When navigating your HITRUST CSF compliance journey, there are a few different assessment and reporting options to consider. But before you start the process of which HITRUST CSF assessment and report is right for you, it’s important to fully understand what your client is requesting. Have you received a letter from a client in the mail? Are you reviewing an RFP? The first question you must know the answer to is whether certification is required or not. Once you know what your client is asking for, you can determine your level of engagement with the HITRUST CSF and which assessment type makes sense based on your business objectives.

HITRUST Assessment Options

CSF Security Assessment

The most common, and baseline, assessment option that organizations choose is the CSF Security Assessment. There are 66 controls that are required for HITRUST certification, and those are directly related to the CSF Security Assessment.

CSF Security Assessment + Privacy Assessment

There is an optional add-on for your CSF Security Assessment, and that is adding a Privacy component. If privacy is a concern of yours or applicable to your business, it will make sense to add the Privacy component to your CSF Security Assessment.

CSF Comprehensive Security Assessment

The CSF Comprehensive Security Assessment option evaluates all 149 controls, including the baseline 66 controls. Organizations will select this assessment option based on client demands. Maybe there will be someone internally, like a stakeholder, who wants to take a holistic approach to how your organization stands against the HITRUST CSF framework. This assessment option evaluates an organization’s information security management system against all the controls in the HITRUST CSF.

CSF Comprehensive Security + Privacy Assessment

Just like with the baseline CSF Security Assessment, there is an option to add a Privacy component to the CSF Comprehensive Security Assessment.

NIST Cybersecurity Assessment

If the NIST Cybersecurity Framework is applicable to your organization, you also have the option to evaluate the HITRUST CSF requirement statements that pertain to the NIST Cybersecurity Framework with the NIST Cybersecurity Assessment option.

HITRUST CSF Report Options

There are several options for demonstrating your compliance with the HITRUST CSF framework. These options include:

  • SOC 2
  • SOC 2 +
  • SOC 2 + HITRUST CSF Certification
  • HITRUST CSF Self-Assessment
  • HITRUST CSF Validated Assessment (Certification)

Some of your clients may accept a HITRUST CSF Self-Assessment only, since a Self-Assessment might satisfy the OCR’s requirements for a HIPAA risk analysis, given that the CSF is a risk-based compliance framework. A Self-Assessment is a great way to begin your HITRUST compliance efforts, and is what KirkpatrickPrice recommends to clients who are just starting out. To begin a HITRUST CSF Self-Assessment, you must establish a relationship with HITRUST, log into the MyCSF tool, and select the self-assessment option. A Self-Assessment must be completed within 90 days and results in a finalized report. This option doesn’t provide the highest level of assurance since it is based on your own evaluation and attestation of your organization’s compliance.

A Validated Assessment provides a greater level of information security assurance and is performed by an approved CSF Assessor, like KirkpatrickPrice. Validated assessments include a HITRUST CSF Self-Assessment in which you answer questions and attest to your compliance, followed by a CSF Assessor validating your controls against what you have said is in place.

Once you have decided which assessment type and level of engagement is right for you, you need to know which report is required. A few years ago, HITRUST and the AICPA came to an agreement that the HITRUST CSF framework itself can be used within a SOC 2 Report. In some instances, your client may ask you for either HITRUST CSF Certification or a SOC 2 only. In other cases, depending on whether you serve different industries, you may have clients that ask for both. In this case, it would benefit most organizations to utilize the HITRUST CSF within the SOC 2 framework, satisfying both. It’s important to remember that clients who are asking for HITRUST CSF Certification will not be satisfied with a SOC 2 only; you must have the certification element if that is what your client is requiring.

Understanding which HITRUST CSF assessment and report option your clients will accept is key. Contact me at s.morris@3.95.165.71 for more information on which assessment and report type is right for your organization.

Hello, this is Jessie Skibbe, Chief Compliance Officer with KirkpatrickPrice. We’re here today to continue our video series of navigating HITRUST CSF compliance. To take you back to where we’ve been, we started off with video #1 in the series, talking about who HITRUST is, what the CSF is, and what it aims to solve as far as problems in the healthcare industry. In video #2, we started digging deeper and deeper into the CSF itself, helping you determine how to establish scope and how to navigate the controls in greater detail. Today, I want to talk about the assessment options that you have.

