Written by Jason Newman, Chief Information Security Officer at Blue Cross and Blue Shield of Minnesota.
If you’re a new CISO in healthcare starting from square one, with no HITRUST experience yet, a step in the right direction is to adopt the HITRUST CSF as the framework or foundation for your program. With it, you can be sure you have coverage across the various standards and regulations pertinent to the healthcare industry. You can also use it to identify which assets are most critical and which security safeguards are in place to protect them. Then you can move on to rolling out the safeguards your organization needs to address any identified risks or control gaps. Whether you are new or not, when you are ready to begin the rollout of the HITRUST CSF within your environment, start with a finite, risk-based scope. Don’t try to do it all at once. We hired a third-party service provider to help us only because we wanted to move fairly quickly. However, the HITRUST CSF is straightforward enough to do the work internally as well.
When we started our HITRUST CSF rollout, we looked at it more from an application perspective rather than by system. We ended up with ‘here’s our top 10 applications’. We then applied an inherent risk mindset to this view: which applications have high volumes of data, a large number of users, are accessed externally or remotely – all the different things that might factor into a basic application risk profile. Then we just moved through the CSF to understand, based upon what’s spelled out in the CSF, how we measure our risks with respect to those application environments.
From that position, you can then begin to see the common risk themes. Most systems leverage common processes or capabilities (a common provisioning and access management process, for example), so you begin to form basic risk themes around things like access control, access management, and policies; and from there you can begin to bring those risk themes together to get a clearer view of your key security risks. You can say, “Okay, based on the HITRUST CSF and the assessment of this clearly-defined scope, I now have a good understanding of what my big-ticket risk areas are going to be.”
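The application-first scoping described above (profile each application by inherent risk factors, take the top N into scope, then roll the assessment findings up into common risk themes) can be kept in a small script rather than a spreadsheet. The block below is an added example, not code from the article or from Blue Cross and Blue Shield of Minnesota; the application inventory, the gap findings, the factor weights and the control-domain labels are all constructed or assumed for illustration and are not HITRUST CSF identifiers.

```python
"""Inherent-risk scoping of an application inventory for a framework rollout.

Added example. The inventory, findings and weights below are constructed;
the domain labels are illustrative and not HITRUST CSF control references.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Application:
    name: str
    records: int           # approximate number of records held (constructed)
    users: int             # number of user accounts (constructed)
    external_access: bool  # reachable from the internet or by remote users
    phi: bool              # stores or processes protected health information


def inherent_risk_score(app: Application) -> int:
    """Score 0-100 from the factors the article names. Weights are assumed."""
    score = 0
    # Data volume contributes up to 40 points via simple thresholds.
    if app.records >= 1_000_000:
        score += 40
    elif app.records >= 100_000:
        score += 30
    elif app.records >= 10_000:
        score += 20
    elif app.records > 0:
        score += 10
    # User population contributes up to 20 points.
    if app.users >= 10_000:
        score += 20
    elif app.users >= 1_000:
        score += 15
    elif app.users >= 100:
        score += 10
    elif app.users > 0:
        score += 5
    # External/remote reachability and PHI are flat additions.
    if app.external_access:
        score += 25
    if app.phi:
        score += 15
    return score


def rank_by_inherent_risk(apps):
    """Highest inherent risk first; name breaks ties so ordering is stable."""
    return sorted(apps, key=lambda a: (-inherent_risk_score(a), a.name))


def select_scope(apps, top_n=3):
    """The finite, risk-based first scope: names of the top_n applications."""
    return [a.name for a in rank_by_inherent_risk(apps)[:top_n]]


def risk_themes(findings, scope):
    """Roll in-scope gap findings up by control domain to surface common themes."""
    return Counter(domain for app, domain in findings if app in scope)


# Constructed inventory (not real systems).
INVENTORY = [
    Application("Member Claims Portal", 2_500_000, 50_000, True, True),
    Application("Provider Directory", 50_000, 200, True, False),
    Application("Internal Marketing Tracker", 5_000, 30, False, False),
    Application("HR Benefits System", 20_000, 6_000, False, True),
    Application("Clinical Analytics Warehouse", 8_000_000, 400, False, True),
]

# Constructed gap findings: (application, control domain label).
FINDINGS = [
    ("Member Claims Portal", "Access Control"),
    ("Member Claims Portal", "Access Management"),
    ("Clinical Analytics Warehouse", "Access Management"),
    ("Provider Directory", "Access Control"),
    ("Provider Directory", "Policy"),
    ("HR Benefits System", "Access Management"),
    ("Internal Marketing Tracker", "Policy"),
]

if __name__ == "__main__":
    for app in rank_by_inherent_risk(INVENTORY):
        print(f"{inherent_risk_score(app):3d}  {app.name}")
    scope = set(select_scope(INVENTORY))
    print("Phase 1 scope:", sorted(scope))
    print("Risk themes:", dict(risk_themes(FINDINGS, scope)))
```

Running it ranks the portal, the warehouse and the provider directory into the first phase, and the theme counts show access control and access management as the big-ticket areas across that scope; the HR and marketing findings stay out of phase one, which is the point of a finite scope.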
With this in hand, you can take the results through your risk decision-making process and decide which safeguards are appropriate for those big-ticket areas given your organization’s risk tolerances. You can then form a plan, in the shape of a multi-step roadmap, outlining the remediation items needed to implement the safeguards that address your identified risks.
While we were implementing the HITRUST CSF, we continuously went back and validated the implementation against our requirements. We started to look at phase two, which consisted of additional components within our environment, measuring them against the HITRUST CSF. It was an ongoing effort – and continues to be as our systems and processes change.
Bringing as many of the things that matter as possible under the umbrella of your HITRUST framework is going to make managing your information risk and security management program easier.
Advice for CISOs Whose Organization Is Using HITRUST and Wants to Get More Out of It
Most companies start building the program with the HITRUST CSF to measure themselves and quickly realize they also need a way to measure third-party risk. I am seeing that a fair bit with my peers. The challenge we often discuss is consuming third-party risk information back into our programs in a consistent manner. To be successful in this, there’s some sort of translation that needs to occur.
For us, our third-party control assessment processes are HITRUST-based, whether we are talking about assessment questionnaires or risk assessment and reporting processes. The common language HITRUST provides is extremely beneficial in having productive conversations with not only our vendors but our internal business units as well. It takes away any perception that we are pulling requirements “out of thin air”, and the traceability we have to source standards (such as HIPAA) helps them understand exactly where we are coming from with our inquiries.
If you’re a HITRUST adopter but haven’t leveraged the HITRUST CSF as your foundation for third-party risk management, the third-party risk and controls assessment data won’t fit nicely into your program. You will either need to build that translation yourself or find a way to be consistent in how you evaluate and measure controls across anything and everything, whether it’s your own risk or that of your third parties.
Does Having This Program in Place Change the Way You Look at Your Larger Security Program?
The short answer is yes. The use of the HITRUST CSF has really helped us to focus on what matters, especially in terms of the risks that are most important to address for our business. I will concede that HITRUST is just a framework, so it’s not going to get into identifying specific technologies to use to obstruct adversaries and detect certain information security events – it’s your environment; you need to look at it with this framework in mind in terms of risk. However, the framework does help facilitate the discussions that lead to those types of decisions regarding the solutions needed and the operational processes to ensure they work. It’s really helped us focus our disciplines on making smart decisions based on risk, not security decisions based upon shiny new objects.
I think most organizations struggle with which areas of the business to focus on: do you focus on that one internal application the internal business team is using for marketing, or is it the external-facing portal that warrants the investment? What the HITRUST CSF can really do is help drive priorities, such as facilitating vulnerability and patch management decisions based upon asset type and risk.
Becoming a Better CISO
We live in a risky world. Some risks are worth taking, and some are not. By having this risk lens, I believe that I (or any CISO, for that matter) can come to the table with risk-based facts and educate a business leader as opposed to presenting a policy that reads “You can’t do this” or a presentation that leads with “It’s a big scary world out there” (which I think is a bad idea, by the way). Most leaders respect you when you say “Let’s have a dialogue around a security risk in the context of your business.”
This conversation is much more powerful. Security can be complex, so if you can boil security risks down into simpler business risk terms, then you’re back on a level playing field, speaking the same language and enabling an intelligent conversation. It really does make you a more effective CISO if you break through the fear, uncertainty and doubt (FUD) game and come to the table with the risks and potential solutions in a way that someone who’s not a security professional or even a technology professional can understand. To put it another way, using FUD-type concepts to get your points across doesn’t go over well around here.
My job is not to make business risk decisions for the company. My job is to provide business leaders with guidance and make sure they are informed of the risks and solution options, because ultimately, it’s their call. I advise on the fact-based risks so that our business leaders can make decisions based on real information, not misinformation or non-information.