HITRUST CSF v7

HITRUST CSF v7
Developments & Features
Today’s Presenters:
2
CSF Version 7- Developments and Features
Kenneth P. Mortensen
Senior Managing Director
Cybersecurity and Privacy
PricewaterhouseCoopers LLP
Michael Parisi
Director
Third Party Risk Assurance
PricewaterhouseCoopers LLP
HITRUST Developments
Caroline Budde
Chief Privacy Officer
Walgreens
Michael Frederick
SVP Assurance
HITRUST
February 2015
CSF Version 7 and MyCSF: Updates
3
I.   Introduction
II.   Value
i.  
Caroline Budde-Chief Privacy Officer, Walgreens
III.   Differences
i.  
Category 13-Privacy
ii.  
SOC 2 Parallels
IV.   Process
i.  
Incorporating Category 13 into scoping, the CPO process
HITRUST Developments
February 2015
About HITRUST
4
Created in Sep 2007, the Health Information Trust Alliance exists to ensure
information protection becomes a core pillar of, rather than an obstacle to, the
broad adoption of health information systems and exchanges.
•   Best known for:
–   Common Security Framework – in 7th major release
–   Annual health information breach and loss analysis report
•   Adoption of CSF
–   76% of hospitals1 (most widely adopted) and 78% of health plans2 (most
widely adopted)
•   Adoption of CSF Assurance
–   Over 19,000 CSF assessments in last three years
–   Most widely utilized approach by healthcare organizations and for 3rd
party risk assessments
–   Supports State of Texas Privacy and Security Certification
HITRUST Developments
February 2015
5
Programs - CSF
•  
•  
•  
•  
•  
Practical and efficient approach to manage risk
Scalable, prescriptive and certifiable
HITRUST maintains, supports and ensures the relevancy and applicability
Released v7 in 2015
Now includes more than 15 authoritative sources including federal and state
regulations, globally recognized standards, and industry best practices
COBIT
.
ISO 27001/2
HIPAA
Omnibus Final
Rule
Texas Health
& Safety
Meaningful
Code
Use
FTC
Red
Flags
PCI
NIST
HITRUST Developments
February 2015
6
About the HITRUST CSF
14 Control Categories
• 
Based on ISO27001 & 27002
• 
20 Authoritative Sources
• 
Cross-Referenced - De-Duplicated
45 Objective Names
• 
Statement of desired result or purpose of what is to be achieved
– 
Example: 01.03 User Responsibilities: To prevent unauthorized user access, and compromise or theft of
information and information assets.
149 Control Specifications
• 
The policies, procedures, guidelines, practices
• 
Maybe Organizational Questions:
– 
• 
Example: 01.f Password Use: Password management policies shall be developed and adopted and
communicated to all users to address the need ..
Maybe System Questions
– 
Example: 01.k Equipment Identification in Network: Automatic equipment identification shall be used........
HITRUST Developments
February 2015
7
About the HITRUST CSF
•  The current authoritative sources include:
•  Information Management NIST SP800-53 R4
•  201 CMR 17.00 (State of Massachusetts Data
Protection Act)
•  NRS 603A (State of Nevada - Security of
Personal Information)
•  CAQH CORE
•  PCI DSS v3.0
•  CMS Information Security ARS--Appendix A
Minimum Security Requirements for Moderate
Impact Data
•  16 CFR Part
•  COBIT
•  HITECH Act, Subtitle D
•  CSA Cloud Controls Matrix v1
•  Guidance to Render PHI Unusable, Unreadable,
or Indecipherable
•  HIPAA (Security Rule & Privacy Rule)
•  ISO/IEC 27001-2013
•  ISO/IEC 27002-2013
•  §681 (Identity Theft Red Flags)
•  TX Gen. Laws §181 (TX HB 300)
•  MARS-E
•  IRS Pub 1075
•  ISO 27799-2008
•  JCAHO
HITRUST Developments
February 2015
8
Programs – CSF Assurance
•  
•  
•  
•  
•  
•  
Risk-based methodology
Simplified information collection and reporting
Consistent testing procedures and scoring
Creates efficiencies and contains costs
Supported by leading professional services firms such as PwC, Deloitte & Touche,
AT&T, Verizon, Ernst & Young, Booz Allan Hamilton
Offers varying assurance levels – from self to utilizing 3rd parties
Healthcare
Organization
Healthcare
Organization
Healthcare
Organization
HITRUST Developments
Analyze Results
and Mitigate
HITRUST
CSF Assurance
Program
Business
Associate
Assess and
Report Status
with Corrective
Actions
Business
Associate
Business
Associate
February 2015
MyCSF
9
A fully-featured, user-friendly, integrated and managed tool that
streamlines the entire information compliance and risk management
process, from policy, assessment and remediation to incident and
exception management.