You have assessment options and then you have report options to consider. Before you start this process of trying to determine which is right for you, it’s really important to know what your client is requesting. If you are a Business Associate pursuing HITRUST certification or HITRUST compliance, you must understand what your client is asking for. If you’ve received a letter in the mail or if you have been reviewing an RFP that you’re applying for, you must understand if certification is required. That’s first and foremost the important step.

Out of the assessment options that you have, the most common assessment option is the CSF Security Assessment option. That’s what I’ve been referring to all along in this video series as the requirement for certification. There are 66 controls right now required for HITRUST certification and those are related to the CSF Security Assessment.

The optional add-on, option #2, is the CSF Security + Privacy Assessment. If privacy is a concern of yours or applicable to your business, you may want to select the Security + Privacy option.

The third on the list of assessment options is the CSF Comprehensive Security Assessment. The difference between Comprehensive and Security is that Comprehensive covers all 149 of those controls; beyond that subset of the 66, it covers all 149. The reason for choosing a Comprehensive Assessment may be because your client demands it, although that hasn’t been the norm of what we’ve seen. It may be a situation where someone internally, like a CEO or investment partners, may want to know from a holistic view how you’re doing comprehensively according to the framework. They would want your information security management system to be evaluated against all 149 controls.

Beyond that, you can choose the CSF Comprehensive Security + Privacy Assessment. Again, adding that Privacy component onto that Comprehensive Assessment.

The next option would be if the NIST Cybersecurity Framework applies to you. That seems not to be the common element, but it is an assessment option that’s available to you.

The assessment options apply whether you’re pursuing a Validated Assessment or a SOC 2. Let’s dig deeper into the report options. Once you decide which assessment option is right for you, you need to know what report is required. Some of your clients may accept what’s called a HITRUST CSF Self-Assessment. A HITRUST CSF Self-Assessment, for example, may satisfy the OCR’s requirements for a risk assessment, given it is a risk-based compliance framework. Keep that in mind because a Self-Assessment is an excellent way to begin with your compliance efforts. In fact, that’s what we recommend, to always start with a Self-Assessment. If the Self-Assessment happens, you establish a relationship with HITRUST, you log into the My CSF tool, and you select the Self-Assessment option. The Self-Assessment must be completed within 90 days. It’s all based on your input and your evaluation of controls. What comes out of that is a HITRUST CSF Self-Assessment Report. A Self-Assessment, of course, is not the highest level of information security assurance because it’s all based on how you are evaluating yourself.

The next option, the HITRUST CSF Validated Assessment, is a greater level of information security assurance. In that case, you would hire someone who is a CSF Assessor firm, very much like KirkpatrickPrice, to validate your controls against what you have said is in place. A Validated Assessment is just that; it’s you entering information, it’s you attesting to your compliance, and then it’s someone coming in to validate that.

Another report option to consider is a SOC 2. A couple of years ago, the AICPA and HITRUST came together and came to an agreement that the HITRUST framework itself could be utilized within a SOC 2 report. In some cases, your client may ask you for either certification or a SOC 2; they may ask for either/or. Some of the benefits of having a SOC 2 that uses the HITRUST framework are that you may have some clients that ask for both. Maybe some of your clients are in financial services, other clients are in healthcare. Having a SOC 2 performed using the HITRUST framework could satisfy both, but keep in mind that those clients asking for HITRUST certification will not be satisfied with a SOC 2 using HITRUST components. You have to have that certification element if your client is requiring it. In that case, you could do the SOC 2 and then the HITRUST certification could be added to that as an additional component of the SOC 2. There are lots of different options as far as the assessment types and the report options. Knowing which is right for you is the first step in determining what your next step in your overall compliance objectives should be. This concludes our overview of assessment types and report options. To further assist you in deciding which is right for you, we’ve put together the graphic that you’re seeing now. As you can see, the starting point is really knowing if certification is required. If certification is required, then navigating the rest of the options is fairly simple. It’s the first question that we would ask you if you called our firm and asked for assistance. We’d want to know if your client is asking for certification or not. Something that you need to know and remember is that if certification is required, HITRUST is the only entity that can issue certification directly; a 3-way relationship must exist. We have a relationship as a CSF Assessor firm with HITRUST, you have a relationship with HITRUST from using the My CSF tool and requesting that HITRUST CSF Validated Assessment Report, and then we have a relationship with you as our client. That relationship has to be established because HITRUST is the only entity that can issue certification. That word – certification – is always step #1. Knowing if that is required should be the first thing you get an answer to.

