By Uday Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP), Member (FBI) InfraGard.
HITRUST recently established the HITRUST CSF Assessor Council. The Assessor Council comes together at a time when rising multi-million-dollar compliance fines, class-action and breach-related lawsuits, and significant cyberattacks are proving disruptive to organizations. Consider the facts (Source: Verizon 2016 Data Breach Investigations Report):
- 89% of breaches had a financial or espionage motive
- 63% of confirmed breaches involved weak, default or stolen passwords
- Time to compromise an organization is typically minutes or less, while time to discovery is weeks or more
- Half of all exploitations happen between 10 and 100 days after a vulnerability is published
Unfortunately, there is every reason to expect these challenges to continue into 2017 and beyond. This is where the Assessor Council comes in: it will draw on industry challenges and real-world threat scenarios to continuously improve the CSF and its associated applications.
How Will the Council Work?
The CSF Assessor Council will interact regularly with HITRUST to share challenges and opportunities relating to HITRUST service offerings. It will hold four meetings over the course of the year.
Who is On the Council?
The CSF Assessor Council, comprised of eleven HITRUST CSF Assessors and one HITRUST executive, represents substantial and diverse expertise. The Assessor Council includes the following individuals with significant industry experience:
- Allen Bradley: Advisory Senior Manager, Deloitte
- Andrew Hicks: Principal, Healthcare and Life Sciences, Coalfire
- Greg Miller: Practice Leader, Schellman & Co
- Kevin O’Connell: Partner, PwC
- Maurice Liddell: Managing Director, Technology Advisory & Cybersecurity, BDO
- Nancy Spizzo: Managing Director, Healthcare and Risk Assurance, Fortrex
- Nancy Wilson: Vice President, Compliance and Security Services, Cautela Labs
- Nicole Romano: Director of Risk Consulting, KPMG LLP
- Sarah Jensen: Manager IT Security, IRM, Optum
- Steve Simmons: Director of SOC and Attestation Services, A-LIGN
- Ali Pabrai: Chief Executive, ecfirst
State of CSF Today
The Council will provide insight to continue to evolve and enhance the HITRUST CSF. The HITRUST CSF provides organizations with a comprehensive approach to regulatory compliance and to security and privacy risk management. HITRUST CSF version 8, released in 2016, added the following:
- Formal integration of mappings to the American Institute of Certified Public Accountants (AICPA) Trust Services Principles and Criteria
- Mappings to the HITRUST De-Identification Framework
- Mappings to the Center for Internet Security Critical Security Controls (CIS CSC) v6
- Mappings to the Payment Card Industry Data Security Standard (PCI DSS) v3.1, among others
CSF Update in Early 2017
HITRUST CSF v8.1, regarded as an intermediate release, will be finalized before the end of 2016 and rolled out in January 2017. HITRUST CSF v8.1 will provide additional timely updates, such as bringing the CSF up to date with:
- PCI DSS v3.2
- MARS-E v2
CSF v8.1 also simplifies some of the existing language in MyCSF assessment statements, which is intended to make the requirements easier to understand. Concurrent with the CSF v8.1 release, HITRUST will also release CSF BASICs (Basic Assurance and Simple Institutional Cybersecurity). CSF BASICs is a new HITRUST program intended to help smaller, relatively low-risk organizations, such as small physician practices, adopt good cybersecurity and privacy practices and provide satisfactory assurance to their patients, business partners and industry regulators that patient health information is adequately protected.
CSF Update in Mid-2017
HITRUST CSF v9 is the annual update expected in mid-2017. Updates in CSF v9 will address mappings to the following:
- Cyber Resilience Review (CRR)
- Federal Risk and Authorization Management Program (FedRAMP)
- Federal Financial Institutions Examination Council (FFIEC)
Getting Started with the Council
The Assessor Council was created to ensure that HITRUST CSF Assessors working with the healthcare industry are able to provide input to, and influence, the CSF Assurance program and its associated applications.
The Council will provide valuable insight to ensure that the CSF keeps pace with complex, evolving compliance mandates and disruptive cyberattacks.
The Japanese word kaizen, meaning "change for better" or continual improvement, captures the spirit the Assessor Council embodies: the continual improvement of the HITRUST CSF standard and its associated applications.
About the Author
Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP), Security+, a cyber security & compliance expert, is the chief executive of ecfirst.