How does a CSF assessment meet the HIPAA requirement for a risk analysis, and can it be used to support an OCR audit?
HITRUST bases its framework on how risk management is defined, i.e., the process of managing risk to organizational operations, organizational assets or individuals resulting from the operation of an information system (the definition of which is quite broad), and includes (1) the conduct of a risk assessment, the implementation of a risk mitigation strategy, and employment of techniques and procedures for the continuous monitoring of the security state of the information system.
The conduct of a risk assessment and the implementation of a risk mitigation strategy (through the application of security controls) is generally the focus of OCR audits. Note the terms risk assessment and risk analysis are considered synonymous by the U.S. government, so the risk assessment is for all intents and purposes the risk analysis required under the HIPAA Security Rule.
HHS describes the risk analysis process as follows:
- Scope the assessment to include all ePHI
- Identify & document all assets with ePHI
- Identify & document all reasonably anticipated threats to ePHI
- Assess all current security measures
- Determine the likelihood of threat occurrence
- Determine the potential impact of a threat occurrence
- Determine the level of risk
- Document assigned risk levels and corrective actions
Using this process would require the complete enumeration of threat-vulnerability pairs and the design of controls to address these pairs, an exercise that is typically beyond the capability of many organizations, especially in the private sector. In fact, the U.S. government doesn’t use this approach either.
Instead, federal civilian agencies rely on the application of a control-based risk management framework developed by NIST, the controls for which are specified for three different levels of sensitivity and criticality of information: low, moderate and high. The assumption is that NIST has performed the underlying threat and vulnerability assessments necessary to support a “standard” risk analysis for these common types of information for common types of threats against a common type of organization (in this case, a federal agency).
Consistent with the flexibility of approach provided under 45 CFR § 164.306(b), HITRUST leverages the same type of approach in the HITRUST CSF the federal government uses. By using the international security standard, ISO 27001, as the basis of the CSF control structure and incorporating relevant regulations, standards and leading practices such as HIPAA, ISO 27002, and NIST SP 800-53, respectively, and some state-level requirements, the CSF provides a comprehensive set of harmonized controls relevant to the healthcare industry. With the assistance of the healthcare industry, these requirements were further refined and separated into three levels of implementation and specific categories for special types of organizations or information (e.g., CMS contractors or FTI custodians). Their selection is then dependent upon specific organizational, system and regulatory risk factors, which results in multiple control overlays as defined by NIST, and the overlay becomes the initial control baseline for that organization.
HITRUST modified the HHS risk analysis process to accommodate this control framework-based approach as follows:
- Conduct a complete inventory of where health information ‘lives’
- Perform an impact analysis on all systems with health information (criticality)
- Categorize & valuate systems based on sensitivity & criticality
- Select an appropriate framework baseline set of controls
- Apply an overlay and/or tailor based on a targeted risk analysis
- Evaluate residual risk using control maturity & impact ratings
- Rank risks and determine risk treatments
- Make contextual adjustments to likelihood & impact, if needed, as part of the corrective action planning process
HITRUST also encourages organizations to further tailor their control selection (their overlay) based on risks unique to the organization with respect to the criteria for the selected baseline, identify gaps in the protections specified and risks managed by the baseline controls, and then select or design additional controls or enhancements as needed.
It’s important to note that what has been discussed here is relevant to the risk analysis required by HIPAA and of course the implementation of an organization’s entire information protection program. However, this is not the same as the baseline assessment used by HITRUST for the purposes of certification and the sharing of assurances with third parties. NIST allows for targeted assessments to address specific questions an organization may have, which in the case of HIPAA compliance would mean assessing the CSF requirements that map the Security Rule’s standards and implementation specifications.
However, HITRUST’s goal—and the goal of many, if not most—healthcare organizations is to achieve the best trade-off between the costs incurred in examining all the controls that support the Security Rule requirements and the level of assurance around the state of compliance that the assessment provides. Obviously assessing all the controls in the CSF would provide the highest level of assurance but cost the most, and assessing none of the controls would cost the least but provide no assurance. HITRUST’s subset of controls required for CSF Certification provide a “sweet spot” between cost and assurance by addressing each and every one of the Rule’s requirements, including the requirement for risk analysis through the use of the HITRUST risk management framework to help specify an organization’s target profile based on their organizational, system and regulatory risk factors.
DHHS specifically references HITRUST and the CSF with respect to risk management and risk assessment in its Guidance on Risk Analysis Requirements under the HIPAA Security Rule. And although OCR does not endorse “any particular credentialing or accreditation program,” an OCR spokesperson stated the following: “We certainly encourage covered entities and business associates to build strong compliance programs internally. Many of these credentialing/accreditation programs can help them do so. OCR considers mitigation and aggravating factors when determining the amount of a civil monetary penalty, and these include the entity’s history of prior compliance. An entity with a strong compliance program in place, with the help of a credentialing/accreditation program or on its own, would have that taken into account when determining past compliance.”
Implementation of the CSF as the basis for an organization’s information protection program and subsequent use of HITRUST CSF Validated or Certified Assessments has also been accepted by OCR as evidence of their compliance with the HIPAA Security Rule, assuming the assessment addresses the appropriate scope relevant to OCR’s audit or investigation. The HITRUST CSF and CSF Assurance Program have also been used in resolution agreements with OCR.
For more information on risk analysis, refer to the Risk Analysis Guide for HITRUST Organizations and Assessors. A complete mapping of the HITRUST CSF to the HIPAA Security, Data Breach and Privacy Rules can be found in a spreadsheet provided in HITRUST’s downloadable CSF package via the License Agreement landing page. The article from which the OCR spokesperson was quoted can be found on the Healthcare Information Security Website.