Written by HITRUST Independent Security Journalist Sean Martin.
Here’s a recap of the Community Extension Program event in Denver, including some of the key points discussed along with some of the key learnings shared during the session.
Thank you, Denver!
Centura Health, the largest healthcare network in the Denver region, hosted the Denver HITRUST Community Extension Program (CEP) event. Kris Kistler, VP and CISO at Centura Health, led the group through the conversations the attendees had been preparing for in the run-up to the event. During the session, Kistler gave a number of operational examples of risk management and compliance to help the attending organizations see the value of tackling risk head-on with the help of the HITRUST CSF and its supporting programs.
One of the more compelling items that Kistler shared with the group was his views on the collection of scorecards and heat maps that are available in the HITRUST MyCSF platform; charts and reports he finds critical when presenting to, and communicating with, Centura’s senior management and board of directors. These are some of the points Kistler reviewed during his talk:
- Doing assessments against the HITRUST CSF will give the organization insight into where residual risk exists from a cybersecurity perspective.
- One of the biggest misperceptions with respect to the HITRUST framework is that HITRUST is only focused on compliance – and that many organizations view compliance as equivalent to security. However, as Kistler pointed out, “compliance is the add-on; the framework is centered on risk first and foremost and compliance does not equal security”.
- Kistler approaches Centura’s cybersecurity program from a risk management perspective and then leads the team through the process of improving its cybersecurity posture. Having an assessment against the framework, with all the relevant maturity scores, puts more concrete context around where additional investments in information security may be needed.
Analyzing Partnership Risk Before Signing on the Dotted Line
Kistler also spent a good amount of time during this CEP session talking about his company being in intense growth mode; it is almost constantly evaluating organizations to either partner with as an affiliate or acquire as a new subsidiary. In both cases, the core of the program is assessing the security posture of the target company to validate that it is in line with Centura’s expectations.
Kistler and his team have developed a due diligence program that leverages the assurance methodology provided within the HITRUST CSF. As one example, they apply the in-depth risk assessment model to clinics, which must go through it before they can join the affiliate program. Overall, the program has been hugely successful in determining whom to partner with and which companies are feasible to acquire. Equally important, the team handling the strategic end of these deals loves the model, making it a win-win on all fronts.
Clearing up Misconceptions
As with most things that bring a comprehensive set of capabilities to the table, there can be confusion and misconceptions about what can and can’t be done with the product or service. This was true for some of the early-stage companies attending this session, where flexibility was a common point of misunderstanding for many of them.
Those that asked the question generally perceived HITRUST as a framework or assessment process that is not flexible; not able to be adjusted to meet their specific needs based on their size and information security and risk management maturity level. To put it in a different way, it comes across as an all-or-nothing solution in that, if the organization doesn’t have all the controls in place, the organization won’t be able to pass their assessment and get HITRUST certified.
Of course, this is not the case, and some of the other organizations with HITRUST experience described how HITRUST can be applied in a flexible, yet meaningful, manner to help reduce risk, raise their security posture, and meet their compliance requirements.
For example, those familiar with HITRUST pointed to the alternative controls program where their organization can describe their own compensating controls as part of their assessment. And, if the assessor believes these compensating controls actually address the level of risk being identified, the organization can submit these alternative controls to a HITRUST committee for consideration and approval and potentially still meet the certification requirements. To further demonstrate the flexibility of the program – and the company behind it – if HITRUST agrees that the compensating controls both mitigate the risk identified and do it in a way that can apply to a number of organizations, then these compensating controls can be approved as part of the official program, thereby enhancing the program for all participants.
Others in attendance pointed to the HITRUST scoring model, which allows for partial credit; essentially, it’s unrealistic to believe every organization will be perfect 100 percent of the time. Quite the contrary, in fact; nobody is meant to be perfect, and the HITRUST scoring model takes this reality into account. The built-in 1-5 scoring allows companies to get partial credit for areas they’ve invested in to improve their security posture and reduce risk, even if they are not completely there yet. This allows organizations to build up their defenses and risk mitigation practices in line with their business requirements and risk appetite. Recognizing this reality is especially valuable when internal audit looks at the assessment results and asks, “why aren’t we getting 5’s across the board?” When the scoring model is designed appropriately and managed effectively, an average of 3 across a particular domain could mean that further improvements are necessary from a maturity perspective, but the score could also represent that this part of the business is actually operating correctly within an acceptable level of risk and still meets the requirements for certification.