In our next video, we’re going to talk about how the scoring mechanism works within the control framework. If a Validated Assessment is chosen and you want to receive certification, you must understand the maturity model and how controls are scored in order to know if you’re going to meet the certification requirements. I hope you’ll join us for our next video! If you need any further information or need assistance immediately, please contact us at the link below.

Getting started with your HITRUST certification journey can be overwhelming; the CSF is a lengthy framework containing 845 requirement statements spread over three implementation levels. Here is a step-by-step guide for understanding how to navigate the makeup of each control by determining the scope of the assessment, determining your unique risk factors, and knowing which level applies to your organization.

Defining the Scope of your Assessment

The very first thing organizations must do before downloading the HITRUST CSF or beginning any work in the MyCSF tool itself is define the scope of the assessment. Properly scoping your environment is an important step in becoming HITRUST certified. The scope of your assessment will determine to what extent the CSF controls apply to your organization and whether you are able to minimize or condense the amount of work that needs to be done. Are you assessing a particular business unit? A geographical location? A segmented network? When determining scope, you must consider all people, processes, and technology that come into contact with sensitive data.

Determining your Risk Factors

The next step in your HITRUST journey should be determining your inherent risk factors. These risk factors consist of organizational, system, and regulatory risks.

Organizational Risk Factors

Organizational risk factors are defined based on the type, size, and complexity of the organization and its environment. Different industries have different requirements. For example, a health plan or insurance company’s implementation level is determined based on the number of covered lives, whereas a medical facility or hospital’s level is determined based on the number of licensed beds. Third party processors must determine their implementation level based on the number of records processed each year. Understanding your unique risk factors is important in knowing which implementation level applies to your organization.

System Risk Factors

System factors are based on system characteristics that could potentially increase the likelihood or impact of a vulnerability being exploited. The following information must be gathered for all in-scope systems before assessing yourself against the CSF:

  • Is it storing, processing, or transmitting sensitive information?
  • Is it accessible from the internet?
  • Is it accessible by a third party?
  • Is it publicly accessible?
  • Is there mobile technology being used?
  • What is the total number of users?

Regulatory Risk Factors

There are a number of regulatory risk factors that could also affect your in-scope systems. Does PCI DSS apply to your organization? FISMA? FTC Red Flags Rule? HITECH Act? If you know that any of these regulations apply to your organization, you must be sure to implement the associated requirement statements.

Understanding your Implementation Level

Once you have defined your scope and your risk factors, your implementation level can be determined by industry type and the organizational risk factor for volume of business, record count, etc. For example, an IT service provider with between 10 and 60 million records and 15 to 60 terabytes of data would be considered level 2 and have to implement controls for level 1 and level 2. If the same provider exceeded 60 million total records or 60 terabytes of data, it would then be considered level 3 and have to implement controls for levels 1, 2, and 3. As you can see, the HITRUST CSF provides a scalable, layered approach based on your unique risk factors and implementation control levels.

Define your scope, determine your risk factors, and start at level 1. Then you can build to level 2 or 3, and include regulatory requirements, as applicable to your organization. If you need help with preparing for a HITRUST certification assessment or navigating the HITRUST CSF controls, contact me today at s.morris@3.95.165.71.

In our last video, we talked about the CSF and how it breaks down into numbers. To shorten that, there are 149 controls spread out over the 14 categories. Keep in mind that only 66 of those controls are required when you’re pursuing certification. What we’re going to talk about in today’s video teaches you how to navigate the controls themselves. The CSF, when you download it from the HITRUST website, is a very lengthy document. There’s a lot of content in there, so I wanted to break it down for you and show you step-by-step the makeup of the controls, how to determine what your risk factors are, which levels affect you, etc. That’s what today’s video is all about. Hopefully you’ll stick with us for our next video, but we’re really wanting to zero in on the controls themselves today.