HITRUST Developments
February 2015
10
Programs – HITRUST Academy
•  
•  
Educates security professionals from all industry segments about information
protection in the healthcare industry and the utilization of the HITRUST CSF to
manage risk
Those who pass the exit exam obtain the Certified CSF Practitioner (CCSFP)
credential
HITRUST Developments
February 2015
The Addition of Privacy Controls to CSF Framework
Caroline Budde, Chief Privacy Officer- Walgreens
The addition of the Privacy Controls Category allows
HITRUST certified entities to feel more confident in their
program’s compliance status.
•   The CSF applies to all “Covered Information,”
regardless of form
–   Allows the organization to break up into auditable units, operating
independently and distinctly
•   Controls apply to all systems, regardless of classification
–   Fits all healthcare organizations, irrespective of size or
complexity
»   Applies the Information Security Management System (ISMS) from ISO 27001
HITRUST Developments
February 2015
11
Control Category 13- Privacy
12
Comprised of Three Control Objectives:
•   01- Openness and Transparency
•   02- Individual Choice and Participation
•   03- Correction
and 14 Control References
•   -which are broken into three-phases for implementation simplicity
•   -and each phase is mapped to the relevant statutory standard,
including specific ties for Texas entities
HITRUST Developments
February 2015
Control References
13
a.   Notice of Privacy Practices
h.   Correction of Records
b.   Rights to Protection and
Confidentiality
i.   Required Uses and Disclosures
j.   Permitted Uses and Disclosures
c.   Authorization Required
d.   Opportunity Required
e.   Authorization or Opportunity
Not Required
k.   Prohibited or Restricted Uses
and Disclosures
l.   Minimum Necessary Use
m.  Confidential Communications
f.   Access to Individual Information
n.   Organizational Requirements
g.   Accounting of Disclosures
HITRUST Developments
February 2015
Features of HITRUST’s Controls
14
Risk Factor: Listing of organizational, system, and regulatory factors
that drive requirements for a higher level of control
Implementation Requirement: Detailed information to support the
implementation of the control and meeting the control objective
Control Assessment Guidance: Includes examination of
documentation, interviewing of personnel, and testing of technical
implementation
Standard Mapping: Mapped to each statutory provision
Regulatory Factors: Based on the compliance requirements applicable
to an organization and its systems
System Factors: Various system attributes that would increase the
likelihood or impact of a vulnerability being exploited
HITRUST Developments
February 2015
SOC 2 Parallels
15
With the inclusion of Control Category 13, the HITRUST
certification should meet the stringent criteria of the SOC 2 Audit.
These principles include:
Ø  Security: Employs both physical and logical controls.
Ø  Availability: The system is available for operation and use as
committed or agreed.
Ø  Processing Integrity: System processing is complete,
accurate, timely and authorized.
Ø  Confidentiality: Information designated as confidential is
protected as committed or agreed.
Ø  Privacy: Personal information is collected, used, retained,
disclosed and disposed of in conformity with the commitments
in the entity’s privacy notice, and with criteria set forth in
AICPA’s GAPP.
HITRUST Developments
February 2015
Thank You!
16
Kenneth P. Mortensen
Senior Managing Director
Cybersecurity and Privacy
PricewaterhouseCoopers LLP
kenneth.p.mortensen@us.pwc.com
Caroline Budde
Chief Privacy Officer
Walgreens
Michael Parisi
Director
Third Party Risk Assurance
PricewaterhouseCoopers LLP
michael.p.parisi@us.pwc.com
Michael Frederick
SVP Assurance
HITRUST
michael.frederick@hitrustalliance.net
This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice.
You should not act upon the information contained in this publication without obtaining specific professional advice. No
representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this
publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept
or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in
reliance on the information contained in this publication or for any decision based on it.
© 2015 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers LLP which
is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.
HITRUST Developments
February 2015