HITRUST CSF v7 Developments & Features Today’s Presenters: 2 CSF Version 7- Developments and Features Kenneth P. Mortensen Senior Managing Director Cybersecurity and Privacy PricewaterhouseCoopers LLP Michael Parisi Director Third Party Risk Assurance PricewaterhouseCoopers LLP HITRUST Developments Caroline Budde Chief Privacy Officer Walgreens Michael Frederick SVP Assurance HITRUST February 2015 CSF Version 7 and MyCSF: Updates 3 I. Introduction II. Value i. Caroline Budde-Chief Privacy Officer, Walgreens III. Differences i. Category 13-Privacy ii. SOC 2 Parallels IV. Process i. Incorporating Category 13 into scoping, the CPO process HITRUST Developments February 2015 About HITRUST 4 Created in Sep 2007, the Health Information Trust Alliance exists to ensure information protection becomes a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. • Best known for: – Common Security Framework – in 7th major release – Annual health information breach and loss analysis report • Adoption of CSF – 76% of hospitals1 (most widely adopted) and 78% of health plans2 (most widely adopted) • Adoption of CSF Assurance – Over 19,000 CSF assessments in last three years – Most widely utilized approach by healthcare organizations and for 3rd party risk assessments – Supports State of Texas Privacy and Security Certification HITRUST Developments February 2015 5 Programs - CSF • • • • • Practical and efficient approach to manage risk Scalable, prescriptive and certifiable HITRUST maintains, supports and ensures the relevancy and applicability Released v7 in 2015 Now includes more than 15 authoritative sources including federal and state regulations, globally recognized standards, and industry best practices COBIT . ISO 27001/2 HIPAA Omnibus Final Rule Texas Health & Safety Meaningful Code Use FTC Red Flags PCI NIST HITRUST Developments February 2015 6 About the HITRUST CSF 14 Control Categories • Based on ISO27001 & 27002 • 20 Authoritative Sources • Cross-Referenced - De-Duplicated 45 Objective Names • Statement of desired result or purpose of what is to be achieved – Example: 01.03 User Responsibilities: To prevent unauthorized user access, and compromise or theft of information and information assets. 149 Control Specifications • The policies, procedures, guidelines, practices • Maybe Organizational Questions: – • Example: 01.f Password Use: Password management policies shall be developed and adopted and communicated to all users to address the need .. Maybe System Questions – Example: 01.k Equipment Identification in Network: Automatic equipment identification shall be used........ HITRUST Developments February 2015 7 About the HITRUST CSF • The current authoritative sources include: • Information Management NIST SP800-53 R4 • 201 CMR 17.00 (State of Massachusetts Data Protection Act) • NRS 603A (State of Nevada - Security of Personal Information) • CAQH CORE • PCI DSS v3.0 • CMS Information Security ARS--Appendix A Minimum Security Requirements for Moderate Impact Data • 16 CFR Part • COBIT • HITECH Act, Subtitle D • CSA Cloud Controls Matrix v1 • Guidance to Render PHI Unusable, Unreadable, or Indecipherable • HIPAA (Security Rule & Privacy Rule) • ISO/IEC 27001-2013 • ISO/IEC 27002-2013 • §681 (Identity Theft Red Flags) • TX Gen. Laws §181 (TX HB 300) • MARS-E • IRS Pub 1075 • ISO 27799-2008 • JCAHO HITRUST Developments February 2015 8 Programs – CSF Assurance • • • • • • Risk-based methodology Simplified information collection and reporting Consistent testing procedures and scoring Creates efficiencies and contains costs Supported by leading professional services firms such as PwC, Deloitte & Touche, AT&T, Verizon, Ernst & Young, Booz Allan Hamilton Offers varying assurance levels – from self to utilizing 3rd parties Healthcare Organization Healthcare Organization Healthcare Organization HITRUST Developments Analyze Results and Mitigate HITRUST CSF Assurance Program Business Associate Assess and Report Status with Corrective Actions Business Associate Business Associate February 2015 MyCSF 9 A fully-featured, user-friendly, integrated and managed tool that streamlines the entire information compliance and risk management process, from policy, assessment and remediation to incident and exception management. HITRUST Developments February 2015 10 Programs – HITRUST Academy • • Educates security professionals from all industry segments about information protection in the healthcare industry and the utilization of the HITRUST CSF to manage risk Those who pass the exit exam obtain the Certified CSF Practitioner (CCSFP) credential HITRUST Developments February 2015 The Addition of Privacy Controls to CSF Framework Caroline Budde, Chief Privacy Officer- Walgreens The addition of the Privacy Controls Category allows HITRUST certified entities to feel more confident in their program’s compliance status. • The CSF applies to all “Covered Information,” regardless of form – Allows the organization to break up into auditable units, operating independently and distinctly • Controls apply to all systems, regardless of classification – Fits all healthcare organizations, irrespective of size or complexity » Applies the Information Security Management System (ISMS) from ISO 27001 HITRUST Developments February 2015 11 Control Category 13- Privacy 12 Comprised of Three Control Objectives: • 01- Openness and Transparency • 02- Individual Choice and Participation • 03- Correction and 14 Control References • -which are broken into three-phases for implementation simplicity • -and each phase is mapped to the relevant statutory standard, including specific ties for Texas entities HITRUST Developments February 2015 Control References 13 a. Notice of Privacy Practices h. Correction of Records b. Rights to Protection and Confidentiality i. Required Uses and Disclosures j. Permitted Uses and Disclosures c. Authorization Required d. Opportunity Required e. Authorization or Opportunity Not Required k. Prohibited or Restricted Uses and Disclosures l. Minimum Necessary Use m. Confidential Communications f. Access to Individual Information n. Organizational Requirements g. Accounting of Disclosures HITRUST Developments February 2015 Features of HITRUST’s Controls 14 Risk Factor: Listing of organizational, system, and regulatory factors that drive requirements for a higher level of control Implementation Requirement: Detailed information to support the implementation of the control and meeting the control objective Control Assessment Guidance: Includes examination of documentation, interviewing of personnel, and testing of technical implementation Standard Mapping: Mapped to each statutory provision Regulatory Factors: Based on the compliance requirements applicable to an organization and its systems System Factors: Various system attributes that would increase the likelihood or impact of a vulnerability being exploited HITRUST Developments February 2015 SOC 2 Parallels 15 With the inclusion of Control Category 13, the HITRUST certification should meet the stringent criteria of the SOC 2 Audit. These principles include: Ø Security: Employs both physical and logical controls. Ø Availability: The system is available for operation and use as committed or agreed. Ø Processing Integrity: System processing is complete, accurate, timely and authorized. Ø Confidentiality: Information designated as confidential is protected as committed or agreed. Ø Privacy: Personal information is collected, used, retained, disclosed and disposed of in conformity with the commitments in the entity’s privacy notice, and with criteria set forth in AICPA’s GAPP. HITRUST Developments February 2015 Thank You! 16 Kenneth P. Mortensen Senior Managing Director Cybersecurity and Privacy PricewaterhouseCoopers LLP kenneth.p.mortensen@us.pwc.com Caroline Budde Chief Privacy Officer Walgreens Michael Parisi Director Third Party Risk Assurance PricewaterhouseCoopers LLP michael.p.parisi@us.pwc.com Michael Frederick SVP Assurance HITRUST michael.frederick@hitrustalliance.net This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. © 2015 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers LLP which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity. HITRUST Developments February 2015
© Copyright 2024