Before you open up that CSF document, or before you begin any work in the My CSF tool (say, for example, you’re going through self-assessment), you need to define your scope because the scope is where it all starts. You can possibly limit the scope to condense the amount of work that needs to go into the assessment, like if you have multiple business units, multiple geographic locations, etc. Get an understanding of what business units are going to be involved in that scope and how to narrow that scope when it seems appropriate. For a lot of smaller organizations, the entire organization may be what’s in scope. It’s really important to start there. If you have a flat network, everything’s going to be in scope because there’s no segmentation. If you’re going to take the business-unit or geographical-region approach to segmenting, you need to make sure you’re scoping from a network perspective to make sure you have proper segmentation in place. Keep that in mind. Always get a clear definition of scope because if there are various business units involved, you’ll want to make sure that the leaders from those business units and the corporate people are brought into the assessment. This is one of the very first things that we, as an assessor firm, are going to want to confirm – the scope of your environment. We’re going to want to know the people involved, we’re going to want to know the systems that are involved in that scope because that is what the assessment is going to be performed on. So like I said, whether you’re starting in the My CSF tool or whether you’re starting by just opening up the document to determine what you’re compliant with and what you’re not, really having an understanding of scope is step one. Once you have that defined, you know what systems are in scope and what potential business units are in scope, then you can move into determining what your risk factors are. We’re talking about inherent risk factors associated with organizational, system, and regulatory items.

The very next thing that you’re going to want to do after you’ve determined what the scope of your environment is, is you’re going to want to make a pretty simple assessment. There are different categories that you must select, whether you’re, again, in the My CSF tool. You have to have an understanding of that if you’re just using the CSF to determine compliance. For example, are you a health information exchange company? Are you a hospital? (Of course, you know the answers to these questions.) Are you a payer, pharmacy, physician’s practice, service provider IT, or service provider non-IT? (Those are the 2 most common we see for Business Associates.) Understanding whether you’re categorized as a “service provider IT” or whether you’re a “service provider non-IT” is definitely something you need to determine. For example, an IT service provider is generally someone who provides IT services such as cloud services or hosted IT infrastructure. If you fit into that category, you’re definitely a service provider IT. Service providers non-IT are companies that are generally defined as Business Associates that provide non-IT-related services such as transcription services and clearing houses. You want to know, for example, what category you fit into, and based on that category, there are some risk factors that you’ll want to know the answers to. Gathering this information before you begin the assessment is critical because it’s going to determine, for example, if level 2 or level 3 applies to your organization. As you’re going through the controls you’re going to want to know the answer, for example if you are service provider IT, to: what is your total record count that you have? If you don’t know the answer to that, there are alternatives such as, what is the annual record count? What is the total volume of data that you have in the systems that are in scope? People often ask me, what is considered a record? And, of course as I just mentioned, you have to know the number of records that you’re maintaining to know which levels apply to you. A record, as defined by HITRUST, is an instance where data items (fields) are stored with a unique identifier. Such records include but are NOT limited to the designated record set as defined under HIPAA. Having an understanding of how many records you have is going to be included in the scope of your assessment.

Gathering this data on the in-scope systems prior to starting the assessment is critical because you need to know where and when those levels 2 and 3 will apply. Also for those in-scope systems, you’re going to want to gather the following information. You don’t have to memorize or write down what I’m saying, it’s all listed in the CSF, but I want to walk through it just to explain it to you.

For example, for the in-scope systems you have to know if they are storing, processing, or transmitting sensitive information. Is it accessible from the internet? Is it accessible by a third party? Is it publicly accessible? Is there mobile technology being used on the in-scope system? What is the total number of users? The important thing is not that I’m giving you the entire list here; the important thing is remembering that you must gather this information prior to jumping in and trying to assess yourself against the controls. Again, step number one is defining the scope. Is it a different business unit? Is it a geographic location? Is it systems that are segmented on the network? Those are the types of things you want to know before you start the assessment. Then, recognizing your organizational factors. How many records do you have, etc. And of course, evaluating the in-scope systems.

The CSF also has a number of regulatory considerations where regulatory inherent risk factors would apply. If, for example, PCI applies to your environment, FISMA, maybe the FTC Red Flags Rule, or the HITECH Act – there’s a list of regulatory factors that may or may not affect the in-scope systems or the scope as you’ve defined it. Understanding that before you get started will also determine which levels apply to you. For example, when you use the My CSF tool, if you’re going through an assessment using the My CSF tool, these are all questions that you have to answer before the questionnaire is built. You have to know the answers to these questions. Most likely, if you’re working with an assessment firm, these are all questions that they’re going to ask you right off the bat before they start working with you. The answers to these questions will determine how many requirement statements actually will apply, so it really determines scalability. Is it going to be a rather small assessment, or is it going to be a rather large assessment? So the answers to these questions from an organizational, from a regulatory, and a system aspect will determine the number of controls that apply and how long or short the assessment is going to be overall.

