Get Ready Now for HITRUST 2017

Jan 15, 2017

Page 1: Get Ready Now for HITRUST 2017

Get Ready Now for HITRUST 2017 | 1

Get Ready Now for HITRUST 2017 Your Map to HITRUST Certification

Page 2: Get Ready Now for HITRUST 2017

Agenda

01. Background / Overview
02. The CSF Framework
03. Scope and Approach
04. Options
05. Steps to Certification
06. Process
07. Q&A

Page 3: Get Ready Now for HITRUST 2017

Background & Overview 01

Page 4: Get Ready Now for HITRUST 2017

HITRUST Overview

• Began in 2007; first version of the CSF released in 2009
• Created to meet the demands of healthcare challenges:
  – Inconsistency
  – Inefficiencies
  – Increasing cost
  – Increasing risk

Page 5: Get Ready Now for HITRUST 2017

Announcement

Page 6: Get Ready Now for HITRUST 2017

Overview of Expansion

• CSF Certification is now required of business associates by Anthem/Cigna, Health Care Services Corp., Highmark, Humana, and UnitedHealth Group
• Significance: effective security and privacy practices across the partners these organizations share data with

Page 7: Get Ready Now for HITRUST 2017

Why the Expansion?

• Increasing cyber threats
• Significance of Business Associates
• Interconnection of the healthcare industry
• Goes beyond HIPAA
• Minimizes duplication, cost and inefficiency

Page 8: Get Ready Now for HITRUST 2017

Mandatory?

YES! (For Business Associates of these Healthcare Organizations)

Page 9: Get Ready Now for HITRUST 2017

7,500

An additional 7,500 organizations that do not currently hold a CSF Certification are expected to obtain one within the next 24 months.

Page 10: Get Ready Now for HITRUST 2017

Overview of the Common Security Framework 02

Page 11: Get Ready Now for HITRUST 2017

CSF Overview

• The CSF is a defined set of prescriptive requirements
• Built to meet the challenges of healthcare security
• Designed to secure protected health information (PHI)

Page 12: Get Ready Now for HITRUST 2017

Overview of the CSF: Authoritative Sources

• ISO 27001
• PCI-DSS
• HIPAA/HITECH
• Meaningful Use
• NIST 800-53
• FTC Red Flags
• CMS
• Privacy Laws

Page 13: Get Ready Now for HITRUST 2017

Organization of the CSF

• Establishes a single benchmark
• Increases trust and transparency
• Obtains industry consensus

Page 14: Get Ready Now for HITRUST 2017

CSF and Privacy

• CSF version 7
  – Adds privacy controls to the framework
  – Satisfies health care regulations in TX, MA, and NV

Page 15: Get Ready Now for HITRUST 2017

Purpose & Scope 03

Page 16: Get Ready Now for HITRUST 2017

Purpose

• Harmonizes privacy and security standards
• Establishes a framework of controls
• Builds trust and assurance
• Highlights credibility
• Helps eliminate the need for redundant audits

Page 17: Get Ready Now for HITRUST 2017

Define Scope

• Entire organization environment, or
• Segmented portions:
  – Single location
  – Single business unit
  – Single application
• Covered information (the protected health information and other sensitive data the assessment covers)

Page 18: Get Ready Now for HITRUST 2017

Define Scope

• Assessment options
  – Security Assessment
  – Security & Privacy Assessment
  – Comprehensive Security Assessment
  – Comprehensive Security & Privacy Assessment

Page 19: Get Ready Now for HITRUST 2017

Scope of CSF

• Assessment factors (these determine which control requirements apply to the scoped environment)
  – Organizational factors
  – System factors
  – Regulatory factors

Page 20: Get Ready Now for HITRUST 2017

Scope of CSF

• 14 control categories
  – 13 for Security
  – 1 for Privacy
• 46 control objectives
• 149 control specifications
  – Grouped within 19 assessment domains

Page 21: Get Ready Now for HITRUST 2017

Scope of CSF: CSF Assessment Domains

• Information Protection Program
• Endpoint Protection
• Portable Media Security
• Mobile Device Security
• Wireless Security
• Configuration Management
• Vulnerability Management
• Network Protection
• Transmission Protection
• Password Management
• Access Control
• Audit Logging & Monitoring
• Education, Training and Awareness
• Third Party Assurance
• Incident Management
• Business Continuity & Disaster Recovery
• Risk Management
• Physical & Environmental Security
• Data Protection & Privacy

Page 22: Get Ready Now for HITRUST 2017

MyCSF

• Access to the CSF and its authoritative sources
• Perform assessments
• Report and track compliance
• Document remediation in Corrective Action Plans (CAPs)
• Benchmarking

Page 23: Get Ready Now for HITRUST 2017

Implementation Levels

• Generated by MyCSF from the organizational, system and regulatory factors
• Levels are 1, 2, and 3
• Level 1 is the baseline; each additional level increases the number of required controls
• Adapted from the NIST SP 800 series

Page 24: Get Ready Now for HITRUST 2017

Options 04

Page 25: Get Ready Now for HITRUST 2017

Assessment Types

• Self Assessment
• CSF Validated

Page 27: Get Ready Now for HITRUST 2017

Assessment Types

• Self Assessment
  – No validation
  – A 3rd party can facilitate the assessment
  – A 3rd party can provide review and feedback

Page 28: Get Ready Now for HITRUST 2017

Assessment Types

• CSF Validated
  – Performed by a HITRUST-approved CSF Assessor
  – On-site fieldwork
    • Interviews
    • Technical testing

Page 29: Get Ready Now for HITRUST 2017

Report Types

• Self-assessment
• CSF Certified
  – Minimum maturity rating of 3 in ALL assessment domains
• CSF Validated (not certified)
  – Issued when the maturity rating is below 3 in ANY assessment domain

Page 30: Get Ready Now for HITRUST 2017

Steps to Certification 05

Page 31: Get Ready Now for HITRUST 2017

Step one: Initial Project Planning

Page 32: Get Ready Now for HITRUST 2017

Project Planning

• Executive support
• Assignment of a main point of contact
• Determining scope
• Determining system boundaries
• Communication with process owners

Page 33: Get Ready Now for HITRUST 2017

Step two: Organizational and System Scoping

Page 34: Get Ready Now for HITRUST 2017

Organizational and System Scoping

• Location(s)
• Application(s)
• Device(s)
• Regulatory requirement(s)
• Third party service organization(s)

Page 35: Get Ready Now for HITRUST 2017

Step three: Assessment Preparation

Page 36: Get Ready Now for HITRUST 2017

Assessment Preparation

• Project calendars
• Evidence request lists
• Identification of process owners
• Interview scheduling

Page 37: Get Ready Now for HITRUST 2017

Step four: Examine Documentation and Practices

Page 38: Get Ready Now for HITRUST 2017

Examine Documentation and Practices

• Policy documents
• Documented procedures
• Processes

Page 39: Get Ready Now for HITRUST 2017

Step five: Conduct Interviews

Page 40: Get Ready Now for HITRUST 2017

Conduct Interviews

• Process owners
• Verify process controls
• Confirmation of evidence

Page 41: Get Ready Now for HITRUST 2017

Step six: Perform Review and Technical Testing

Page 42: Get Ready Now for HITRUST 2017

Perform Technical Testing

• Perform walkthroughs
• Test automated control configurations
• Manual control sampling
  – HITRUST sampling methodology

Page 44: Get Ready Now for HITRUST 2017

Review Technical Testing

• Compliance scoring
  – Each control requirement is scored at five maturity levels:
    • Policy
    • Procedure
    • Implemented
    • Managed
    • Measured
  – Each maturity level receives one of five compliance ratings:
    • Non-compliant (0%)
    • Somewhat compliant (25%)
    • Partially compliant (50%)
    • Mostly compliant (75%)
    • Fully compliant (100%)

Page 45: Get Ready Now for HITRUST 2017

Review Technical Testing

• Compliance scoring example (the worked-example figure on this slide did not survive the transcript)
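As an added worked example (not from the original deck, and not MyCSF or any HITRUST tool), the Python below scores one control requirement across the five maturity levels using the compliance ratings named on the previous slide, averages requirements into an assessment-domain score, and applies the "minimum in ALL domains" gate from the Report Types slide. The per-level weights, the 0-100 threshold standing in for a rating of 3, and the sample ratings are assumptions or constructed data; the deck states none of them.

```python
"""HITRUST-style compliance scoring, rolled up to the certification gate.

Added worked example; it is not MyCSF and not the deck's own material.
Each control requirement is rated at five maturity levels (Policy, Procedure,
Implemented, Managed, Measured) using the compliance ratings named on the
slide (Non-compliant 0% ... Fully compliant 100%).  Level ratings combine
into a 0-100 requirement score, requirements average into an assessment-
domain score, and the gate is "every domain at or above the minimum", which
the Report Types slide gives as a rating of 3 in ALL domains.

ASSUMPTIONS (not stated on the page): the per-level weights and the 0-100
threshold that stands in for the rating of 3 are illustrative placeholders.
"""
from statistics import mean

MATURITY_LEVELS = ("policy", "procedure", "implemented", "managed", "measured")

# Compliance ratings as named on the page, as fractions of full credit.
COMPLIANCE = {
    "non-compliant": 0.00,
    "somewhat compliant": 0.25,
    "partially compliant": 0.50,
    "mostly compliant": 0.75,
    "fully compliant": 1.00,
}

# ASSUMPTION: illustrative per-level weights; they sum to 100 so that a
# requirement rated fully compliant at every level scores exactly 100.
LEVEL_WEIGHTS = {"policy": 15, "procedure": 20, "implemented": 40,
                 "managed": 15, "measured": 10}
assert sum(LEVEL_WEIGHTS.values()) == 100

# ASSUMPTION: hypothetical 0-100 score standing in for "maturity rating of 3".
CERTIFICATION_MIN_SCORE = 62.0


def score_requirement(ratings):
    """Weighted 0-100 score for one control requirement.

    `ratings` maps maturity level -> compliance rating name.  A level absent
    from `ratings` counts as non-compliant, so an unassessed level can never
    silently earn credit; an unknown rating name is an error, not a zero.
    """
    total = 0.0
    for level in MATURITY_LEVELS:
        name = ratings.get(level, "non-compliant").strip().lower()
        if name not in COMPLIANCE:
            raise ValueError(f"unknown compliance rating {name!r} at level {level!r}")
        total += LEVEL_WEIGHTS[level] * COMPLIANCE[name]
    return round(total, 2)


def score_domain(requirements):
    """Average requirement score (0-100) for one assessment domain."""
    if not requirements:
        raise ValueError("a domain needs at least one scored requirement")
    return round(mean(score_requirement(r) for r in requirements), 2)


def certification_gaps(domains, min_score=CERTIFICATION_MIN_SCORE):
    """Domains scoring below the minimum, as {domain: score}.

    Empty result: the ALL-domains gate is met (CSF Certified).  Any entry:
    the report would be Validated only, and each entry is where to look for
    compensating controls and a Corrective Action Plan.
    """
    scores = {name: score_domain(reqs) for name, reqs in domains.items()}
    return {name: s for name, s in scores.items() if s < min_score}


# Constructed sample ratings for two domains (not real assessment data).
SAMPLE = {
    "Password Management": [
        {"policy": "fully compliant", "procedure": "fully compliant",
         "implemented": "mostly compliant", "managed": "partially compliant",
         "measured": "non-compliant"},
        {"policy": "fully compliant", "procedure": "mostly compliant",
         "implemented": "fully compliant", "managed": "mostly compliant",
         "measured": "somewhat compliant"},
    ],
    "Audit Logging & Monitoring": [
        # Managed and Measured were never assessed: they score as non-compliant.
        {"policy": "mostly compliant", "procedure": "partially compliant",
         "implemented": "somewhat compliant"},
    ],
}

if __name__ == "__main__":
    for name, reqs in SAMPLE.items():
        print(f"{name}: {score_domain(reqs)}")
    print("below minimum:", certification_gaps(SAMPLE))
```

Two design points matter for an assessor: a maturity level that was never assessed defaults to non-compliant rather than being skipped, so missing evidence lowers the score instead of inflating it, and a misspelled rating raises rather than silently scoring zero. The gaps returned by `certification_gaps` are exactly the domains that would push a report from Certified to Validated-only, which is where the alternate-control and CAP steps later in the deck start.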

Page 46: Get Ready Now for HITRUST 2017

Step seven: Alternate Control Identification and Selection

Page 47: Get Ready Now for HITRUST 2017

Alternate Control Identification and Testing

• Only needed if non-compliant CSF controls exist
• Identify compensating controls
• Residual compliance scoring

Page 48: Get Ready Now for HITRUST 2017

Step eight: Reporting

Page 49: Get Ready Now for HITRUST 2017

Reporting

• Prepare for submission to HITRUST
  – Assessor testing
  – Management representation letter
  – Remediation plans (CAPs)
• HITRUST QA Review
  – 4 to 6 weeks

Page 50: Get Ready Now for HITRUST 2017

Step nine: Remediation Tracking

Page 51: Get Ready Now for HITRUST 2017

Remediation Tracking

• Corrective Action Plan (CAP) progress
  – CAP owner
  – Implementation plan
  – Expected completion date
• Residual risk score adjustments

Page 52: Get Ready Now for HITRUST 2017

The Certification Process 06

Page 57: Get Ready Now for HITRUST 2017

Issuing Certification

• Certification is valid for 2 years
  – Annual review within 2 months following the 1-year anniversary
• Continuous monitoring requirements
  – CAP remediation
