HITRUST and the NIST Cybersecurity Framework FAQs

Is an interim review required to maintain your HITRUST CSF Certification for the NIST Cybersecurity Framework?

No, the interim review requirement only applies to the HITRUST Certification.

What makes HITRUST a valid organization for issuing a certification for the NIST Cybersecurity Framework certification?

ANSI estimates there are hundreds of ‘traditional’ standards developing organizations (or “SDOs”) in the United States and hundreds more ‘non-traditional’ standards development bodies, such as consortia. The HITRUST Alliance is one of these industry SDOs and produces the HITRUST CSF, the most commonly used information security controls standard in the healthcare industry. And, in its 2018 Report to Congress on the state of NIST Cybersecurity Framework Adoption, the GAO states Healthcare and Public Health (or “HPH”) Sector officials encourage alignment of the NIST Framework with existing cybersecurity guidelines and goes on to state, “the sector aligned the [HITRUST CSF] with the NIST Framework,” which “allows organizations to demonstrate compliance with NIST through their implementation of the pre-existing [HITRUST] framework.” In fact, current HPH Sector guidance uses the HITRUST CSF as the underlying foundation for an organization’s implementation of the NIST Framework.

Refer to https://www.gao.gov/assets/700/690112.pdf for a copy of the GAO report.

Refer to the US-CERT Cybersecurity Framework Website at https://www.us-cert.gov/ccubedvp/cybersecurity-framework for a copy of the HPH Sector implementation guide, or download a copy directly using https://www.us-cert.gov/sites/default/files/c3vp/framework_guidance/HPH_Framework_Implementation_Guidance.pdf.

Will HITRUST incorporate the NIST Cybersecurity Practice Guides into the HITRUST RMF?

HITRUST works closely with NIST and we constantly analyze their documentation to see what additional guidance can be utilized. Many guidelines—most often those that are very technical or technology-specific—are typically outside the scope of the HITRUST CSF; however, HITRUST will review these practice guides, determine how HITRUST CSF adopters can best leverage this type of documentation, and provide supporting guidance to the healthcare community, e.g., through HITRUST Implementation Advisories, as needed.

For more information on the HITRUST approach to risk management, refer to the HITRUST Risk Management Frameworks and Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection brochures.

If I’m HITRUST CSF Certified, what do I need to do to demonstrate I’m complying with the NIST Cybersecurity Framework?

If you’re HITRUST CSF Certified, you can demonstrate compliance with the NIST Cybersecurity Framework in one of two ways.

[Figure: NIST CsF diagram]

An organization can generate a NIST CsF scorecard based on the maturity of the HITRUST CSF control requirements that support each of the NIST CsF Core Subcategories. A similar approach is used to “roll up” requirement-level scores to the HITRUST CSF Assessment Domains in a HITRUST CSF Assessment Report. The scorecard may be generated either from the security assessment used for HITRUST CSF certification or from a comprehensive security assessment. The former will provide reasonable assurances about the state of NIST CsF compliance at a reasonable cost, whereas the latter will provide the greatest level of assurance but at a slightly higher cost.

Alternatively, an organization can use the results of a HITRUST CSF assessment to estimate the NIST CsF Implementation Tiers, which will help provide an organizational-level view into the maturity of its cybersecurity program.

For more information on the original NIST maturity model, see the NIST IR 7358, Program Review for Information Security Management Assistance (PRISMA).

For more information on how the HITRUST CSF is used to support an organization’s implementation of the NIST Cybersecurity Framework, see the Healthcare Sector Cybersecurity Framework Implementation Guide, Version 1.1.

For more information on the HITRUST CSF, see the Introduction to the HITRUST CSF, and the HITRUST CSF Framework FAQ.

If I’ve already adopted the HITRUST CSF, does that mean I’ve adopted the NIST Cybersecurity Framework?

Yes, you’re well on your way as the HITRUST Risk Management Framework (RMF)—consisting of the HITRUST CSF, CSF Assurance Program and related method and tools—is the foundation for a model implementation of the NIST CsF in the private sector.

[Figure: adopting the HITRUST CSF and the NIST CsF]

Since the NIST CsF lacks the prescriptive controls needed for an organization to implement the framework, HITRUST provides NIST CsF-implementing organizations a single, comprehensive, prescriptive, yet tailorable control framework to meet its business objectives. The HITRUST CSF also helps organizations satisfy multiple regulatory and other compliance requirements—including the Health Insurance Portability and Accountability Act (HIPAA) Security Rule’s standards and implementation specifications—and ultimately meet industry-recognized due care and due diligence requirements for the adequate protection of health information.

By implementing the HITRUST RMF, organizations automatically implement the NIST CsF recommendations and meet the cyber resilience objectives specified by the NIST CsF Subcategories.

For more information on how the HITRUST CSF is used to support an organization’s implementation of the NIST Cybersecurity Framework, see the Healthcare Sector Cybersecurity Framework Implementation Guide, Version 1.1.

For more information on the HITRUST CSF, see the Introduction to the HITRUST CSF, and the HITRUST CSF Framework FAQ.

For more information on HIPAA, see the HIPAA Administrative Simplification Regulation Text for 45 CFR Parts 160, 162, and 164 (Unofficial Version, as amended through March 26, 2013).

What is the best approach for implementing the NIST Cybersecurity Framework in the healthcare industry?

The best approach for implementing the NIST Framework for Improving Critical Infrastructure Cybersecurity, or Cybersecurity Framework (CsF), is the approach outlined in the Healthcare Sector Cybersecurity Framework Implementation Guide, produced and published under the auspices of the Critical Infrastructure Protection Program’s (CIPP) Public-Private Partnership.

Although the NIST CsF provides an overarching framework for cyber resilience programs that can be adopted by virtually any organization in any industry, this flexibility is obtained through its lack of granularity. By not specifying the cybersecurity controls an organization should implement, organizations must analyze the risk from the use of information and information technology (IT) and design their own controls or select controls from a suitable control-based risk management framework, such as ISO/IEC 27001, NIST SP 800-53, and the HITRUST CSF.

[Figure: NIST CsF diagram]

The Healthcare Sector Cybersecurity Framework Implementation Guide describes how organizations can leverage the HITRUST risk management framework (RMF) – consisting of the HITRUST CSF, CSF Assurance Program and supporting methods and tools – to implement resilient cybersecurity programs that are consistent with and achieve the objectives specified by the NIST CsF.

For more information, refer to the NIST Framework for Improving Critical Infrastructure Cybersecurity, Healthcare Sector Cybersecurity Framework Implementation Guide, and webpage on CIPP.

Why can’t I just adopt the NIST Cybersecurity Framework without leveraging additional guidance or frameworks?

For an industry sector or organization to implement the NIST Framework for Improving Critical Infrastructure Cybersecurity (also known as the NIST Cybersecurity Framework), one must understand that it relies on existing standards, guidance, and leading practices to achieve specific outcomes meant to help organizations manage their cybersecurity risk.

Specifically, the NIST Cybersecurity Framework provides organizations a common language and mechanism to:

  • Describe their current cybersecurity posture
  • Describe their target state for cybersecurity
  • Identify and prioritize opportunities for improving the management of risk
  • Assess progress toward the target state
  • Foster communications among internal and external stakeholders

The NIST Cybersecurity Framework is intended to complement rather than replace an organization’s existing business or cybersecurity risk management process and cybersecurity program. Organizations should keep using their current processes and leverage the framework to identify opportunities to improve their management of cybersecurity risk. Alternatively, an organization without an existing cybersecurity program can use the framework as a reference to establish one. In other words, the NIST Cybersecurity Framework gives critical infrastructure industries an overarching set of guidelines that ensures a minimal level of consistency, as well as depth, breadth and rigor, across industry cybersecurity programs.

These overarching guidelines are presented through the NIST Cybersecurity Framework Core, which provides the structure upon which a cybersecurity program may be built. The lowest level of the Core, the Subcategories, provides high-level requirements—essentially control objectives—that organizations should strive to implement. However, these Subcategories lack the prescription necessary for an organization to actually implement them, which is why NIST provides examples of controls from other, lower-level and generally more prescriptive frameworks such as ISO/IEC 27001:2013 and NIST SP 800-53 r4.

For example, NIST maps PR.PT-1 for audit/log records to ISO/IEC 27001:2013 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, and A.12.7.1, and to the entire NIST SP 800-53 r4 AU family. The HITRUST CSF is mapped as follows:

[Figure: HITRUST CSF mapping for PR.PT-1]

It’s clear that multiple requirements providing additional specificity are needed to satisfy the objectives set by the NIST CsF Subcategories. And for a healthcare entity to select a reasonable and appropriate set of administrative, physical and technical safeguards to provide for the adequate protection of ePHI, it must “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information” it holds, as required by HIPAA § 164.308(a)(1)(ii)(A). To learn more about how the HITRUST risk management framework (RMF) satisfies this requirement, refer to the guide on Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection.

As mentioned in a previous FAQ, HITRUST and the Healthcare and Public Health (HPH) Sector Coordinating Council (SCC) and Government Coordinating Council (GCC) recognized the need for additional guidance to sector organizations on how to properly implement the NIST CsF and established the development of such guidance as one of four core tasks for the Joint (SCC/GCC) HPH Cybersecurity WG. The result is the Healthcare Sector Cybersecurity Framework Implementation Guide, the 508-compliant version of which is available as one of seven sector-specific guides on the US-CERT Cybersecurity Framework Webpage. For more information on the Critical Infrastructure Protection (CIP) initiative under which the healthcare implementation guidance was developed, refer to the Websites on CIP Partnerships and Information Sharing, Critical Infrastructure Sector Partnerships, and HPH: Council Charters and Membership.

And to understand why the HITRUST RMF, which consists of the HITRUST CSF and CSF Assurance Program and supporting methods and tools, is the most widely used approach in healthcare, refer to the joint presentation by the Health Care Services Corporation and Children’s Health Dallas CIOs, Selecting a Healthcare Information Security Risk Management Framework in a Cyber World.

How does the RMF fit into the NIST Cybersecurity Framework?

The HITRUST RMF, which consists of the HITRUST CSF, CSF Assurance Program and supporting tools, methods and services, is actually a model implementation of the NIST Framework for Improving Critical Infrastructure Cybersecurity (also known as the NIST Cybersecurity Framework) for industry.

The NIST framework is intended to provide guidance to critical infrastructure industries on the development of industry, sector or organization-specific cybersecurity programs and help ensure a minimum level of consistency and rigor. The HITRUST RMF maps completely to the Subcategories in the NIST framework and is further supported by an implementation maturity model that also maps to the NIST model. However, HITRUST goes beyond the NIST framework recommendations by providing a fully functional cyber threat intelligence and response program to enable the U.S. healthcare industry to protect itself from disruption by cyber attacks. The HITRUST Cyber Threat XChange (CTX) is the single best source of intelligence on threats targeted at healthcare organizations and medical devices, providing actionable information for strategic planning, tactical preparedness and coordinated response for both large and small organizations.

HITRUST CTX also facilitates critical intelligence sharing between the healthcare industry, the U.S. Department of Homeland Security (DHS) and the U.S. Department of Health and Human Services (HHS), while supporting monthly threat briefings and alerts. In addition, HITRUST and DHS evaluate the industry’s preparedness and HITRUST CTX effectiveness through industry-wide cyber-attack and response exercises in which participating organizations examine both broad and segment-specific scenarios targeting information systems, medical devices and other essential technology resources of the healthcare industry.

HITRUST and the Office of the National Coordinator (ONC) Office of the Chief Privacy Officer (OCPO) also co-chaired the Risk Management Task Group (RMTG) of the Joint Healthcare and Public Health (HPH) Cybersecurity Working Group (WG), part of the Critical Infrastructure Protection (CIP) Public and Private Partnership. The RMTG was tasked to coordinate the development of (1) a tailored, Sector-wide HPH Cybersecurity Framework Implementation Guide, leveraging existing documents and efforts, and (2) supplemental guides tailored to different levels of users and different types of technology, as needed, which may include but is not limited to small organization implementation and medical device security. The guidance developed by the RMTG for HPH Sector-wide use is based on the HITRUST RMF, of which the HITRUST CSF and CSF Assurance Program are a part, and is available as a 508-compliant PDF from the US-CERT Cybersecurity Framework Webpage or can be downloaded directly here.

For more information, refer to the NIST and HITRUST CSF Webinar presentation and the Healthcare Sector Cybersecurity Framework Implementation Guide.

For more information on the CIP initiative, refer to the Websites on CIP Partnerships and Information Sharing, Critical Infrastructure Sector Partnerships, and HPH: Council Charters and Membership.

Do non-contextual impact ratings for controls provide any real value?

The term “non-contextual” is used to indicate that the rating does not consider the state of existing controls in a particular organization’s environment. The problem HITRUST is addressing with the non-contextual ratings is that many, if not most, organizations have significant difficulty with the risk analysis process and do not truly understand the impact a particular control failure may have on the organization. So the HITRUST impact ratings, which are based on work by the U.S. Department of Defense (DoD) with respect to the impact and severity codes used under the Defense Information Assurance Certification and Authorization Program (DIACAP), are used to help provide an indication of the relative impact of the controls in the framework should they fail. The key to understanding this approach is that controls are designed to address one or more threats to the organization, which arguably present(s) a certain amount of additional risk should one or more vulnerabilities be successfully exploited. Since the assets in question are information assets of a specific type, i.e., ePHI and other information with similar confidentiality and criticality requirements, estimates of the impact of a control failure can be legitimately made (again, as demonstrated by the DoD). The organization would then adjust the impact ratings for its own use (outside of the MyCSF tool) based on a contextual analysis for those controls that require some sort of remediation. By limiting the scope of the analysis to a subset of controls in the environment, the analysis becomes more tractable. The Risk Analysis Guide provides the impact ratings along with an example of how an organization can help prioritize corrective actions for control deficiencies using these ratings. The example also includes the use of priority codes derived from NIST SP 800-53 r4, which indicate the relative dependence of the controls upon each other.

For more information, refer to the Risk Analysis Guide for HITRUST Organizations and Assessors.

Can risk be calculated based on a control’s maturity level?

HITRUST evaluates likelihood based on an assessment of the control’s maturity level. To understand the approach, one must understand that a control framework is based on a broad risk analysis that considers threats to similar types of organizations for specific classes of information using common types of technology. Control baselines are then established based on specific factors. In the case of the (now legacy) Department of Defense (DoD) Information Technology Security Certification and Accreditation Program (DITSCAP) control framework, estimates of the information’s confidentiality and criticality requirements resulted in up to nine specific control baselines. The current NIST framework takes a high watermark approach and provides three baselines. HITRUST takes a similar approach based on organizational, system and regulatory risk factors, which can result in dozens of possible baselines.

By implementing an appropriate control baseline that meets the confidentiality, integrity and availability requirements of the information, the organization is then able to manage risk to the organization to an acceptable level. HITRUST produces an overarching security baseline—essentially an industry overlay of the NIST SP 800-53 moderate impact baseline—and then tailors the controls to an organization based on organizational, system and regulatory risk factors. This process provides an organization the flexibility to determine the measures needed to reasonably and appropriately address information risk based on organizational size, complexity, capabilities, and infrastructure constraints. Organizations may then simply focus on the implementation and maintenance of the selected controls to manage excessive residual risk.

Since it’s intuitively obvious that well-implemented controls are less likely to fail than those that are poorly implemented, the evaluation of the maturity of the control provides a likelihood estimator for the probability (likelihood) that a threat will successfully exploit a vulnerability and potentially compromise the confidentiality, integrity and/or availability of the information protected.

One should note that evaluating a control’s implementation is one of the most common methods used to help organizations determine security risk, and the HITRUST approach is very similar to the maturity model described in NIST Interagency Report (NISTIR) 7358, Program Review for Information Security Management Assistance (PRISMA). Consequently, maturity is a valid method for evaluating the relative effectiveness of a control, which in turn provides an estimate of how likely the control is to fail. The five maturity levels of the HITRUST model are:

  • Policy: Requirements stated in a policy or standard are understood by the organization. If a requirement is not stated, there is little guarantee that it will be implemented or continue to be implemented.
  • Procedures: Processes are necessary to ensure the control can be implemented in a repeatable and consistent way. They may be ad hoc, documented or automated.
  • Implemented: Evaluation of the control’s implementation across the breadth and depth of the organization is the most common way of assessing a control’s effectiveness.
  • Measured and Managed: These last two levels of HITRUST’s version of the PRISMA model, which together have the same value as any one of the first three levels when scoring out the control, simply address a basic concept of continuous monitoring: ‘one can’t manage what one doesn’t measure.’ The idea is to avoid past practices of ‘implementing and forgetting’ a control and instead monitor the effectiveness of the control on an ongoing basis and take action should problems occur. This level of maturity beyond implementation provides additional assurance the control will continue operating as intended.
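The following is an added example, not HITRUST's own code or the logic of the MyCSF tool, that ties together the two scoring ideas on this page: a requirement's maturity score built from the five PRISMA-style levels above, and the “roll up” of requirement-level scores to the NIST CsF Core Subcategories described in the scorecard FAQ earlier. The level weights are an assumption chosen only to match the statement that Measured and Managed together are worth the same as any one of the first three levels; the requirement identifiers, level scores, the requirement-to-Subcategory mapping and the review threshold are all constructed placeholders, not the HITRUST CSF's real mapping or scoring tables.

```python
"""Toy maturity scoring and NIST CsF Subcategory roll-up (added example, not HITRUST code).

ASSUMPTION: Policy, Procedures and Implemented carry equal weight, and Measured
plus Managed together equal one of those weights, as the page states.  The exact
figures (0.25 / 0.25 / 0.25 / 0.125 / 0.125) are this example's choice.
"""
from dataclasses import dataclass
from statistics import mean

# Assumed level weights; they sum to 1.0 so a fully mature requirement scores 100.
LEVEL_WEIGHTS = {
    "policy": 0.25,
    "procedures": 0.25,
    "implemented": 0.25,
    "measured": 0.125,
    "managed": 0.125,
}


@dataclass
class Requirement:
    """One control requirement with the assessor's rating of each maturity level.

    levels: per-level rating from 0.0 (absent) to 1.0 (fully in place).
    subcategories: NIST CsF Core Subcategories this requirement supports
    (the mapping used in SAMPLE_REQUIREMENTS is constructed, not HITRUST's).
    """
    req_id: str
    levels: dict
    subcategories: tuple


def maturity_score(req: Requirement) -> float:
    """Weighted maturity score in [0, 100] for a single requirement.

    A requirement that is fully implemented but never measured or managed
    tops out at 75 under the assumed weights, which is the page's point:
    'implement and forget' earns less assurance than continuous monitoring.
    """
    total = 0.0
    for level, weight in LEVEL_WEIGHTS.items():
        value = req.levels.get(level, 0.0)  # a level not rated counts as absent
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{req.req_id}: {level} rating must be in [0, 1], got {value}")
        total += weight * value
    return 100.0 * total


def subcategory_scorecard(reqs) -> dict:
    """Roll requirement scores up to each NIST CsF Subcategory (mean of mapped requirements)."""
    buckets = {}
    for req in reqs:
        score = maturity_score(req)
        for sub in req.subcategories:
            buckets.setdefault(sub, []).append(score)
    return {sub: round(mean(scores), 1) for sub, scores in buckets.items()}


def needs_attention(scorecard: dict, threshold: float) -> list:
    """Subcategories scoring below the (assumed) threshold, weakest first, for remediation planning."""
    below = [(sub, score) for sub, score in scorecard.items() if score < threshold]
    return sorted(below, key=lambda item: (item[1], item[0]))


# Constructed sample assessment.  PR.PT-1 is the Subcategory discussed on this
# page; the other Subcategory identifiers are real NIST CsF ids, but which
# requirement supports which is a placeholder mapping.
SAMPLE_REQUIREMENTS = [
    Requirement("REQ-01", {"policy": 1.0, "procedures": 1.0, "implemented": 1.0,
                           "measured": 1.0, "managed": 1.0}, ("PR.PT-1",)),
    Requirement("REQ-02", {"policy": 1.0, "procedures": 1.0, "implemented": 1.0,
                           "measured": 0.0, "managed": 0.0}, ("PR.PT-1", "PR.AC-1")),
    Requirement("REQ-03", {"policy": 1.0, "procedures": 0.5, "implemented": 0.5},
                ("ID.RA-1",)),
    Requirement("REQ-04", {"policy": 0.0, "procedures": 0.0, "implemented": 1.0,
                           "measured": 1.0, "managed": 1.0}, ("PR.AC-1",)),
]

REVIEW_THRESHOLD = 70.0  # assumed cut-off for this example only

if __name__ == "__main__":
    card = subcategory_scorecard(SAMPLE_REQUIREMENTS)
    for sub in sorted(card):
        print(f"{sub:8s} {card[sub]:5.1f}")
    print("needs attention:", needs_attention(card, REVIEW_THRESHOLD))
```

REQ-04 illustrates the weighting choice: a control that is implemented and continuously monitored but has no policy or procedure behind it scores the same as one with a policy and half-done procedures and implementation, which is why a real programme treats all five levels, not just “Implemented”, as evidence.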

For more information, refer to the Risk Analysis Guide for HITRUST Organizations and Assessors.