So now I’m going to break it down. If you have the actual CSF in front of you or downloaded (Version 8.1, as it’s the most current version at the recording of this video), you can follow along. I want to take you to page 280 if you want to follow along. If not, you can just listen to the way I’m describing this. Each control is broken down, and the control reference that I’m going to share with you today is the “Physical Entry Control.” In this example, the control specification states (I apologize for reading, but I don’t have these memorized), “Secure areas shall be protected by appropriate entry control to ensure that only authorized personnel are allowed access.” The other thing that you’ll notice in this particular control is there’s an asterisk that says, “Required for HITRUST certification, CSF Version 8.1.” Every control that is required for certification – again, it’s one of those 66 controls – is defined within the CSF as required for certification. If it’s not listed there, you know that this is not a control that would apply if you’re working towards certification as the end result. So for this particular control, we’ve read the control specification and we know that its factor type is organizational. This means that the organizational risk factors that we talked about a minute ago really come into play.

In my example today, we’re looking at level 1 implementation requirements for this particular control. Let’s pretend, for example, that we are a service provider IT. What’s going to apply in this control is how many records we have. So I’m looking at level 1 implementation requirements and I’m going through the list. I know that all of these controls are going to apply to me because this is going to apply to everyone. I have to make sure that my visitor records contain the following information: name, organization, signature, form of identification, etc. You can read all of that, obviously, in the CSF. What I really want to walk you through is what’s next. For example, level 2 would apply to me as an IT service provider if I had 15 to 16 total terabytes of data. If my data falls within that category, I need to make sure that all of the level 1 implementation requirements are met as well as level 2. In this case, I’m also going to make sure this visitor log contains the date and time of arrival and departure, visitor’s name, etc. It’s a little bit deeper. The concept here is: the greater the risk, the more controls in place to protect against that risk. Having between 15 and 16 terabytes of data increases my overall amount of risk as a business partner to my client. Going down through the list, if I have more than 16 terabytes that I’m maintaining for my client, you have to also consider that doors and internal secure areas are locked, have a door delay alarm implemented, and are equipped with a secure lock. That’s an example of, “I have to have all of level 1, all of level 2, and all of level 3 in place.” That is only if, as an IT provider, I am housing more than 60 terabytes of data. That ties back to understanding those risk factors involved in your scope before you go into the assessment, because you’re going to need to know how deep you need to go. This gives you a basic idea of how the controls are structured, understanding what risk factors are, and first and foremost, determining if level 1, 2, or 3 applies to you.

The other thing I didn’t really cover with you here is regulatory risk factors. If you’re navigating the CSF and know PCI applies to you, you would also have to make sure that those requirement statements that are in the PCI sections are also implemented. We’re building upon and building layers as we go. Like I said, the CSF is scalable. Starting at level 1, which applies to all organizations, adding level 2, level 3, and then those regulatory requirements really adds a layered approach. It’s relevant to how much risk you are trying to maintain. Again, it’s a risk-based framework that works really nicely in the layers I described.

That concludes this video, where we’re wanting to define for you how the controls are structured and what applies to you and what doesn’t. In our next video, we’re going to talk about your different assessment options, like the SOC 2 option, validated assessment, the certification – all of that information will help you determine the next step, which is: what is your goal in achieving an assessment? Thank you for joining us today, I look forward to seeing you in the next video! If you need any help immediately, please contact us at the link below.

Have you been asked by a top client to become HITRUST CSF certified? Are you looking for a better way to demonstrate compliance with HIPAA laws? What exactly is HITRUST and how does it apply to your organization? KirkpatrickPrice is an approved HITRUST CSF Assessor, prepared to help Business Associates understand who HITRUST is, what the HITRUST CSF is, and how you can apply HITRUST CSF certification to your organization.

Who is HITRUST?

HITRUST Alliance, an independent, not-for-profit organization, was established in 2007 and was “born out of the belief that information protection should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges.” Over the last several years, the HITRUST CSF certification has really begun to gain momentum as Covered Entities are regularly adopting the HITRUST CSF framework. 80% of hospitals, insurance carriers, and health plans have adopted or are adopting the HITRUST CSF framework, and it has become the most widely used framework across the healthcare industry. HITRUST Alliance’s Board of Directors is made up of experienced individuals from organizations like Anthem, Walgreens, and UnitedHealth Group. HITRUST updates the HITRUST CSF on an annual basis, paying special attention to the current and evolving threat landscape and breach data while collaborating with regulators to create a comprehensive framework that provides a road map for demonstrating due diligence in maintaining HIPAA compliance.

