Managing Business Risk with HITRUST: Leveraging Healthcare's Risk Management Framework
Uploaded by Matthew Chambers, 8 years ago
Transcription

Slide 1: Managing Business Risk with HITRUST: Leveraging Healthcare's Risk Management Framework
Slide 2: Introduction
This presentation is intended to address how an organization can implement the HITRUST Risk Management Framework (RMF) for healthcare, a more efficient, effective and consistent approach to managing risk in a healthcare environment. It is intended to:
- Describe the HITRUST RMF and its principal components
  - Common Security Framework (CSF)
  - CSF Assurance Program
  - Methods and tools
- Explain how the HITRUST RMF can be leveraged in an entity's risk management program
  - Selecting framework components to meet specific needs
  - Implementing the framework in a risk management program

Slide 3: HITRUST RMF Background (1)
Multitude of challenges:
- Significant oversight
- Evolving requirements
- Complex clinical and business relationships
- Uncertain standard of care: Reasonable & appropriate? Adequate protection?
HITRUST Risk Management Framework (RMF):
- Provides healthcare industry standard of due care and diligence
- Components include:
  - Common Security Framework (CSF)
  - CSF Assurance Program
  - Related methodologies, services and tools

Slide 4: HITRUST RMF Background (2)
Healthcare-centric RMF:
- Rationalizes healthcare-specific requirements
- Leverages international & U.S. RMFs: ISO/IEC series; NIST SP 800-series
- Single industry approach
Current, prescriptive & relevant:
- Risk-based vs. compliance-oriented
- Baselines tailored based on multiple risk factors
- Managed alternate control process
Consumable by organizations with limited resources:
- Free to qualified healthcare organizations
Provides industry standard of due diligence and due care:
- Specifies reasonable and appropriate controls
- Defines adequate protection
Now used by the State of Texas to support formal certification of a covered entity's compliance with state & federal privacy and security requirements, including HIPAA.

Slide 5: HITRUST RMF CSF (1)
The Common Security Framework (CSF) is:
- Specific to the healthcare industry
- Built by the healthcare industry
- Maintained by the healthcare industry
- Better for the healthcare industry

| Requirement                                              | CSF  | COBIT | PCI  | ISO     | NIST | HIPAA   |
|----------------------------------------------------------|------|-------|------|---------|------|---------|
| Comprehensive general security                           | Yes  | Yes   | Yes  | Yes     | Yes  | Partial |
| Comprehensive regulatory, statutory, and business req'ts | Yes  | No    | No   | No      | No   | No      |
| Prescriptive                                             | Yes  | No    | Yes  | Partial | Yes  | No      |
| Practical and scalable                                   | Yes  | Yes   | No   | No      | No   | Yes     |
| Audit or assessment guidelines                           | Yes  | Yes   | Yes  | Yes     | Yes  | No      |
| Certifiable                                              | Yes  | Yes   | Yes  | Yes     | No*  | No      |
| Support for third-party assurance                        | Yes  | Yes   | Yes  | Yes     | No   | No      |
| Open and transparent update process                      | Yes  | No    | Yes  | Yes     | Yes  | Yes     |
| Cost                                                     | Free | Free  | Free | Subsc.  | Free | Free    |

* Not certifiable at the organizational level; system-level only

Slide 6: HITRUST RMF CSF (2)
Integrated, rationalized framework:
- ISO provides the foundation
- NIST provides additional prescription
Authoritative sources include:
- 16 CFR Part 681 (Identity Theft Red Flags)
- 201 CMR (State of Massachusetts Data Protection Act)
- Cloud Security Alliance (CSA) Cloud Controls Matrix v1
- CMS Information Security ARS 2010 v1
- COBIT 4.1 and 5
- Encryption & Destruction Guidance, Federal Register 45 CFR Parts 160 & 164
- Federal Register 21 CFR Part 11
- HIPAA, Federal Register 45 CFR Part 164 Sections 308, 310, 312, 314, 316
- ISO/IEC 27002:2005
- ISO/IEC 27799:2008
- HITECH Act, Federal Register 45 CFR Parts 160 and 164
- Joint Commission
- NIST Special Publication r4
- NIST Special Publication
- NRS: Chapter 603A (State of Nevada)
- PCI Data Standard v2
- Texas Health and Safety Code 181 and Texas Administrative Code 390 (State of Texas)
Enhanced annually with updates to existing sources and additional sources added as appropriate.

