Is your organization a HITRUST org?

I’m speaking of the HITRUST CSF, Computer Security Framework.

There are many reasons for adopting a complete framework such as the HITRUST CSF, especially if you are in healthcare. According to a recent FortiGuard Labs Report, healthcare is experiencing attacks at twice the rate of other business sectors. Why is this? We start with hospitals, clinics and add internet-based consulting and remote healthcare providers using the latest cloud implementations.  Then add mergers and acquisitions and IoMT (Internet of Medical Things) and you see why very fast.

Another reason is that credit card theft is not very profitable anymore, the latest credit card chip technology has significantly reduced card copy fraud, now cyber criminals find it much easier and profitable to apply for a new credit card in your name and while they are at it they steal your health plan and your complete identity. Healthcare’s overall size and thus attack surface is second only to the US government and the healthcare sector’s IT spending reached 100 billion in 2017.

All of this means more focus on regulatory compliance for healthcare—which also includes a multitude of vendors and business associates to manage risk for and meet or better yet exceed the Health & Human Services (HHS) compliance demands. You can transfer business operations to cloud vendors and business associates but, in the end, you can’t transfer liability. Now add the fact the healthcare also processes payments so Payment Card Data Security Standard (PCI DSS) is in scope.

What does HITRUST CSF framework look like and how does it work?

First, a healthcare organization can use this unified compliance framework to achieve HIPAA, CMS, ISO, NIST and PCI all in a single framework that harmonizes the combined frameworks and standards for efficiency and effectiveness.

HITRUST CSF Version 9.1 has the following control categories:

• Information security management program
• Access control
• Human resources security
• Risk management
• Security policy
• Organization of information security
• Compliance
• Asset management
• Physical and environmental security
• Communications and operations management
• Information systems acquisition, development and maintenance
• Information security incident management
• Business continuity management

[Source: HITRUSTAlliance.net]

Each control category contains the following:

• Control reference: A control ID.
• Control objective: A statement of a given result to be achieved by implementing the control.

Each control contains the following:

• Control specification: The policies, procedures, or organizational structures.
• Risk factor: Listing of regulatory, organizational, and system, factors that drive requirements.
• Implementation requirement: The information to support the implementation of the control / control objective. There are up to three levels of requirements defined based on the relevant organizational or system scope.
• Control assessment guidance: Guidance in performing an assessment.

[Source: HITRUSTAlliance.net]

The HITRUST CSF manages risk by looking at regulatory, organizational and systems factors.

Regulatory…abbreviated list

• Subject to PCI compliance
• Subject to CMS minimum security requirements
• Subject to MARS-E requirements
• Subject to FFIEC IT examination requirements for information security

Organizational…abbreviated list

• Business volume
• Service provider
• Geographic scope

System…abbreviated list

• Stores, processes, or transmits PHI
• Accessible from the Internet
• Accessible by a third party
• Number of interfaces to other systems
• Number of users
• Number of transactions per day

[Source: HITRUSTAlliance.net]

Putting it all together, HITRUST CSF is a compliance and risk management framework.

By considering regulatory, organizational and systems, we now add implementation levels to tie it all together.

Implementation levels

Multiple levels of Implementation Requirements may be defined depending on an organization’s environment and risks. HITRUST CSF is a Risk and Compliance framework

• Level 1: The set of minimum-security controls defined for an information system.
• Level 2: Any additional, but related, functionality to a Level 1 control, and/or increase in the strength of a Level 1 control.
• Level 3: Any additional, but related, functionality to a level 2 control, and/or increase in the strength of a Level 2 control.

In other words, Level 1 is basic, level 2 includes level 1 with additional requirements, Level 3 includes level 2 plus additional requirements.

This concept was adapted from the NIST SP-800 Series security standards which prescribes a range of control risk as low-, medium-, and high-impact systems.

Level 1 is the minimum set of security requirements for all systems and organizations regardless of size, sophistication, or complexity. It’s just a starting point, no organization should ever aim for a minimum standard. Start here and custom tailor for your organizations risk appetite and regulatory frameworks.

Level 2 and Level 3 are required only for organizations and systems of increased risk and complexity as determined by the associated organization, system and regulatory factors (see details in previous section).

The implementation levels are built upon three risk factors:

1. Organizational factors (e.g. Business volume, Type and size)
2. System factors (e.g. Number of users, Access by third party)
3. Regulatory factors (e.g. Meaningful use /HIPAA )

Identifying these factors may drive higher implementation levels.

Level 1 is a baseline control agreed by the industry. The objective of Level 1 is to meet the HIPAA Security Rule requirements (required & addressable)

Each additional level encompasses the lower levels and includes additional requirements to mitigate the higher risk.

To sum things up, The HITRUST CSF is a compliance and risk management framework that harmonizes existing controls and requirements from standards, regulations, business and third party requirements applicable to healthcare.

Remember that HIPAA, while not as prescriptive HITRUST CSF is, it’s also a compliance and risk management framework.

An example of the risk component: In determining risk, you can see that if your org falls into Organizational as being multistate, in Regulatory you are an org that falls under CMS, PCI DSS and MARS-E and that in Systems your org stores, processes, or transmits PHI; are accessible from the internet; are accessible by a third party; exchange data with a third party/business partner; are publicly accessible; where mobile devices are used; and connect with or exchanges data with a Health Information Exchange (HIE). Your RISK is much higher than an organization that does not fall under all these requirements.

Healthcare organizations are the second largest business sector and are attacked at twice the rate of any other sector, yet healthcare has more to gain by staying ahead of regulatory compliance and is responsible for safeguarding not only data but more importantly human life.

A recent article in the HIPAA Journal reported that a researcher at Vanderbilt University conducted a study that suggests mortality rates at hospitals increase following a data breach as a result of a drop in the standard of care. The researcher estimated healthcare data breaches may cause as many as 2,100 deaths a year in the United States.

Therefore, we in healthcare governance, risk and compliance must set the highest cyber risk standards of any industry because we are protecting so much more than financial data and patient privacy. We are protecting human life!