Here a Breach. There a Breach.
There were quite a number of big-name breaches in the news around the time of this CEP session. As a result, this group spent a lot of time talking about breaches, both in general and specifically about the companies that were breached. Most important to them was the question of what happens if a HITRUST-certified organization is breached: what gets kicked off from a HITRUST perspective? They wanted to know whether a breach meant that the company’s certification would be revoked.
The answer to these inquiries involved a couple of key points. First off, yes, a process kicks off when a HITRUST-certified organization is breached. The HITRUST team will first look at which areas of the operations were affected. The first question: was it an area that was certified?
Depending on the findings from that analysis, the team might then choose to conduct an independent review, possibly with the help of an assessor. If during this review the scores are upheld and found to remain true, then some actions might be taken. Here are a couple of examples of the questions that get asked:
- Did they properly maintain, manage and monitor that part of the program?
- Was there a breakdown in the controls implemented?
The involvement of the assessors also raised the question of the quality of the assessor program. The HITRUST team assured the attendees that there is a formal process in place to monitor the assessors from a quality perspective: in full detail as they enter the program, and then routinely throughout their time within the program.
Just How Expensive is this Stuff?
Another key topic of discussion was the cost of an assessment and certification. Another misperception is that HITRUST is expensive, which, generally speaking, is a pretty broad view to have. To help clarify the costs associated with HITRUST, the HITRUST team provided some refreshing details.
In short, there are three aspects to costs associated with HITRUST:
- The costs paid to HITRUST: These costs depend on the programs you engage with. To start, there is a free program that organizations can adopt without any fees involved; under it, the organization can perform self-assessments, although the resulting reports carry no HITRUST branding. A number of other free programs are available as well, such as the threat catalogue, regulatory mappings, and even some of the cyber programs. In short, there are a number of extremely valuable programs that will cost you nothing from a HITRUST perspective.
- Fees for HITRUST-validated assessments and certifications: When an organization engages an assessor, whether to conduct an assessor-validated assessment or to help facilitate a self-assessment, this is a consulting engagement in which HITRUST plays no part in the pricing. In short, the market sets the pricing, the assessors determine their services and pricing, and the customers of these services select their preferred partner(s) and negotiate the services and service levels against the pricing they desire. HITRUST charges a relatively small administrative fee to generate the final reports once the assessment is completed.
- Remediation pricing: When action is required to adjust policies and/or implement a set of compensating controls, the services required will differ based on the organization’s maturity level, and the services offered will differ based on the partner selected. For example, if Centura says “I want to get 5’s across the board,” reaching that level of security posture will take significant funding. If they have the resources on hand to make this happen, then that is the cost of reaching that level of compliance and posture. Other organizations, however, can change the scope of their assessment and the level of remediation, and choose a service provider that can help them reach their own unique requirements; that model carries a different cost. In other words, organizations can achieve varying levels of posture and meet varying levels of requirements to obtain the certification they are aiming for, and the costs will be commensurate with the effort and resources it takes to get there.
There were quite a few healthy, lengthy conversations by the group in attendance in Denver. A number of questions were answered, misconceptions put to rest, and a lot of community relationships built along the way.
There was one final piece to this session that really hit home with this audience – the live scoping demo where the team at Coalfire worked with one of the HIE vendors in attendance who had not yet undergone an assessment. The team opened up a MyCSF session, put in real-world scoping factors, listed the controls mapped against the requirements, and then tweaked the parameters to modify the scope to meet that HIE’s requirements based on business need and risk appetite. It was evident that scoping is a critical step in the assessment and certification process; one that requires some additional discussion. With that in mind, perhaps there will be another post on this specific topic where the details of this scoping exercise can be fully documented.
If you don’t want to wait for that to get published, perhaps you can attend a CEP session near you and get to experience it live.
Even though we have a few under our belt now, we’ve only just begun. We have over 30 CEP sessions planned and will consider adding more if the demand is there. The next CEP session is in Orlando. So, if you’re in the area, we hope to see you there.
If Orlando doesn’t suit, be sure to check out the CEP schedule to see if your town is listed. If not, you can always request your town be added to the list – or, better yet, you could offer to host a session if you are so inclined. It’s a safe bet that your community will thank you for it.