Slide 7: HITRUST RMF CSF (3)
The CSF contains 135 controls organized into 13 domains:
- Information Security Mgmt Program
- Access Control
- Human Resources Security
- Risk Management
- Security Policy
- Organization of Information Security
- Compliance
- Asset Management
- Physical and Environmental Security
- Communications and Operations Mgmt
- Information Systems Acquisition, Development and Maintenance
- Information Security Incident Management
- Business Continuity Management
Controls are grouped into 3 levels based on 3 types of risk factors.

Slide 8: HITRUST RMF CSF (4)
Risk factors used to determine implementation level:
Organizational:
- Volume of business (e.g., patient visits)
- Geographic scope (e.g., multi-state)
Regulatory:
- PCI compliance
- FISMA compliance
- FTC Red Flags Rules
- HITECH breach notification requirements
- Massachusetts Data Protection Act
- Nevada Security of Personal Information
- Joint Commission accreditation
- CMS Minimum Security Requirements (HIGH)
System:
- Stores, processes or transmits PHI
- Accessible from the Internet
- Access by a third party
- Exchanges data with a third party or business associate
- Publicly accessible
- Mobile devices are used
- Connects with an HIE
- Number of interfaces to other (external) systems
- Number of users
- Number of transactions/day

Slide 9: HITRUST RMF CSF (5)
Each implementation level is cross-referenced with all applicable authoritative sources.
Slide 10: HITRUST RMF CSF Assurance (1)
- Significant risks from sharing health data
- Organizations facing multiple and varied assurance requirements from a variety of parties
- Increasing pressure and penalties associated with enforcement efforts, e.g., HIPAA/HITECH & TX standards
- Inordinate level of effort on negotiation of requirements, data collection, assessment and reporting
- Risk increasingly addressed through the CSF Assurance Program
  - Many healthcare entities accept CSF validated and certified reports for evaluating third-party information protection
  - Six (6) major institutions now transitioning to require CSF validated or certified reports (HITRUST news)

Slide 11: HITRUST RMF CSF Assurance (2)
CSF Assurance Program:
- Provides a common set of information security requirements, assessment tools and reporting processes
- Reduces the number and costs of business partner security assessments
- HITRUST governance and quality control enable trust between third parties

Slide 12: HITRUST RMF CSF Assurance (3)
Cost-effective risk assessment:
- Focuses on 63 high-risk controls (based on historical breach data analysis & HIPAA implementation requirements)
- "Organizations can use targeted risk assessments, in which the scope is narrowly defined, to produce answers to specific questions or to inform specific decisions[,] have maximum flexibility on how risk assessments are conducted, [and] are encouraged to use guidance in a manner that most effectively and cost-effectively provides the information necessary to senior leaders/executives to facilitate informed decisions." (NIST guidance)

Slide 13: HITRUST RMF CSF Assurance (4)
Examples of requirement statements in the baseline assessment questionnaire:
- The organization has a formal information protection program based on an accepted industry framework that is reviewed and updated as needed
- The security policies are regularly reviewed, updated and communicated throughout the organization
- Firewalls are configured to deny or control any traffic from a wireless environment into the covered data environment
- The access authorization process addresses requests for access, changes to access, removal of access, and emergency access
- The organization maintains and updates a formal, comprehensive program to manage the risk associated with the use of information assets
- The organization has formally appointed a data protection officer responsible for the privacy of covered information

Slide 14: HITRUST RMF CSF Assurance (5) - Defined Assessment Methodology
HITRUST leverages the concepts and rating scheme of the NISTIR 7358 standard, Program Review for Information Security Management Assistance (PRISMA), to rate an organization's security management program.

| Level          | Description |
|----------------|-------------|
| 1. Policy      | Current, documented information security policies or standards in the organization's information security program fully address the control's implementation specifications. |
| 2. Procedures  | Documented procedures or processes developed from the policies or standards reasonably apply to the organizational units and systems within scope of the assessment. |
| 3. Implemented | Implementation specifications are applied to all the organizational units and systems within scope of the assessment. |
| 4. Measured    | Testing or measurement (metrics) of the specification's implementation is conducted to determine if they continue to remain effective. |
| 5. Managed     | Control implementations are actively managed based on testing or measurement (metrics). |

Slide 15: HITRUST RMF CSF Assurance (6) - Defined Assessment Methodology
The HITRUST control maturity model also incorporates the following 5-point compliance scale, which is used to rate each level in the model.

