By BJ Webb, Chief Marketing Officer, HITRUST
Keeping their own organization and their business partners secure from cyber threats is a top priority for IT security teams across all industries and business sectors. If a third-party partner in the supply chain (or a fourth- or fifth-party vendor) has a weak security posture, a breach in their IT infrastructure can impact the entire ecosystem. Plus, it goes without saying (though I will say it anyway) that the first party, your own business, needs to maintain information security protections commensurate with your organization’s risk appetite.
Solving these challenges was the main theme at last week’s HITRUST Collaborate 2021 conference. The virtual event featured two days of informative sessions attended by a variety of IT security and risk executives, managers, and practitioners.
Here’s a summary of my top five takeaways:
#1 – HITRUST is Expanding its Assessment Portfolio to Address Market Gaps in Reliability
To meet the need for varying levels of information security assurances with higher reliability, HITRUST is adding two offerings to the HITRUST assessment portfolio later this year. These new assessments aid in understanding security control effectiveness as well as cyber preparedness and resilience:
- The HITRUST Basic Current State (bC) Assessment is a “good hygiene” assessment and offers higher reliability than self-assessments and questionnaires by utilizing the HITRUST Assurance Intelligence Engine™ (AI Engine) to identify errors, omissions, and deceit.
- The HITRUST Implemented 1-Year (i1) Assessment is a “best practices” assessment and recommended for situations that present moderate risk or where a baseline risk assessment is needed. The i1 is designed to provide higher levels of transparency, integrity, and reliability over existing moderate assurance reports, with comparable levels of time, effort, and cost.
With these two offerings coming into the HITRUST assessment portfolio, HITRUST is renaming the existing CSF Validated Assessment, which now will be called the HITRUST Risk-Based 2-Year (r2) Assessment. This tailorable assessment continues to provide the highest level of assurance for situations with greater risk exposure due to data volumes, regulatory compliance, and other risk factors.
#2 – Results Distribution System Offers a Better Way to Exchange and Consume Third-Party Assessment Results
To meet supply chain demands for transparent IT security posture assurances, HITRUST will soon add a new offering—the Results Distribution System (RDS). The RDS will allow organizations to address the highly inefficient process of obtaining, interpreting, and analyzing assessment results from third-party vendors. RDS will allow assessed entities to deliver their HITRUST CSF Assessment results directly to business partners through a secure, centralized portal or via an API.
RDS will eliminate the need to manually review lengthy PDF files and will provide customizable dashboards to view HITRUST assessment results. The system also will integrate with relying party GRC (governance, risk, and compliance) and VRM (vendor risk management) platforms so users can fully leverage advanced analytics capabilities.
#3 – HITRUST Continues to Innovate the HITRUST MyCSF Tool
This year, HITRUST has rolled out substantial updates to the MyCSF SaaS Information Risk Management Platform and will continue to implement additional changes for the remainder of 2021.
The following five major enhancements are available in MyCSF:
- New workflow for all assessment types by streamlining our legacy assessment process steps and moving them into phases. This includes assigned owners for each phase to clarify ownership and reduce back-and-forth communications to generate reports.
- Web forms that eliminate manually prepared templates that are uploaded into MyCSF. These electronic tools put data directly into MyCSF to streamline and reduce redundancies within each assessment. This enhancement includes DocuSign for e-docs — so no more manual signing and uploading.
- Notifications that provide more information, clarity, and additional understanding of the steps required to complete the assessment.
- Streamlined quality assurance with task ticket creation and tracking, including completed assessment action items: who is assigned to each action item; what’s left to do; and how long any action items have been left open.
- A Kanban-style status dashboard with additional metadata and the ability to drill down into each phase of an assessment. This helps address common questions, such as how long an assessment has been in a particular phase, when the assessment was submitted, and an overview of remaining tasks.
These enhancements to MyCSF, along with the Assurance Intelligence Engine (AIE) and the MyCSF Compliance and Reporting Pack for HIPAA, all demonstrate how HITRUST is dedicated to innovating and making ongoing improvements that address the needs of the global HITRUST community.
#4 – Shared Responsibility Streamlines Security in the Cloud
With third-party service providers implementing and migrating their IT infrastructures into the cloud, shared responsibility for security between the ecosystem of third parties and their cloud providers is increasing in importance. During the “How the Shared Responsibility Program Streamlines Security in the Cloud” panel discussion, the participants talked about their approaches to gaining sufficient and timely assurances from cloud service providers. Antiquated methods of vendor governance over third-party risk management are no longer suited to managing a “cloudy” risk posture effectively and efficiently.
This session also provided a real-world, practical perspective from a leading cloud service provider (AWS) and a HITRUST customer (Intraprise Health) who shared how joint participation in the HITRUST Shared Responsibility and Inheritance Program enables a more strategic and SLA-driven approach to cloud-based customer compliance assurances.
#5 – Not All Cybersecurity and Privacy Assurances are Created Equal
Communicating and receiving information protection assurances is a critical part of risk management; however, knowing which assurance mechanisms to rely on, and when to do so, is easier said than done. Transparency and quality are paramount.
To help the HITRUST community understand how others are addressing this challenge, HITRUST hosted a panel, including representatives from UPMC and Schellman, that discussed how risk managers may find themselves relying too heavily on one type of assessment or unknowingly undervaluing another assessment. The panel also demystified what an appropriate level of assurance really means, discussed what makes an assessment report reliable, and explored which assessment reports are suitable for different scenarios.
Key Takeaways from HITRUST Collaborate 2021 Lead to Effective Risk Management, Compliance, and Information Protection
For IT security professionals responsible for safeguarding sensitive information, HITRUST Collaborate 2021 provided an opportunity to learn from and collaborate with colleagues to ultimately deliver more effective methods for risk management, compliance, and information protection, with transparency, quality, and reliability.
We hope you plan to join us in-person at Collaborate 2022 in Dallas, TX. We’ll announce the dates later this year.
About the Author
BJ Webb, Chief Marketing Officer, HITRUST
BJ is responsible for planning, developing, and executing the HITRUST marketing strategy and elevating the brand, ensuring that HITRUST messages are clearly communicated across channels and to targeted audiences. She oversees marketing communications, product marketing, lead generation, public relations, voice of the customer, and market research.
BJ earned her MBA from the University of Illinois Gies College of Business in 2020 with specializations in Digital Marketing, Strategic Innovation, and Finance. She also holds a certificate in Design Thinking from the University of Texas at Austin, a certificate in Data Driven Marketing from Cornell University, and a BS in Business Administration from the University of Illinois. BJ is also a HITRUST Certified CSF Practitioner.