What is the HITRUST CSF?

The HITRUST Common Security Framework, or CSF, is a security and privacy framework that HITRUST has developed and maintains for the healthcare industry. The hierarchy of the framework is constructed similarly to ISO 27001/27002 and consists of 14 control categories which contain 46 control objectives that map to 149 controls. Within each of the 149 controls, there are up to 3 implementation levels which you must meet for each risk factor involved. Risk factors include organizational, system, and regulatory. In all, there are 845 requirement statements spread over the implementation levels.


It’s important to remember that the HITRUST CSF is very scalable, which is the basis of its appeal. Depending on the size of your organization, the number of records you’re maintaining, and whether you’ve scoped your environment effectively, not all 845 requirements will apply to your organization. In the following HITRUST videos, we will dive into a more granular level and explore what applies to you, how it applies to you, and how you can begin your HITRUST CSF certification journey.

Why HITRUST CSF Certification?

You may be asking yourself, “Why do I need this? Why is my client asking me for yet another framework?” If you’re managing healthcare data, it’s critical from a business and reputational standpoint to protect yourself from risk and maintain a strong relationship with your clients who are also trying to mitigate their risks. HITRUST certification is a great way to ensure this is happening.

HITRUST certification is also a great way to demonstrate compliance with HIPAA laws. The HITRUST CSF certification demonstrates a high level of due diligence, showing that you are doing everything you possibly can to protect the healthcare data for which you are responsible. HIPAA has been around since 1996; however, it only provides basic guidelines for organizations to follow and doesn’t go into detail on how to maintain the controls. The HITRUST CSF is effective because not only is it scalable based on your unique risks, but it also provides guidance on how to meet specific controls.

Because the HITRUST CSF was built on the ISO 27001/27002 framework and incorporates elements of other frameworks such as PCI DSS, NIST 800-53, and COBIT, it aligns itself nicely with other frameworks your clients are likely asking you about. Since there is a lot of crossover, this can increase efficiency and decrease costs for your organization. The HITRUST CSF is certifiable and attractive to Covered Entities because they know what HITRUST is and see it as a great way to measure, mitigate, and control risks at your organization. Contact me today at s.morris@3.95.165.71 for help with establishing a relationship with HITRUST and get started with your HITRUST compliance journey today.

Hi, I’m Jessie Skibbe! I’m the Vice President of Strategic Development and Chief Compliance Officer for KirkpatrickPrice. Thanks for joining me today! We want to take you on a journey to describe what HITRUST compliance really means, starting off with: Who is HITRUST? What is the CSF? How do I apply it to my organization? First, just a little bit about me. I have been in the role of Information Security Officer, Network Administrator, and Chief Compliance Officer, spanning my career of 25 years in manufacturing, financial services, and healthcare industries. In my current role, my primary objective is to help our clients achieve their security and compliance objectives. Many of our clients – being the Business Associate in a lot of cases – really have a multiple-audit challenge that they have to deal with.

A little bit about our firm: we have been practicing for over 12 years. We are a licensed CPA firm as well as a PCI QSA firm and, of course, a HITRUST Assessor firm. We have a wide variety of services to offer to help you meet your compliance objectives. I’m going to start with giving you a background of who HITRUST is – not to be confused with the HITECH Act or HIPAA. HITRUST is an independent organization. They are a not-for-profit organization. They were established in 2007, so they’ve just celebrated their 10-year anniversary. Most recently, over the last 3 years, they’ve gained a lot of momentum with Covered Entities, hospitals, and payers really adopting their framework. A statistic I read on their website recently showed that 80% of hospitals and payers have both adopted the framework, making it the most widely-used framework across the healthcare industry. HITRUST themselves, like I mentioned, is an independent organization. The Board of Directors behind HITRUST is from companies such as Anthem, United Health Group, and Walgreens, just to name a few. You can go to their website, which we’re going to show you here on-screen; the “About Us” page, obviously, shows you who the Board of Directors are, which is made up of healthcare industry professionals that are really guiding and directing the initiative of HITRUST.