| Score                    | Description |
|--------------------------|-------------|
| Non-Compliant (NC)       | Very few if any of the elements in the requirement statement exist for the maturity level evaluated (policy, procedure, implemented, measured or managed). Rough numeric equivalent of 0% (point estimate) or 0% to 12% (interval estimate). |
| Somewhat Compliant (SC)  | Some of the elements in the requirement statement exist for the maturity level evaluated (policy, procedure, implemented, measured or managed). Rough numeric equivalent of 25% (point estimate) or 13% to 37% (interval estimate). |
| Partially Compliant (PC) | About half of the elements in the requirement statement exist for the maturity level evaluated (policy, procedure, implemented, measured or managed). Rough numeric equivalent of 50% (point estimate) or 38% to 62% (interval estimate). |
| Mostly Compliant (MC)    | Many but not all of the elements in the requirement statement exist for the maturity level evaluated (policy, procedure, implemented, measured or managed). Rough numeric equivalent of 75% (point estimate) or 63% to 87% (interval estimate). |
| Fully Compliant (FC)     | Most if not all of the elements in the requirement statement exist for the maturity level evaluated (policy, procedure, implemented, measured or managed). Rough numeric equivalent of 100% (point estimate) or 88% to 100% (interval estimate). |

Slide 16: HITRUST RMF CSF Assurance (7)
Controls grouped into key areas to improve efficiency and support focused assessment by subject matter experts:
- Information Protection Program
- Endpoint Protection
- Portable Media Security
- Mobile Device Security
- Wireless Protection
- Configuration Management
- Vulnerability Management
- Network Protection
- Transmission Protection
- Password Management
- Access Control
- Audit Logging & Monitoring
- Education, Training & Awareness
- Third Party Security
- Incident Management
- Business Continuity & Disaster Recovery
- Risk Management
- Physical & Environmental Security
- Data Protection & Privacy

Slide 17: HITRUST RMF CSF Assurance (8) - Defined Assessment Methodology
Example requirement statement: 01.a, Access Control Policy. Access control rules and rights for each user or group of users for each application are clearly defined in standard user access profiles (e.g., roles) based on need-to-know, need-to-share, least privilege and other relevant requirements.

| Level          | Illustrative Procedures |
|----------------|-------------------------|
| 1. Policy      | Obtain and examine the access control policy to determine if requirements for establishing access control rules and rights for each user or a group of users are defined. |
| 2. Procedures  | Obtain and examine access control procedure documentation to determine if a process is defined for defining and assigning access control rules and rights to each user or groups of users. |
| 3. Implemented | Interview the individual(s) responsible for access management to determine if a process has been implemented for defining and assigning access control rules and rights to each user or groups of users in accordance with the documented procedures. For a sample of users and systems, determine if access profiles are enforced for each user or group of users in accordance with the user and/or group's roles and responsibilities. |
| 4. Measured    | Interview key personnel to determine if reviews, tests or audits are completed by the organization to verify users and groups of users are assigned appropriate user access roles. |
| 5. Managed     | Obtain and examine supporting documentation maintained as evidence of these reviews, tests or audits to determine if issues identified were investigated and corrected. |

Slide 18: HITRUST RMF CSF Assurance (9) - Defined Assessment Methodology
PRISMA-based control maturity model supports repeatable likelihood estimates. For any CSF requirement statement, the response is a 5 x 5 matrix:
- Rows, with the points available for each level: Policy (25), Procedures (25), Implemented (25), Measured (15), Managed (10)
- Columns, with their definitions: NC = Non-Compliant (0%), SC = Somewhat Compliant (25%), PC = Partially Compliant (50%), MC = Mostly Compliant (75%), FC = Fully Compliant (100%)
- Each row carries a single X in the column for its compliance rating (the positions of the X marks on the slide were not transcribed)
- The example in the table yields a maturity score of 66, or a maturity rating of 3
Maturity level cutoffs (PRISMA score): < 10, < 19, < 27, < 36, < 45, < 53, < 62, < 71, < 79, < 83, < 87, < 90, < 94, < 98, < 100
The model supports reporting of scores across controls, objectives, domains, etc.

Slide 19: HITRUST RMF CSF Assurance (10) - Defined Assessment Methodology
The rating obtained by assessing against the PRISMA-based model is an indicator of an organization's ability to protect information in a sustainable manner.
Slide 20: HITRUST RMF CSF Assurance (11) - Defined Assessment Methodology
- Addition of non-contextual impact ratings supports risk calculations (included in the Risk Analysis Guide for HITRUST Organizations & Assessors)
  - Derived from work performed by the Defense Department
- Risk ratings support the HIPAA risk analysis requirement and remediation (corrective action) planning
- Rollup of risk ratings can be performed similar to the maturity scores
- High impact yields risk of .272, score of 73 & grade of C for the prior example
- See the Risk Analysis Guide for HITRUST Organizations & Assessors for details: https://[host not transcribed]/blog/risk_analysis_guide_now_available
- Addition of non-contextual impact ratings provides initial risk estimates for analysis
- Maturity and risk calculations support internal baselines and external benchmarking

