Written by HITRUST Independent Security Journalist Sean Martin.
Thank you, Irvine!
As part of the continuing Community Extension Program series, we found ourselves in Irvine, surrounded by an audience hungry to learn more about ways to improve compliance processes and information security postures.
The session, which was hosted by Jesse Salmon, Information Security Architect at Kareo and facilitated by John Huckeby, Managing Director Cybersecurity and Compliance at Tevora, along with Michael Parisi, Vice President of Assurance Strategy and Community Development at HITRUST, covered a lot of ground:
- How to use HITRUST in conjunction with your existing processes
- A review of Cyber Threat XChange and CyberAid
- Threat and compliance mapping in conjunction with assessment scoping
- Discussions around the value of HITRUST when shopping for cyber insurance
Cyber Threat XChange (CTX)
After Kareo’s Salmon and HITRUST’s Parisi reviewed the agenda for the day’s session, Elie Nasrallah, Director Cyber Security Strategy at HITRUST, gave the group a view into Cyber Threat XChange, HITRUST’s cyber threat sharing platform, developed in partnership with Anomali, which automates the collection and analysis of cyber threats and the distribution of actionable indicators of compromise (IOCs) that organizations of varying sizes and cyber security maturity can use to improve their cyber defenses. Nasrallah made a few key points:
- The program is open to all of healthcare: payers, providers, hospitals, clinics, doctors; subscriptions are available at no cost
- Working with Epic and Cerner, this program changes the healthcare industry from laggards to leaders; it brings some real game-changing capabilities to bear, especially in the deceptive decoy space
- Information becomes actionable by mapping the threat catalogue to the HITRUST CSF; this allows organizations to apply controls to handle all phases of an attack based on the threats seen in the field
General Guidance on Scoping Your Assessments
With 149 controls, 75 of which are required for certification (14 of those privacy related), getting a view into how and where to begin a HITRUST assessment is always a hot topic during these CEPs; Irvine was no exception. HITRUST’s Parisi shared a number of points with the group to help them understand the value of the HITRUST framework as applied to their program, based on their goals and maturity level. The first was a reminder that organizations don’t need to scope everything in; take only the subset of controls needed in order to achieve compliance down the line.
“Start by scoping, do a self (or ‘readiness’) assessment,” said Parisi, noting that organizations need to be careful not to rate themselves higher than they really are. “With the help of a third party in performing a ‘facilitated’ self-assessment, organizations will generally obtain more accurate and unbiased scores relative to where they are with the controls and requirements,” Parisi added.
Even though an organization may need to comply with a specific regulation, it doesn’t always have to include that regulation in its assessment or certification.
“It’s up to you, at your own discretion,” said Huckeby. “You are not required to include them in the scope in order to achieve certification.”
How you define your organization can play a big part in the scope as well.
“Be careful. If you are not a business associate (BA), don’t sign a business associate agreement (BAA) and sign up for being a BA,” said Parisi. “Doing so, you sign up for higher standards and become part of the OCR pool and could be tagged for random assessments,” Parisi added.
Parisi also recommended taking two more actions:
- Consider engaging an assessor to get an objective view
- Then engage a third party to validate the scoping
“This is where HITRUST differs from other certifications—the certifying body is NOT doing the validation,” said Parisi. “As a certifying body, HITRUST wants to remain separate and independent,” he added.
HITRUST maintains a list of approved assessors. They will validate the scope, do the assessment under the HITRUST-provided assessment guidance, and then submit the results to HITRUST to determine the final certification status.
“Unlike AICPA, HITRUST has no restrictions that prevent an assessor from helping to scope, identify, design, remediate and implement controls,” said Parisi. “The one limitation is that the assessor cannot do these things and also operate the controls on behalf of their client or as acting in the capacity of management.”
“You can run the scoping exercise multiple times to see how different answers change the scope and requirements,” suggested Huckeby.
Preparing for the Certification
Building on Parisi’s overview, John Huckeby spent some time walking the group through the assessment and certification process his team employs at Tevora.
“The first step is to identify the data types,” said Huckeby. “Most data types that fall in scope are protected health information (PHI). But some data types—typically driven by the Minimum Acceptable Risk Standards for Exchanges (MARS-E)—are starting to include personally identifiable information (PII), and certainly credit card information for Payment Card Industry Data Security Standard (PCI DSS),” he added.
Next, it’s important to look at which facilities store, transmit, or process the data types identified.
The step after that is to identify which systems host and interact with that data.
“More and more medical devices are hitting the system list—so don’t forget to include those,” said Huckeby.
“Systems that fall into scope could include an individual system or a stack of systems,” added Parisi. “It could even include a datacenter where everything sits or the infrastructure where things run, which is popular in the cloud environment.”
Huckeby provided some guidance for grouping the systems: “You can group your servers (say, 50 Unix servers supporting a data warehouse) and logically organize them to capture the environment as efficiently as possible,” he said. “If you can find a number of common factors to group the systems, assessors will typically recognize and understand (and appreciate) this.”
Per Huckeby, it’s important to answer the factors accurately. “Spend the time here—these things drive your requirements and if done incorrectly can significantly delay your certification,” cautioned Huckeby.
Once the data and system scoping is in place, Tevora leverages a 3-phase approach:
- Self-gap assessment
- Validated assessment for certification (9 times out of 10, this is the goal)
“Typically, we find an average organization will be good on their policy—there may be a few gaps, but nothing terrible,” said Huckeby. “However, many are weak on process—not a lot of companies do well with procedure, including a written procedure,” he added.
This is where Tevora spends a lot of time, helping clients update their policies and procedures; according to Huckeby, more than half of Tevora’s clients work on policy and procedure development.
“We give our clients policies, procedure templates, and other best practice guidelines for free as part of our engagement,” he added. “The goal for applying the HITRUST framework is to strengthen the control environment, focusing on a long-term plan of improved security and compliance posture with regular improvement.”
Following the policy and procedure portion of the certification process, most of the organization’s time and effort goes into remediating the gaps that would otherwise prevent certification from being completed.
“In terms of timing, most clients take 2-6 months for remediation,” said Huckeby. “After that, the audit takes 4-5 weeks for Tevora to test and score the requirements and submit the results to HITRUST. HITRUST will then take 6-8 weeks to validate the submission and deliver the certification. HITRUST is very thorough—which is important to keep the credibility of the certification at top notch.”
While certifications may seem daunting as a general rule, it’s important to note that the HITRUST certification does not require 100% coverage across the board.
“Partial credit is OK,” said Huckeby. “Policies and process and implementation at 100% each would get you 75%, which is enough to get certified.”
“This is correct—you don’t have to be a 5 for everything,” added Parisi, noting that achieving perfection isn’t the goal; an increased security posture in line with compliance requirements is what really matters.
On a final note, Huckeby reminded the group that compliance and security can’t be just a moment in time.
“HITRUST expects controls implemented for a minimum of 60 days,” Huckeby said. “You need to demonstrate that the requirements are being met and controls are operating properly—you need a solid burn-in period, showing that you are able to maintain things for some period of time.”
With a few sessions under our belt now and 2017 at a close, we’ve only just begun the conversation. We have 50 CEP sessions planned and will consider adding more if the demand is there. 2018 will be a great year for the community to come together to continue the conversation.
If Princeton doesn’t suit, be sure to check out the full CEP schedule to see if your town is listed. If not, you can always request your town be added to the list – or, better yet, you could offer to host a session if you are so inclined. It’s a safe bet that your community will thank you for it.