HITRUST is updating the CSF framework every year. The important thing about that, and what can really make you feel good about adopting the framework, is that they’re paying attention to the cyber threat and intelligence that’s happening in the industry right now, they’re paying attention to breach data, and they’re working closely with regulators to create a comprehensive framework that will self-regulate and provide due diligence with maintaining HIPAA compliance, specifically, across the healthcare industry. It’s something that you can feel good about implementing. Whether this is something that your client says you have to do, or whether it’s something that you’re choosing on your own accord to do for a great level of due diligence, HITRUST has committed to their users and people who’ve adopted the framework that they will continue to update it year after year after year. So that’s a little bit about who HITRUST is.

Now let’s talk about what the CSF is. So, what is the CSF? The CSF, as I described, is the Common Security Framework. It’s the core of what HITRUST maintains for the healthcare industry. I’m going to give you a lot of numbers to really describe what the CSF is. What it’s important to note – I described earlier how it’s widely adopted – is that 23,000 CSF assessments have been performed in the last few years, 10,000 of those in 2014. There’s been a push in the last 2-3 years in the number of assessments being performed. Like I mentioned, I’m going to give you a lot of numbers to describe the CSF, those being a few. To understand how the hierarchy works and how the CSF is constructed, it follows ISO 27001/27002 very closely. There are 14 control categories, containing 46 control objectives mapping to 149 controls. Within each of those 149 controls, there are also up to 3 levels of implementation requirements that you have to meet based on the risk factors involved, which are organizational, system, and regulatory risk factors, which I’m going to explain a whole lot more in the next video when we talk about how to use the CSF to apply it to your organization. That, from a high level, is how the CSF is constructed. Important to note, too – there are up to 845 requirement statements that you must be compliant with. Those are individual tests that must be performed when you’re going through the evaluation. The good news is, I hope that number doesn’t scare you off, because the HITRUST CSF is very scalable depending on the size of your organization, the number of records you’re maintaining, and the system that you have scoped out effectively. Not all of those 845 requirement statements are going to apply to you. My objective for this series of videos is to walk you through how to determine what applies to you, what doesn’t apply to you, and how you can begin your path in maintaining HITRUST compliance.

So, I described from a 10,000-foot level what the Common Security Framework is, but I want to give you some peace of mind because you may be wondering: why do I need this? Why is my client asking me to be compliant with 1 more framework? Why should you have to go through all of this trouble? If you’re maintaining healthcare data, it’s really important for you from a business standpoint and protecting yourself from risk, as well as maintaining that strong relationship with your client that’s trying to mitigate their risks. If you’re not sure what risks apply to you, then I would highly suggest a visit to the HHS Newsroom. Most recently, I read about a $5 million resolution agreement with a hospital system. It’s not only affecting Covered Entities; there are OCR resolution agreements going into place with Business Associates. That’s one reason; obviously the OCR is really gaining momentum with the audits and the resolution agreements that they’re putting into place now for companies that are not maintaining compliance with HIPAA. But also from a financial perspective, think about potentially providing breach notification to all those consumers that you have in your database. Protecting yourself from a data breach is the right thing to do from a business standpoint, from a reputational risk standpoint, and to maintain that strong relationship with your client. For the Covered Entity, hospital, or network, depending on what you’re doing for them as a Business Associate, it’s necessary to show them and demonstrate to them that you are doing the right things, doing due diligence, and maintaining compliance with HIPAA. The CSF wraps itself beautifully around the HIPAA Security Rule. There are elements of Privacy that I’ll talk a little bit about later, but it’s primarily the Security Rule. If for no other reason, go to that HHS Newsroom and read about some of the risks that apply to you as a Business Associate as well as a Covered Entity, as far as your responsibility of maintaining protection over that data. Following something like the HITRUST CSF demonstrates a high level of due diligence, that you’re doing everything that you can to protect that healthcare-related data that you’re being held responsible for keeping secure.

We all know that HIPAA has been around for a very long time, since 1986, and then in 2009 the HITECH Act really brought some enforcement to that, as well as to Business Associates. HIPAA provides a basic guideline for entities to follow, but it doesn’t get into that granularity, as far as how to necessarily maintain some of those controls. The one thing that HITRUST does very effectively, like I said, is it’s very scalable depending on what your inherent risk factors are. If you’re in areas of greater risk, you have to have greater levels of control. It’s very scalable, from that aspect, to adapt to your organization, depending on if you’re on the larger or smaller side.

