To communicate changes and/or clarifications to existing HITRUST CSF Assurance Program Requirements, HITRUST provides regular CSF Assurance Bulletins. These bulletins contain CSF Assurance Program advisory notices, and are highly recommended for CSF Assessor firms, Certified CSF Practitioners, and adopting organizations.

Please review each advisory below in its entirety to assess its impact on CSF implementation and assessments.

Summary of HITRUST Assurance Advisories 2017

Impacted Policy/Program Name

CSF Assurance Program

Date

March 6, 2017

Advisory Type

Process Change

Advisory Details

This bulletin is to communicate a change in the assurance process regarding the processing of validated assessments and the time allowed to respond to a HITRUST Quality Assurance (QA) request.

After a validated assessment has been submitted, HITRUST responds within 24-48 hours with a QA Letter. This letter requests supporting evidence for those controls selected for QA, those controls that have been assigned a Measured/Managed score, and those controls marked as N/A. Supporting evidence should be provided within 14 days of the issuance of the QA Letter. If supporting evidence is not provided within that time frame, HITRUST will only issue a self-assessment report in lieu of a validated report. No certification will be awarded.

Rationale

Establishing a deadline for receiving QA materials will help ensure a timely and efficient process for generating draft reports. As evidence is supposed to be gathered throughout the assessment process, submitting artifacts in support of a QA request should be a minimal effort. Assessor organizations that have gathered evidence throughout the effort should not be impacted by this advisory. The timely processing of a client’s assessment through QA is best achieved if the QA Letter is responded to promptly. Failure to respond in a timely manner may indicate that an assessor has not collected, and is not maintaining, adequate working papers in support of its assessments. This may lead to a conclusion that adequate validation has not occurred and may therefore result in the issuance of a self-assessment report.

Timetable for Implementation

Immediate: This bulletin is a clarification to the existing process and will impact all assessments submitted to HITRUST as of the date of issuance of this advisory.

Impacted Policy/Program Name

CSF Assurance Program

Date

July 31, 2017

Advisory Type

Clarification

Advisory Details

This advisory is being issued to address situations where a service organization has decided to pursue a SOC report and a HITRUST CSF Validated assessment report, and engages separate organizations to perform the work supporting the two reports. When this occurs and the HITRUST CSF assessor organization intends to rely on a SOC report that was performed as part of an AICPA SOC engagement, there are certain considerations which should be addressed during engagement planning.

Rationale

First, determine if you are entitled to use the SOC Report:

Since SOC reports are limited-distribution reports, the service organization (unless it is a user of its own service) and its HITRUST CSF assessor organization are typically not intended users (user organizations) of a SOC report issued by the service organization that contains an independent opinion provided by the service auditor. For any organization to be an intended user of a SOC report, it has to be a user of the service covered by the service organization’s SOC report. If the user organization and its HITRUST CSF assessor are not intended users of the report, they cannot directly place reliance on the SOC report for purposes of testing to support a HITRUST CSF Validated assessment.

Next, if you are an intended user, determine whether you can place reliance on the report:

If, however, the user organization, and by extension its HITRUST CSF assessor organization, are intended users of the SOC report, they may be able to place reliance on the SOC report. This reliance is subject to the understanding/expectation that in a HITRUST CSF assessment the control requirements are very prescriptive. So, for the assessor to rely on the SOC report, it would need evidence at that granular level of detail, both in the section that describes the controls and in the auditor’s section where the controls were tested and the results of those tests were disclosed. For example, simply having in the description that the service organization has password management policies and procedures, with the service auditor simply stating that it tested the password management system, would not suffice. The report would have to contain more detail, and the assessor organization would need to obtain a copy of the associated testing workpapers to support the operating effectiveness of the control for inclusion in its own workpapers, which is not a probable scenario in the marketplace. If workpapers are successfully obtained, the assessor organization must follow the professional standards that apply when relying on the work of others, which include but are not limited to assessing the competency, objectivity and independence of the firm that performed the SOC report work. The assessor organization would also have to draw its own conclusions from the evidence obtained through the execution of its own independent procedures.

Also, during the HITRUST QA process, HITRUST will ask for testing evidence in support of the certification. Responding to this request along the lines of “relied on the SOC 2 testing” would not be sufficient. HITRUST would need evidence that the SOC 2 testing included the level of detail and rigor discussed in the previous paragraph. Besides the testing workpapers, this may require the assessor organization to perform a walkthrough to verify its understanding, along with a reference to the specific description/tests performed by the service auditor. It is important to understand that, even when the assessor’s client is an intended user of a SOC report used to support a validated assessment engagement, the assessor organization must still perform a level of due diligence and independent verification in line with the published assessor guidance. This includes determining whether the testing that was done for the SOC report was adequate and appropriate, given the scope of the assessment report, to address the HITRUST CSF requirement(s). It is also important for assessors to understand that even if they are an intended user of a SOC report as an extension of management, the intended use of that report must be appropriately understood before an assessor organization can rely on it, which can be accomplished through a discussion with the service organization. Failure to abide by these rules may result in HITRUST not issuing a validated/certified report and could lead to sanctions being imposed on an assessor organization.

As a final consideration, and given the sensitivity of workpapers, the CPA organization will likely be reluctant to provide access to or copies of its workpapers to the HITRUST CSF assessor organization. So where two different organizations are involved in producing a SOC report and a HITRUST CSF Validated assessment report, there will need to be discussions with service organization management about whether the sharing of testing procedures is an option.

Timetable for Implementation

Immediate: This bulletin is a clarification to the existing process and will impact all assessments submitted to HITRUST as of the date of issuance of this advisory.

Impacted Policy/Program Name

CSF Assurance Program

Date

August 24, 2017

Advisory Type

Process Change

Advisory Details

This bulletin is to communicate a change in the assurance process regarding the performance and processing of interim assessments.

In an effort to streamline the interim assessment process, HITRUST will move to an online process with the launch of MyCSF 2.0.

Rationale

Historically, assessors have had a great deal of latitude when it comes to the interim assessments for organizations that are HITRUST CSF Certified. As such, there has been a wide variance in the materials that are received in documentation of this assessment. By building the interim assessment into the MyCSF platform, HITRUST hopes to increase consistency in the documentation of results as well as provide increased efficiencies for Assessors and Assessed Entities.

Timetable for Implementation

Effective with the release of MyCSF 2.0. Assessed Entities will not need to comply with the new process until they are migrated into MyCSF 2.0.

Impacted Policy/Program Name

CSF Assurance Program

Date

September 12, 2017

Advisory Type

Assurance Requirements

Advisory Details

This bulletin is to remind assessor organizations about the expectations of the assurance process regarding the performance of testing of control requirements for assessments.

The validation process of the HITRUST CSF Assurance Program requires validation of all control requirements (100%) that are generated in an assessment based on the Assessed Entity’s risk factors. In addition, the expectation is that this testing be performed on site with a few exceptions. The exceptions are:

  • Reliance on a third-party attestation in lieu of testing
  • Inheritance of scores from a current validated assessment
  • In cases where an organization deploys a virtual workforce (work from home) and an on-site visit is impractical.

HITRUST reserves the right to expand the QA process to include additional controls (up to 100%) and support for scores on a case-by-case basis at its sole discretion.

Rationale

This reminder is being issued due to feedback that some Assessors may be performing most, if not all, testing remotely, and that testing may not include 100% of the control requirements in an assessment. HITRUST takes the integrity of the assurance program seriously and will take steps to ensure that program requirements are being met in all cases.

Timetable for Implementation

Already effective per HITRUST CSF Assurance Program requirements.

Summary of HITRUST Assurance Advisories 2016

Impacted Policy/Program Name

CSF Assurance Program Requirements

Publication Date

January 12, 2016

Effective Date

Immediate: This bulletin is to clarify existing policy.

From

Ken Vander Wal, Chief Compliance Officer, HITRUST

Advisory Type

Requirement Clarification

Policy/Program Clarification Details

This bulletin clarifies the treatment of controls required for Certification in situations where certain controls are outsourced to a third party, and the impact of outsourced controls on a HITRUST CSF validated assessment.

Organizations may not transfer risk or the obligation to obtain satisfactory assurances relating to HITRUST CSF controls. It is the assessed entity’s responsibility to ensure that all assessed controls, either supported directly or through use of a third party, are in place and functioning according to HITRUST CSF requirements.

Under no circumstances are outsourced controls or those supported by a third party considered “Not Applicable” when performing a CSF Assessment. All controls must be tested by an approved CSF Assessor, or the CSF Assessor must determine the controls have been satisfactorily tested by another independent party consistent with HITRUST CSF Assurance Program requirements. For example, CSF Assessors may be able to rely on a current CSF Certification report, CSF Validated Report, or a current SOC 2 report that is based on the HITRUST CSF criteria.

Rationale

HITRUST has seen a growing trend in the outsourcing of certain HITRUST CSF controls. In many instances, the validated assessment is submitted with the outsourced controls listed as “Not Applicable,” or the CSF Assessors are provided assessments performed with limited understanding of the scope, methodology, or assurance of accuracy relating to the controls in question. HITRUST has been returning these assessments to the CSF Assessor in order to perform the required testing and score the controls in question. HITRUST is releasing this bulletin to clarify the HITRUST CSF Assurance Program requirements related to the outsourcing of controls. This should allow CSF Assessors to more clearly communicate this requirement to their clients and prevent costly re-work related to outsourced controls.

Timetable for Implementation

Immediate: This bulletin is to clarify existing policy.

Impacted Policy/Program Name

CSF Assurance Program Requirements

Publication Date

January 12, 2016

From

Ken Vander Wal, Chief Compliance Officer, HITRUST

Advisory Type

Requirement Change

Policy/Program Change Details

This change will require submission of all corrective action plans that are REQUIRED for certification within 30 days of the posting of the corresponding draft report. Failure to submit the required corrective action plans within the 30 day timeframe will result in the report being issued final as VALIDATED and not CERTIFIED. The Letter of Certification included in the report will be replaced with a Letter of Validation.

Rationale

HITRUST’s policy is to issue a final report no later than 30 days after the draft report is posted. HITRUST cannot issue a final report in cases where there are REQUIRED corrective actions as a condition of CERTIFICATION without the required corrective action plans. HITRUST has been experiencing long delays and/or failures in receiving required corrective actions in a timely manner. This has had an adverse effect on HITRUST’s ability to achieve its desired SLA with regard to processing of these reports. It is believed that this new policy will encourage organizations to be more diligent and submit corrective action plans within the allotted timeframe.

Timetable for Implementation

Effective Date: January 15, 2016

Enforcement Date: April 1, 2016

Impacted Policy/Program Name

CSF Assurance Program Requirements

Date

January 12, 2016

Advisory Type

Requirement Change

From

Ken Vander Wal, Chief Compliance Officer, HITRUST

Policy/Program Change Details

This change adds CSF control 01.t Session Time-out to the CSF controls REQUIRED for certification with the 2016 CSF version 8 release. Failure to include CSF control 01.t after the 2016 release will prevent organizations from submitting their assessments for HITRUST validation and certification. This addition increases the total number of CSF controls required for HITRUST CSF certification from 64 to 65.

Rationale

HIPAA § 164.312(a)(2)(iii), an addressable implementation specification that requires organizations to “implement electronic procedures that terminate an electronic session after a pre-determined time of inactivity,” is currently supported by CSF control 01.h, Clear Desk and Clear Screen Policy, for the purpose of HITRUST CSF certification. Although CSF control 01.h requires the use of a protected screen and keyboard locking mechanism if a user is logged into a computer or terminal, CSF control 01.t more specifically addresses the intent of the language in the HIPAA specification.
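The behaviour the HIPAA specification asks for, termination of a session after a pre-determined period of inactivity, is shown below as an added example; it is not HITRUST or HHS code and the 15-minute idle and 8-hour absolute limits are illustrative assumptions, not values mandated by CSF control 01.t. The store tracks last activity per session, refreshes the idle timer on every authenticated request, and also enforces an absolute lifetime so that a continuously active session cannot live forever. The clock is injectable so that expiry can be exercised without waiting.

```python
"""Idle and absolute session timeouts (added example, not HITRUST's code)."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT_SECONDS = 15 * 60        # illustrative value, not a CSF-mandated one
ABSOLUTE_TIMEOUT_SECONDS = 8 * 3600   # illustrative value, not a CSF-mandated one


@dataclass
class Session:
    user: str
    created_at: float
    last_activity: float


class SessionStore:
    """In-memory session store keyed by an unguessable token.

    The clock is injectable so expiry logic can be tested without sleeping.
    """

    def __init__(self,
                 idle_timeout: float = IDLE_TIMEOUT_SECONDS,
                 absolute_timeout: float = ABSOLUTE_TIMEOUT_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.clock = clock
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def state(self, token: str) -> str:
        """Return 'active', or the reason the session is gone ('unknown',
        'absolute', 'idle'). Expired sessions are deleted on detection so a
        later request cannot revive them."""
        s = self._sessions.get(token)
        if s is None:
            return "unknown"
        now = self.clock()
        if now - s.created_at >= self.absolute_timeout:
            reason = "absolute"
        elif now - s.last_activity >= self.idle_timeout:
            reason = "idle"
        else:
            return "active"
        del self._sessions[token]
        return reason

    def touch(self, token: str) -> Optional[str]:
        """Call on every authenticated request. Returns the user name if the
        session is still live (and refreshes the idle timer), else None."""
        if self.state(token) != "active":
            return None
        s = self._sessions[token]
        s.last_activity = self.clock()
        return s.user

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)

    def active_count(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    # Walk a fake clock forward instead of sleeping.
    fake_now = [0.0]
    store = SessionStore(idle_timeout=900, absolute_timeout=3600,
                         clock=lambda: fake_now[0])
    tok = store.create("alice")
    fake_now[0] = 500
    print("after 500s idle:", store.touch(tok))     # alice
    fake_now[0] = 1500
    print("after 1000s idle:", store.touch(tok))    # None, idle limit hit
```

Note that the check runs on every request rather than on a background sweep, so a request that arrives after the idle window is refused even if a periodic cleanup has not run yet; the two timeouts are compared with the session's own timestamps, so the order of the checks (absolute before idle) only affects which reason is reported.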

Timetable for Implementation

Effective Date: Assessments generated with Version 8 of the HITRUST CSF

Enforcement Date: Assessments generated with Version 8 of the HITRUST CSF

Impacted Policy/Program Name

CSF Assurance Program Requirements

Date

January 12, 2016

Advisory Type

Requirement Change

Policy/Program Change Details

This change adds CSF control 01.e, Review of User Access Rights, to the CSF controls REQUIRED for certification with the 2016 CSF version 8 release. Failure to include CSF control 01.e after the 2016 release will prevent organizations from submitting their assessments for HITRUST validation and certification. This addition increases the total number of CSF controls required for HITRUST CSF certification from 65 to 66 after the addition of 01.t, Session Time-out, per HAA 2016-003.

Rationale

HITRUST has received numerous inquiries from healthcare organizations over the past several years about including the review of user access rights in the controls required for certification. “Recertification” of user access is a common if not ubiquitous item on internal and external audits and an essential component of privilege management. Recertification helps prevent “access creep” for workforce members who transfer from one position to another within an organization, as well as providing the organization with another check on the validity of initial privileges granted to new workforce members and additional assurance that access for terminated workforce members has been revoked. Ensuring that only current workforce members have access helps reduce the overall attack surface for malicious cyber threat actors and further inhibits the ability of these malicious actors to escalate user privileges and subsequently maintain them if an account is successfully compromised.
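The three conditions the rationale describes (entitlements kept after a transfer, access still enabled after termination, and accounts with no current workforce member behind them) can be surfaced mechanically by cross-checking the account inventory against the HR roster and a role baseline. The script below is an added example, not HITRUST tooling; the roster, accounts, roles and entitlement names are constructed sample data and the record layout is an assumption. Accounts that are already disabled are skipped, since their access has already been revoked.

```python
"""User access recertification (added example, not HITRUST's code)."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Account:
    enabled: bool
    entitlements: Set[str]


@dataclass(frozen=True)
class Finding:
    account: str
    kind: str      # 'excess', 'terminated' or 'orphaned'
    detail: str


# Hypothetical baseline: entitlements each role is allowed to hold.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "nurse":   {"ehr_read", "ehr_write"},
    "billing": {"ehr_read", "claims"},
    "dba":     {"ehr_read", "db_admin"},
}

# Constructed HR roster keyed by account name.
HR_ROSTER: Dict[str, Dict[str, str]] = {
    "asmith": {"status": "active", "role": "nurse"},
    "bjones": {"status": "active", "role": "billing"},     # transferred from dba
    "cwu":    {"status": "terminated", "role": "nurse"},
    "dwhite": {"status": "terminated", "role": "billing"},
}

# Constructed account inventory from the identity store.
ACCOUNTS: Dict[str, Account] = {
    "asmith":  Account(True,  {"ehr_read", "ehr_write"}),
    "bjones":  Account(True,  {"ehr_read", "claims", "db_admin"}),  # db_admin left over
    "cwu":     Account(True,  {"ehr_read"}),                        # still enabled
    "dwhite":  Account(False, {"ehr_read", "claims"}),              # already disabled
    "svc_old": Account(True,  {"db_admin"}),                        # no HR record
}


def review_access(roster: Dict[str, Dict[str, str]],
                  accounts: Dict[str, Account],
                  baseline: Dict[str, Set[str]]) -> List[Finding]:
    """Compare every enabled account with the roster and role baseline."""
    findings: List[Finding] = []
    for name, acct in sorted(accounts.items()):
        if not acct.enabled:
            continue  # access already revoked; nothing to recertify
        person = roster.get(name)
        if person is None:
            findings.append(Finding(name, "orphaned",
                                    "enabled account with no HR record"))
            continue
        if person["status"] != "active":
            findings.append(Finding(name, "terminated",
                                    f"status={person['status']} but account still enabled"))
            continue
        # An unknown role has no baseline, so every entitlement is excess.
        allowed = baseline.get(person["role"], set())
        excess = sorted(acct.entitlements - allowed)
        if excess:
            findings.append(Finding(name, "excess",
                                    f"role={person['role']} not entitled to: {', '.join(excess)}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by kind, e.g. for the review sign-off record."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_access(HR_ROSTER, ACCOUNTS, ROLE_BASELINE):
        print(f"{f.kind:10} {f.account:8} {f.detail}")
    print(summarize(review_access(HR_ROSTER, ACCOUNTS, ROLE_BASELINE)))
```

In practice the roster comes from the HR system of record and the inventory from each application or directory; the useful property of the comparison is that it is keyed on the account, so a transfer shows up as excess entitlements against the new role rather than being hidden by the fact that the account itself is legitimate.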

Timetable for Implementation

Effective Date: Assessments generated with Version 8 of the HITRUST CSF

Enforcement Date: Assessments generated with Version 8 of the HITRUST CSF

Impacted Policy/Program Name

CSF Assurance Program Requirements

Date

August 3, 2016

Advisory Type

Requirement Change

Policy/Program Change Details

This advisory reminds CSF Assessor Organizations of the addition of CSF control 01.e, Review of User Access Rights, and CSF control 01.t, Session Time-out, to the CSF controls REQUIRED for certification with the 2016 CSF version 8 release. (See HAA 2016-003 and -004.) Failure to include CSF controls 01.e and 01.t will prevent organizations from submitting their assessments for HITRUST validation and certification against the CSF version 8 release. These two additional requirements increase the total number of CSF controls required for HITRUST CSF certification from 64 to 66.

Rationale

See HAA 2016-003 and HAA 2016-004.

Timetable for Implementation

Effective Date: 1 July 2016

Impacted Policy/Program Name

CSF Assurance Program Requirements

Date

August 3, 2016

Advisory Type

Requirement Change

Policy/Program Change Details

HITRUST policy has been to increase the number of controls required for CSF certification over time: 45 controls were required in 2009 for the initial release of the HITRUST CSF, and 66 controls are now required for certification against the v8 release. HITRUST has decided to accelerate the process of adding controls required for CSF certification and incorporate all 135 CSF security controls in CSF Categories 0 thru 12 within five (5) years. HITRUST organizations and assessors should plan for significant increases in the number of control requirements assessed for certification in all future releases until such time as all 135 controls are addressed.

Rationale

The level of due diligence required to obtain satisfactory assurances around an entity’s information protection program has changed significantly in recent years. Along with the increased use of the HITRUST CSF to support scorecards against external frameworks such as the NIST Framework for Improving Critical Infrastructure Cybersecurity, combined HITRUST CSF and AICPA SOC 2 reporting, and cyber-insurance underwriting, this led HITRUST to commit to its Board of Directors to integrate all the HITRUST CSF control requirements into the certification process within five (5) years.

Timetable for Implementation

Immediate: This bulletin is to clarify existing policy.

Impacted Policy/Program Name

CSF Assurance Program Requirements

Date

August 3, 2016

Advisory Type

Modification

Policy/Program Change Details

Organizational risk factors were revised as follows:

Note that the CSF implementation level selected for an applicable CSF control is determined by one and only one of the multiple risk factors listed in the table for each healthcare vertical, in the order of preference indicated. System risk factors generally only impact implementation level selection for system controls; however, regulatory factors can force selection of a higher implementation level for either organizational or system controls, as previously discussed. Geographic scope (e.g., multi-state) is also retained.

Rationale

In August of 2014, as part of this ongoing maintenance of the CSF, HITRUST chartered an industry working group to examine the current risk factors and make recommendations for improvement if needed. Upon review, the working group determined that modifications to the volume of business in the organizational factors were needed.

The consensus of working group members was that a significant determinant of relative risk amongst organizations is the number of individual records that they hold and/or process, regardless of the class (or vertical) in which the organization resides. The rationale is based primarily on common use of the average cost of a breach per individual record compromised to estimate the costs of a specific breach. Further, the total number of individual records that could potentially be compromised then provides an estimate of the organization’s maximum exposure in the event of such a catastrophic breach.

However, since in HITRUST’s experience not all healthcare organizations can provide a precise estimate of the total number of individual records they hold, the working group decided to provide an alternative risk factor based on the number of individual records processed annually.

Timetable for Implementation

Effective Date: July 1, 2016 (when used with the CSF v8 Release or later)

Impacted Policy/Program Name

CSF Assurance Program Assessments

Date

August 3, 2016

Advisory Type

Clarification

Policy/Program Change Details

HITRUST will continue to accept and process validated assessments under CSF v7 until December 31, 2016 which is six (6) months after the release of CSF v8. It should be noted that once a new version of the CSF is released, any new assessments or changes to existing assessments will cause the assessment to update to the current/latest version of the CSF.

Rationale

HITRUST recognizes that any increase in requirements, even one as small as the 10% in the HITRUST CSF v8 release, may not have been considered when preparing for a CSF validated assessment. This grace period allows organizations that purchased assessments based on the CSF v7 controls, or that may have already begun their assessments with CSF v7, to complete them.

Timetable for Implementation

Effective Date: July 1, 2016

Enforcement Date: December 31, 2016

Impacted Policy/Program Name

CSF Assurance Program

Date

August 3, 2016

Advisory Type

Clarification

Policy/Program Change Details

HITRUST continues to recommend that “readiness assessments” be conducted for an organization’s entire HITRUST CSF-based information protection program, i.e., against all 135 security controls as scoped to their environment rather than only those controls required for CSF certification.

Rationale

This will help ensure both the approved HITRUST CSF Assessor and the assessed organization are always aware of the status of the information protection program and can readily support a CSF controls assessment, regardless of type (e.g., a security assessment used for certification or a comprehensive security assessment used to generate a regulatory scorecard).

Timetable for Implementation

Immediate: This bulletin is to clarify existing policy.

Impacted Policy/Program Name

CSF Assurance Program Requirements

Date

August 3, 2016

Advisory Type

Guidance

Policy/Program Change Details

This advisory clarifies the treatment of controls required for certification in situations when certain controls are outsourced to a third party and they are inherited by the assessed entity.

Organizations may not transfer risk or the obligation to obtain satisfactory assurances relating to HITRUST CSF controls. It is the assessed entity’s responsibility to ensure that all assessed controls, either supported directly or through use of a third party, are in place and functioning according to HITRUST CSF requirements.

All controls must be tested by an approved CSF Assessor, or the CSF Assessor must determine the controls have been satisfactorily tested by another independent party consistent with HITRUST CSF Assurance Program requirements. Where the testing involves inheriting the control from another HITRUST CSF Validated Assessment, the assessor should obtain the current status of the relied upon HITRUST CSF Validated Assessment to ensure it is still valid and in good standing. If that is the case, no further testing of the control should be required.

Rationale

HITRUST has seen a growing trend in the outsourcing of certain HITRUST CSF controls. Often this involves a hosting or third-party service provider arrangement. In order to keep the assessment process as efficient as possible, HITRUST has introduced the concept of inheriting validated controls from a hosting or service provider. This should streamline the validation that takes place for an organization that uses a participating hosting provider by testing only the controls the assessed entity is responsible for, without re-testing controls that were previously validated by the hosting provider. The inheritance feature should also transfer the scores for these controls, which will eliminate the manual transfer of scores and provide greater consistency of results. HITRUST is releasing this advisory to clarify the HITRUST CSF Assurance Program requirements related to the inheritance of controls.

Timetable for Implementation

Effective Date: Immediate

Impacted Policy/Program Name

CSF Assurance Program Requirements

Date

September 21, 2016

Advisory Type

Requirement Change

Policy/Program Change Details

Any assessment that is generated or updated after October 1, 2016, will include an Assessor timesheet. This timesheet must be filled out prior to submitting the assessment to HITRUST for processing. MyCSF will prevent submission if the timesheet is not completed. The timesheet will require assessors to list the name, CCSFP number (if applicable), and hours worked on the assessment for each assigned resource. This includes all resources that worked on the assessment and not just CCSFP resources. It will also require a resource be designated as the assessment lead and another as quality assurance reviewer.

Rationale

HITRUST CSF Assurance Program requirements stipulate that at least one third of the hours worked on an assessment be performed by a CCSFP. In addition, Assessor organizations are required to demonstrate internal quality assurance processes as part of the approval to become an assessor organization. HITRUST will leverage this new functionality in MyCSF to ensure that all validated CSF assessments are performed consistent with the CSF Assurance Program and Approved Assessor Firm requirements.

Timetable for Implementation

Effective Date: October 1, 2016

Enforcement Date: Any new or refreshed assessments after October 1, 2016

Impacted Policy/Program Name

CSF Assessor Access to MyCSF

Date

December 15, 2016

Advisory Type

Policy Change

Policy/Program Change Details

This bulletin is to communicate some changes in policy regarding the access levels and functional capability of CSF Assessors within the MyCSF tool.

The first policy change deals with the test (scoping) objects available to CSF Assessors. CSF Assessor test objects will be moved to and created in the MyCSF Demo environment. The number of assessment objects in the Demo environment will be determined by the participation tier of the Assessor firm with large assessors receiving 50, medium assessors 25 and small assessors 10 test objects. These objects will expire after nine months and will no longer be exportable.

A related policy change removes the capability for CSF Assessors to export content from the Production MyCSF environment (test objects that might previously have been used to do this are now in the Demo environment) unless they are working with a client that has purchased that capability. CSF Assessors requiring an electronic copy of an assessment to evidence the work that was performed may request that an electronic PDF copy be published to the MyCSF portal for archival purposes. Requests for archive copies of assessments can be made to support@hitrustalliance.net.

The last policy change addresses those engagements where CSF Assessors are assisting a client with a Self-Assessment. Assessors can now be assigned to the Self-Assessment objects of their clients without the need for a client email address and additional MyCSF user ID.

Rationale

HITRUST has had numerous requests from CSF Assessors regarding increasing the number of test objects and having the ability to preview forthcoming releases of the HITRUST CSF. Implementation of this policy will afford Assessors the preview capability they desire and increase the number of assessment objects, while better enforcing the intended use of MyCSF test objects. Test objects in MyCSF assigned to CSF Assessors are limited to internal use only and are provided to allow for scoping and pricing of potential assessment engagements.

These changes will also allow CSF Assessor firms to better assist their clients with readiness assessments without having to create multiple IDs in MyCSF.

Timetable for Implementation

March 1, 2017


Summary of HITRUST Implementation Advisories 2016

Topic

Malware

Subject

HHS FACT SHEET: Ransomware and HIPAA

Date

August 25, 2016

Advisory Type

Clarification

Summary

One of the biggest current threats to health information privacy is the serious compromise of the integrity and availability of data caused by malicious cyber-attacks on electronic health information systems, such as through ransomware. The FBI has reported an increase in ransomware attacks and media have reported a number of ransomware attacks on hospitals.

To help healthcare entities better understand and respond to the threat of ransomware, the HHS Office for Civil Rights has released new Health Insurance Portability and Accountability Act (HIPAA) guidance on ransomware. The new guidance reinforces activities required by HIPAA that can help organizations prevent, detect, contain, and respond to threats, including:

  • Conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and establishing a plan to mitigate or remediate those identified risks;
  • Implementing procedures to safeguard against malicious software;
  • Training authorized users on detecting malicious software and reporting such detections;
  • Limiting access to ePHI to only those persons or software programs requiring access; and
  • Maintaining an overall contingency plan that includes disaster recovery, emergency operations, frequent data backups, and test restorations.

Some of the other topics covered in the guidance include: understanding ransomware and how it works; spotting the signs of ransomware; implementing security incident responses; mitigating the consequences of ransomware; and the importance of contingency planning and data backup. The guidance makes clear that a ransomware attack usually results in a “breach” of healthcare information under the HIPAA Breach Notification Rule. Under the Rule, and as noted in the guidance, entities experiencing a breach of unsecure PHI must notify individuals whose information is involved in the breach, HHS, and, in some cases, the media, unless the entity can demonstrate (and document) that there is a “low probability” that the information was compromised.

Ransomware is a type of malware (malicious software) that encrypts data with a key known only to the hacker and makes the data inaccessible to authorized users. After the data is encrypted, the hacker demands that authorized users pay a ransom (usually in a cryptocurrency such as Bitcoin to maintain anonymity) in order to obtain a key to decrypt the data. Ransomware frequently infects devices and systems through spam, phishing messages, websites, and email attachments and enters the computer when a user clicks on the malicious link or opens the attachment.

Organizations need to take steps to safeguard their data from ransomware attacks. HIPAA covered entities and business associates are required to develop and implement security incident procedures and response and reporting processes that are reasonable and appropriate to respond to malware and other security incidents.
The guidance can be found at: http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf.
[The entirety of the Advisory Summary is quoted from Jocelyn Samuels, Director, Office for Civil Rights, retrieved from an 11 Jul 2016 blog on the HHS Website at https://www.hhs.gov/blog/2016/07/11/your-money-or-your-phi.html.]

Related CSF Controls

HITRUST CSF Controls related to the requirements referenced in the Fact Sheet include but are not limited to 0.a, 01.a thru 01.y, 02.e, 03.a thru 03.d, 05.f, 06.d, 07.a, 08.j, 09.j, 09.k, 09.l, 09.o, 09.q, 09.aa, 09.ab, 10.m, 11.a thru 11.e, and 12.a thru 12.e.

HITRUST Comments / Recommendations

The HHS Fact Sheet describes ransomware attack prevention and recovery in the context of the HIPAA Security Rule.  HHS’ guidance accordingly begins with the information security management program, specifically with the broad risk analysis required under the Rule, which provides the basis for control design and/or selection.  Although this would encompass all the controls implemented by an organization, HHS stresses antimalware protection and detection, user training, incident reporting, and access controls, all of which are covered in detail by the HITRUST CSF.

HHS also stresses that the risk analysis is intended to address all ePHI in the organization and all reasonably anticipated threats, not just those addressed by the HIPAA Security Rule’s standards and implementation specifications.  This has general applicability beyond the scope of the Fact Sheet’s focus on ransomware and is yet another indication that simply addressing the Rule’s standards and implementation specifications does not, in and of itself, satisfy the risk analysis requirement.  This is also why some CSF controls do not map directly to the HIPAA Security Rule: they address threats the Rule does not specifically address.  “The Security Rule simply establishes a floor, or minimum requirements, for the security of ePHI; entities are permitted (and encouraged) to implement additional and/or more stringent security measures above what they determined to be required by Security Rule standards” [emphasis added].

The Fact Sheet describes specific types of activities, e.g., robust data backup and disaster recovery planning, that will help mitigate the ransomware threat (the relevant CSF controls are identified in this advisory, above), and it identifies a series of five (5) steps that are consistent with the Core Functions of the NIST Framework for Improving Critical Infrastructure Cybersecurity: identify, protect, detect, respond and recover.  These functions emphasize cyber resilience rather than the traditional “protect and defend” approach to information security risk management.  Leveraging the HITRUST risk management framework (RMF), including the HITRUST CSF and CSF Assurance Program, to implement this approach along with other recommendations from the NIST cybersecurity framework is the subject of the Healthcare Sector Cybersecurity Framework Implementation Guide, one of seven critical infrastructure sector guides available on the DHS US-CERT Cybersecurity Framework Website.  How the HITRUST RMF addresses cyber resilience is the subject of a Deloitte article entitled The Healthcare Cyber Shift: From prevention to threat detection and response.
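The backup and test-restoration activities discussed above are easy to state and easy to get wrong in practice: a backup that has never been restored proves nothing, and a backup job that runs after the malware has already encrypted the files faithfully preserves the ciphertext.  The following Python script is an added example written for this advisory; it is not code from HHS, HITRUST, or the Fact Sheet.  It records a SHA-256 manifest at backup time, compares the live files against that manifest before the next cycle (many changed files whose new contents look like ciphertext is the warning sign), and performs a test restoration that recomputes every hash.  The function names, the 7.0 bits/byte entropy threshold, the 4 KiB sample size and the sample records are all assumptions made for illustration; the sample data is constructed and contains no real ePHI.

```python
"""Backup manifest, mass-change detection and test-restore check (added example;
not HHS or HITRUST code). Thresholds, names and sample data are assumptions."""
import hashlib
import json
import math
import os
import tarfile
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.0   # bits/byte; assumed cut-off between text and ciphertext
SAMPLE_BYTES = 4096       # assumed prefix length examined per changed file


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for random/encrypted data, roughly 4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative path) to its SHA-256."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(root: Path, archive: Path) -> dict:
    """Write a gzip tarball of root plus a sidecar manifest; return the manifest.
    Store both offline or on immutable media: a backup the malware can reach is
    just another file to encrypt."""
    manifest = build_manifest(root)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(root / rel, arcname=rel)
    Path(str(archive) + ".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def diff_against_manifest(root: Path, manifest: dict) -> dict:
    """Compare the live tree with the last good manifest. Many changed files whose
    new content looks like ciphertext means the next scheduled backup would
    overwrite good data with encrypted data."""
    live = build_manifest(root)
    changed = sorted(p for p in manifest if p in live and live[p] != manifest[p])
    high_entropy = [p for p in changed
                    if shannon_entropy((root / p).read_bytes()[:SAMPLE_BYTES]) > ENTROPY_THRESHOLD]
    return {"changed": changed,
            "missing": sorted(p for p in manifest if p not in live),
            "new": sorted(p for p in live if p not in manifest),
            "high_entropy": high_entropy}


def verify_restore(archive: Path, manifest: dict, restore_dir: Path) -> list:
    """Test restoration: extract the archive and recompute every hash.
    Returns manifest entries that are missing or differ (empty list == good)."""
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(restore_dir, filter="data")  # rejects path traversal (Python 3.12+)
        except TypeError:                                # older Python: no filter argument
            tar.extractall(restore_dir)
    restored = build_manifest(restore_dir)
    return sorted(p for p in manifest if restored.get(p) != manifest[p])


def run_demo() -> dict:
    """Back up constructed sample files (not real ePHI), simulate ransomware on the
    live copy, detect the change against the manifest, then prove the backup
    restores intact. Returns the findings so they can be inspected or asserted on."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live, restore, archive = tmp / "live", tmp / "restore", tmp / "backup.tar.gz"
        (live / "records").mkdir(parents=True)
        sample = {                                   # constructed sample data
            "records/patient_0001.txt": "Visit note: routine follow-up, BP 120/80.\n" * 40,
            "records/patient_0002.txt": "Lab result: CBC within normal limits.\n" * 40,
            "schedule.csv": "date,room\n2016-07-11,A\n" * 40,
        }
        for rel, text in sample.items():
            (live / rel).write_text(text)

        manifest = create_backup(live, archive)
        before = diff_against_manifest(live, manifest)

        # Simulated attack: overwrite each file with random bytes (a stand-in for
        # ciphertext; nothing is actually encrypted) and drop a ransom note.
        for rel in sample:
            (live / rel).write_bytes(os.urandom(SAMPLE_BYTES))
        (live / "README_DECRYPT.txt").write_text("Your files are encrypted. Pay to recover.\n")
        after = diff_against_manifest(live, manifest)

        return {"clean_before": not before["changed"] and not before["new"],
                "changed_after": len(after["changed"]),
                "high_entropy_after": len(after["high_entropy"]),
                "new_after": after["new"],
                "restore_mismatches": verify_restore(archive, manifest, restore)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```

Run as a script, the demo reports three changed, high-entropy files and one new file on the live system after the simulated attack, and an empty mismatch list from the test restore.  In an operational setting the manifest comparison runs before each backup cycle (so an encrypted tree is flagged rather than archived), the restore test runs on its own schedule, and the archive and manifest live on media the production network cannot write to.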

Given that NIST IR 7298 r2 includes a security event that potentially jeopardizes the confidentiality of an information system in its definition of a security incident, it is no surprise that HHS takes the position that the mere presence of ransomware constitutes a potential breach of ePHI.  Accordingly, HHS stresses in the Fact Sheet that a breach must be presumed until the organization can demonstrate a low probability of compromise, as required by the HIPAA Breach Notification Rule, 45 C.F.R. 164.402(2).  The Fact Sheet also clarifies the circumstances in which encryption would or would not prevent a ransomware incident from being a reportable breach under the Rule.

HITRUST recommends that implementing organizations (1) review all relevant controls identified in this advisory to ensure they are fully implemented and adequately address the ransomware threat; (2) in particular, review their incident response procedures to ensure the steps outlined in the Fact Sheet for responding to a ransomware attack are addressed, especially the requirement to conduct post-incident activities; (3) ensure their user training specifically addresses the indicators of a ransomware attack provided in the Fact Sheet; and (4) verify that their incident response procedures include a formal, documented risk assessment that specifically addresses the four (4) factors required by the HIPAA Breach Notification Rule, 45 C.F.R. 164.402(2)(i)-(iv), as well as the exceptions provided for encrypted data as described in the Fact Sheet.

Additional Information / References

For more information, contact: support@hitrustalliance.net.