The HITRUST CSF Advisory Council was established to coordinate with HITRUST to maintain and improve the HITRUST CSF, ensuring it meets the demands of today’s healthcare industry while leading the program into the future as the healthcare industry continues to grow and mature.

HITRUST CSF Advisory Council members actively advise and make recommendations to HITRUST with respect to the structure and content of the HITRUST CSF and CSF Assurance Program based on their various areas of subject matter expertise and experience, as well as the expertise and experience of their respective constituencies and other stakeholders.

In 2017, the Council was expanded with the addition of key standards and trade associations so that HITRUST could receive input and consensus from every healthcare sector where risk management is relevant.

The CSF Advisory Council Members include:

• America’s Health Insurance Plans (AHIP)
  Marilyn Zigmund Luke, Vice President, Special Projects
• American Hospital Association (AHA)
  Lawrence Hughes, Assistant General Counsel
• American Medical Association (AMA)
  Laura Hoffman, Assistant Director, Department of Federal Affairs
• American Medical Group Association (AMGA)
  Richard Stempniewicz, Chief Technology Officer
• Electronic Healthcare Network Accreditation Commission (EHNAC)
  Lee Barrett, Executive Director
• Texas Medical Association (TMA)
  J. Stefan Walker, M.D., HIT Committee Member and practicing physician
• Independent Member:
  Jason Taule, Chief Security Officer and Chief Privacy Officer, FEI Systems
• Independent Member:
  Kirk Nahra, Partner, Wiley Rein LLP

The HITRUST Third-Party Risk Management (TPRM) Council was formed to foster collaboration between companies, third-party vendors, and advisory service firms. The mission of the Council is to drive efficiencies and effectiveness as it relates to identifying, assessing, and mitigating risk in the complex supply chain ecosystem.

Founding members of the TPRM Council are global, security, risk, compliance, and audit executives representing a diverse cross-section of organizations. TPRM Council members are committed to identifying and supporting approaches to improve the current TPRM process—with a focus on increasing effectiveness and reducing inefficiencies.

Members of the TPRM Council include:

• Amazon Web Services (AWS) – Hadis Ali, Security Assurance Manager
• AT&T – Vecky Juko, Associate Director, Supplier Governance, Global Benefits
• Broadridge Financial – Sandra Rohrer, Sr. Director, Product Management, Marketing and Regulatory Communications
• Change Healthcare – Susan Richards, Director, Information Security
• Coalfire – Zachary Shales, Director, Healthcare Assurance
• Conduent – Troy Bos, Director, Client Assurance
• CVS Health – Steve Meallo, Information Security Program Management
• Frist Cressey Ventures – Chris Booker, Partner
• Frazier & Deeter – Andrew Hicks, VP, Risk Assurance
• Google – Sam Morales, Program Manager, Cloud Compliance
• Health Care Service Corporation (HCSC) – Chris Lodico, Sr. Director, Information Security
• Humana – Matt Phillips, Enterprise Information Security
• Mastercard – Ashish Gupta, VP, Cyber & Data Product Management
• Microsoft Azure – David Houlding, Director of Healthcare Experiences
• Rite Aid – Robert Lautsch, CISO
• Teleperformance – Jeffery Schilling, Global CISO
• UnitedHealth Group – Brian Troen, Sr. Director, Risk Governance & Supplier Management
• University of Pittsburgh Medical Center – John Houston, VP, Information Security & Privacy
• Vonage – Ordia Bryan, Sr. Manager, Global Security Compliance

HITRUST Third-Party Assurance Council Receives 2017 CSO50 Award for IDG’s CSO

Previously named the HITRUST Third-Party Assurance Council, this working group was named as an honoree of the 2017 CSO50 Award for IDG’s CSO. This prestigious honor is bestowed upon a select group of organizations that have demonstrated that their security initiatives have created outstanding business value and thought leadership for their companies.

View the official press release.

Now in its second year, the HITRUST Authorized External Assessor Council has grown to 25 appointees, representing a broad range of experience in information security and privacy. The council provides a forum to ensure that HITRUST Authorized External Assessors can directly submit input to HITRUST thereby influencing the HITRUST CSF Assurance program to continually ensure and evolve its integrity, effectiveness, and efficiency. The creation of the Quality Subcommittee further upholds the continued focus on maintaining a standard of excellence.

The HITRUST Authorized External Assessor Council interacts regularly with HITRUST to share challenges and opportunities relating to HITRUST service offerings. It holds periodic meetings over the course of each year.

HITRUST Authorized External Assessor Council members include:

• 360 Advanced, Inc. – Brad Lyons and Chelsea Higgins
• BDO USA, LLP – Deepak Chaudhry and Josh Ayers
• Beyond LLC – Cathlynn Nigh and Ray Biondo
• Coalfire – Zachary Shales and Arthur Staff
• Crowe LLP – Erika Del Giudice and Jaclyn Dettloff
• Deloitte & Touche LLP – Allen Bradley
• Frazier & Deeter – Andrew Hicks
• Grant Thornton, LLP – Powell Jones and Timothy Davis
• Intraprise Health –Melissa Hawkins and Ryan Patrick
• LBMC, PC – Nancy Spizzo and Drew Hendrickson
• NCC Group – Jay Trinkes and Kurt Osburn
• PwC – Dennis Quandt and Adrian Christie
• Wipfli LLP – Paul Johnson and Karen Johnston
• Wolf & Company, P.C. – Michael Kanarellis

HITRUST Quality Subcommittee members include:

• Frazier & Deeter – Andrew Hicks
• LBMC, PC – Nancy Spizzo
• PwC – Dennis Quandt
• Intraprise Health – Ryan Patrick
• Coalfire – Zachary Shales

Organizations no longer operate in a fixed environment. Today, more than ever, it is critical to continually innovate and address the new technologies, laws, and regulations that impact organizations as they develop and grow.