We’ve displayed a graphic here for you, to demonstrate some of the other frameworks that are included in the HITRUST framework. As you’ll see at the core, it’s built on the ISO 27001/27002 standard, that being the international standard for information security and maintaining a management system that incorporates a risk management framework. This fits nicely with the scalability of the HITRUST CSF framework. Built on ISO, incorporating elements from PCI; as you’ll see, not all of PCI is covered, but we’re estimating that about 80% of PCI is covered within the framework. You’ll also see NIST 800-53, as well as a portion of COBIT. The one nice thing about the CSF is that it helps you gain efficiency within your compliance efforts if you have clients that are asking you for a lot of different types of compliance. They may be asking you to be compliant with NIST, for example, if you’re doing any work that has to be compliant with FISMA. If you’re, for example, also a vendor to someone and you’re collecting credit card information or processing credit card information yourself, you’ll know that that crossover between the CSF and PCI exists. The HITRUST CSF framework can increase efficiency and reduce cost for your organization. That’s another reason why the framework was developed. So, as I was saying, the HITRUST CSF framework really aligns itself nicely with other frameworks that you may already have to be compliant with. One thing I’d really like to stress is that it’s a certifiable framework, which makes it really nice and attractive from a Covered Entity’s standpoint. You can achieve “HITRUST Certified” and they know what that means. They know the scalability, they know the Requirement Statements, they know the Controls that are requested in the CSF. It’s a really good way to control and mitigate risk from the Covered Entity’s standpoint.

In our next video, I’m really going to drill down with you. Like I mentioned, there are 845 requirement statements. In our next video, I’m going to take you through how to determine what the scope of your environment is, and then how to apply that scope to navigate the CSF and how to apply those controls to your environment. Thank you so much for joining us today! We hope it was a valuable use of your time and we definitely hope to see you in the next video. As always, you can contact us immediately at the information below. We hope to be your trusted partner in meeting your compliance objectives.

Welcome to the inaugural Risky Business blog! The goal here is to provide education about the ISO 27001 standard and provide useful advice on how this framework can be used to solve many of your compliance and information security problems.

I have been using ISO 27001 for over a decade as the foundation for information security programs that I’ve developed and directed, both for myself and for my clients, and have seen the efficacy of the standard firsthand. ISO 27001 is unique in that it gives a clear framework that is risk-based, business-focused, and allows its users to build an information security program that meets their specific information security needs. It’s not a one-size-fits-all approach, but rather it tailors itself to your organization’s security needs based on your particular risk.

ISO 27001 is the successor to ISO 17799, BS 7799 before that, and is part of the ISO 27000 series’ information security standards. BS 7799 was published in 1995 by the government of the United Kingdom, so the core content behind this standard has been around for over 20 years. It was labelled as a “Code of practice for information security management.” In short, it tells you how to design and operate your information security management system (ISMS), or information security program.

Since you are reading an information security blog, you might be somewhat familiar with some other commonly used information security standards such as PCI DSS or HIPAA. Now, ISO 27001 has a very different approach to information security than standards such as these. Whereas, for example, PCI DSS tells you specifically what controls you have to use (the prescriptive approach), ISO 27001, instead, lets you decide on what controls best suit your particular information security needs (the risk-based approach). It’s a very different way of looking at things and requires a different mindset for those of you who are simply used to going “down the list” of controls, requirements, etc. The real magic in ISO 27001 is that, in following it, you essentially create an information security standard that is customized for your organization. It’s like making a tailor-fitted version of the PCI DSS just for you. This tailored version not only specifically addresses your particular information security needs and environment, but also allows you to not waste effort and resources on applying controls of no or little value to your organization. Again, it’s tailor-made for you.

ISO 27001 really is somewhat magic! I’ve consulted for hundreds of clients over the last few decades, and have noticed that those that use ISO 27001 as the basis of their information security programs are always head and shoulders above those that don’t. Not only are their programs more mature and effective, but they also spend their budget far more effectively, since ISO 27001 targets their real and actual risks instead of some theoretical risk on a piece of paper. We want you to be able to enjoy the same advantages that those organizations enjoy.

In upcoming posts, we will break down the standard into bite-sized pieces that are easy to understand and put into practice. In the meantime, we’d love to hear from you. What experiences have you had with ISO 27001? What questions or concerns do you have about the standard? Email me at b.penn@3.95.165.71. Contact us to learn more, and we look forward to hearing from you!