationsimplementandmanage‘reasonableandappro-priate’safeguardsthatdemonstratethelevelofduecareandduediligencerequiredtoensure‘adequate’protectionofthesensitiveinformationwithwhichtheyareentrusted.

So,whenHITRUSTisaskedhownewregulations,standards,guidanceandtoolsaffectthevalueoftheCSFandCSF-relatedtools,theanswerissimple.TheCSF,CSFAssuranceProgramandrelatedmethod-ologiesandtoolsthatmakeuptheHITRUSTRMFareneededmorenowthaneverbefore.


vHT-301-01


About HITRUSTFoundedin2007,HITRUSTAllianceisanot-for-profitorganizationwhosemissionistochampionpro-gramsthatsafeguardsensitiveinformationandmanageinformationriskfororganizationsacrossallindus-triesandthroughoutthethird-partysupplychain.Incollaborationwithprivacy,informationsecurityandriskmanagementleadersfromboththepublicandprivatesectors,HITRUSTdevelops,maintainsandpro-videsbroadaccesstoitswidelyadoptedcommonriskandcompliancemanagementandde-identificationframeworks;relatedassessmentandassurancemethodologies;andinitiativesadvancingcybersharing,analysisandresilience.

HITRUSTactivelyparticipatesinmanyeffortsingovernmentadvocacy,communitybuildingandcyberse-curityeducation.

HITRUSTisledbyaseasonedmanagementteamandgovernedbyaBoardofDirectorsmadeupoflead-ersfromacrossthehealthcareindustryanditssupporters.Theseleadersrepresentthegovernanceoftheorganization,butotherfoundersalsocomprisetheleadershiptoensuretheframeworkmeetstheshort-andlong-termneedsoftheentireindustry.

Formoreinformation,visitwww.HITRUSTalliance.net.

MyCSFMyCSFmakesiteasierandmorecost-effectiveforanorganizationtomanageinformationriskandmeetinternational,federalandstateregulationsconcerningprivacyandsecurity.TheMyCSFtoolprovidesglobalorganizationsofallsizeswithapurposefullydesigned,andengineeredSaaSsolutionforperformingriskassessments,correctiveactionplanmanagement,enhancedbenchmarkinganddashboards,andinte-grationwithmajorGRCplatformsandtheHITRUSTAssessmentXChange®.MyCSFisasolutionthatwillsupportanorganization’sevolvingassessmentneedsthatalignwithmanagingriskinthechangingcyberthreat,informationriskandglobalregulatorylandscape. Formoreinformation,visitwww.hitrustalliance.net/MyCSF.

http://www.HITRUSTalliance.net

http://www.hitrustalliance.net/MyCSF


vHT-301-01


855.HITRUST

(855.448.7878)

www.HITRUSTAlliance.net

© 2019 HITRUST All rights reserved. Any commercial uses or creations of derivative works are prohibited. No part of this publication may be reproduced or utilized other than

being shared as is in full, in any form or by any means, electronical or mechanical, without HITRUST’s prior written permission.

http://www.HITRUSTalliance.net

Documents

Risk Management Frameworks - HITRUST...Risk Management Frameworks How HITRUST provides an efficient and effective approach to the selection, implementation, assessment and reporting