The Research Advisory Council will identify opportunities to help ensure the HITRUST Approach remains current and relevant to the needs of the HITRUST community. Members will advise and make recommendations to the OR&S based on their area of research or technical expertise.

Learn more about the HITRUST Research Advisory Council here.

HITRUST is launching a new Mobile Application Environment (MAE) Working Group (WG) to help solve the market need for organizations that employ mobile applications (apps) within their environment to ensure and provide interested stakeholders reasonable assurances that the internal development, distribution, implementation, and usage of apps are done securely.

The goal of the HITRUST MAE WG will be to support the development and integration of organizational-level mobile app environment-related security and privacy control requirements into the HITRUST CSF and HITRUST CSF Assurance Program. The scope of the WG’s efforts may include an organization’s internal development, vetting, deployment, and operation of mobile apps and mobile devices, but does not currently include the technical testing and certification of the mobile apps themselves.

HITRUST MAE WG Members will advise and make recommendations to HITRUST in the following key areas:

• Formal definition of the term “mobile applications environment” consistent with public and private sector usage and its intended use for the purpose of HITRUST CSF Certification.
• Identification of security and privacy risks specific to an organization’s MAE, as defined, and the specification of structured HITRUST CSF control requirements to mitigate those risks, which may include but are not limited to:
  • Apps pushed to mobile devices and personal computers via a third party or organizational app store, and
  • Apps intended to run from a browser.

Specification of related changes, if any, to the HITRUST CSF Assurance Program to support the assessment and certification of an organization’s MAE, as defined.

The HITRUST Information Security Continuous Monitoring (ISCM) Working Group (WG) will help develop the HITRUST CSF Ongoing Certification (OC) Program in an effort to fully define the ISCM-based approach.

The HITRUST ISCM WG includes organizations with mature ISCM programs to help develop the ISCM-based approach. As we move forward with cultivating the HITRUST CSF OC Program, we intend to develop control requirements for organizations’ internal ISCM and ongoing authorization programs, define reporting requirements between organizations and HITRUST Authorized External Assessors to support continuous assessment of the security controls, define reporting requirements between the External Assessors and HITRUST, and develop OC criteria for maintaining certification or requiring the recertification or decertification of an assessed organization.

Members of the HITRUST ISCM WG will assist in the definitions of these requirements and help develop criteria for future maintenance of certification and future requirements of recertification or decertification, as appropriate for assessed organizations.

The HITRUST Shared Responsibility Working Group Develops a Matrix for Control Responsibility and Inheritance for Cloud Service Providers

The HITRUST Shared Responsibility Working Group develops content for the Shared Responsibility Matrix. This matrix of HITRUST CSF Controls will list out the common set of sharable and inheritable controls based on a specific third-party service provider’s CSF Certification. This vendor/service-specific matrix will be used as a tool to ensure alignment between customers and service providers to identify which party is responsible and where shared responsibility occurs for controls. Matrix will include:

1. Recommendations for assigning responsibility for controls and specific requirements for shared controls, and help ensure all aspects of control responsibility are understood when outsourcing systems and services to third-parties. This allows organizations to determine those controls that are—or should be—a third-party’s full responsibility and understand their own specific duties for those that are a shared responsibility.
2. Assessment Guidance on how evidence can be obtained and validated. A completed matrix would then be used by the External Assessor as part of the CSF Assessment to ensure compliance.

Protecting sensitive information is a challenge for any organization and even more so for organizations that retain third-party service providers, such as a cloud hosting company, platform-as-a-service, or business process outsourcer. There is added complexity and time-consuming effort that comes with determining who is responsible for the operation of security controls and gaining assurance that these controls are operating effectively by both parties.

The HITRUST Shared Responsibility Program will help remove the guesswork, ambiguity and confusion that comes with defining control responsibility between customer and service provider by outlining data governance, information risk management and regulatory compliance requirements in clear, concise language. The program will ensure organizations and their third-party cloud providers appropriately identify and assess information security controls. This will allow for the complete and accurate sharing of assurances between and amongst organizations, third-party service providers and other relying parties.

HITRUST Threat Catalogue Working Group Develops Catalog of PHI Threats for Healthcare Industry

The HITRUST Threat Catalogue Working Group develops a catalog of threats to protected health information (PHI). By tying these threats to the CSF controls that are intended to address them, the catalog will support two very important goals.
First, the catalog will be used by the HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3) to help healthcare organizations react to threat intelligence by reviewing their implementation and monitoring of CSF controls that address the threats identified in the reports. Cyber threat intelligence and lessons learned from incident response will also be used to provide real-time and near real-time guidance on how organizations can address these threats, as well as provide interim guidance on modifications necessary for existing CSF control requirements as well as recommendations for new requirements when necessary. By issuing interim guidance and formally incorporating this guidance into the CSF at least annually, HITRUST will provide a healthcare information protection framework that is better and able to keep up the pace with a constantly evolving cyber threat environment.

Second, the catalog will be used to help healthcare organizations satisfy their obligations under the HIPAA Security Rule to identify all reasonably anticipated threats to ePHI as well as support the risk analyses required to (1) further tailor their selected CSF controls based on any unique threats to the organization’s PHI, which is consistent with the overlays addressed in NIST SP 800-53 r4; (2) evaluate the suitability of alternate (compensating) controls, which provide additional flexibility for organizations in the tailoring of the CSF to their specific needs; and (3) support an organization’s decision to accept the risk associated with not implementing or only partially implementing one or more CSF control requirements.