Slide 21: HITRUST RMF CSF Assurance (12)
CSF Certified Assessor Organizations:
- Must meet specific requirements for their assessment methods and tools, including experience and qualifications of personnel
  - Ensures assessment results are consistent and repeatable regardless of the assessor selected by an organization
  - Provides high levels of assurance when exchanging risk information with regulators and business partners
  - Refer to [URL not transcribed] for more information on program requirements
- Include a broad cross-section of organizations focused on various types and sizes of healthcare entities
  - CSF Assessors include such organizations as AT&T Consulting; CoalFire Systems, Inc.; Epstein Becker & Green, PC; Ernst & Young LLP; PricewaterhouseCoopers LLP; and UHY Advisors
  - Refer to [URL not transcribed] for a complete list

Slide 22: HITRUST RMF CSF Assurance (13)
Degrees of assurance:
- Self-assessments conducted by a low-risk BA or other partner
- Third-party assessments provide independent assurances
  - Certified report issued when minimal compliance is demonstrated
  - Validated report results when certification requirements aren't met
- "Assess once, report many" model allows for standardization and efficiency across the industry

Slide 23: HITRUST RMF CSF Assurance (14)
CSF Validated Self-Assessment:
- Assessed entity completes a baseline assessment questionnaire within the MyCSF tool
  - Focuses on the 63 controls required for certification
  - May be expanded to include additional controls to demonstrate compliance with specific requirements or standards, e.g., Texas Covered Entity Privacy and Security Certification, or to provide greater assurances to internal & external stakeholders
    - Baseline: consolidated requirements for 63 high-risk controls
    - Comprehensive: consolidated requirements for all 135 controls
- HITRUST performs very limited validation of the results and issues a CSF Validated Self-Assessment report

Slide 24: HITRUST RMF CSF Assurance (15)
CSF Validated Third-Party Assessment:
- Assessed entity completes baseline questionnaire within the MyCSF tool
  - May be expanded as needed (e.g., comprehensive or detailed assessment)
- Additional on-site testing is performed by a third-party CSF Assessor
  - Interviews, documentation reviews, walkthroughs, technical testing
- Questionnaire and supporting documentation sent to HITRUST for review
  - HITRUST performs an increased level of quality review of assessment results
- HITRUST issues a CSF Validated report
CSF Certified Third-Party Assessment:
- Organization meets all CSF certification requirements
  - All 63 controls meet minimum implementation requirements
  - Corrective action plans for controls that are not fully implemented
  - Risk formally accepted for low-risk control requirements
- May be expanded as needed (e.g., comprehensive assessment)

Slide 25: HITRUST RMF Methods & Tools (1)
Methods and guidance documents provide significant support to the HITRUST community. For example, the Risk Analysis Guide for HITRUST Organizations and Assessors provides guidance and process for conducting a risk assessment of alternate (compensating) controls, including a rubric for assessing the validity/rigor of the risk analysis:
- Are threats appropriately identified & described?
- Is the alternate control adequately specified?
- Is the risk analysis adequate (reasonable, correct/accurate)?
- Are compensating controls specified if an equivalent type and amount of risk is not addressed?
- Are additional risk issues ("unintended consequences") identified & described?
- Are compensating controls adequately specified for any additional risk issues ("unintended consequences")?
- Are all risks addressed satisfactorily (i.e., is there a rough equivalency)?
- Are any unmitigated risks formally identified and accepted by management?

Slide 26: HITRUST RMF Methods & Tools (2)
HITRUST Central:
- User portal
  - HITRUST RMF content
  - News / updates
  - Blogs / chats
- TX Certification support
  - Provide specific guidance
  - Address user questions

Slide 27: HITRUST RMF Methods & Tools (3)
MyCSF:
- Fully managed and supported tool incorporating CSF and CSF Assurance
- Leverages illustrative procedures for assessing controls
- Workflow management for assessments and remediation
- Documentation repository for test plans, CAPs, and supporting documentation
- Dashboards and reporting; benchmarking data
- Automated submission of assessments for validation and certification

Slide 28: Leveraging the RMF
- Like ISO and NIST, the HITRUST RMF consists of multiple components, including standards, methods and tools
- Many components are "mix and match" depending on an organization's needs
  - CSF provides industry standard for due diligence and due care
  - CSF Assurance provides consistent and repeatable sharing of risk information with business partners, customers and regulators
  - CSF tools like HITRUST Central and MyCSF provide assessment and implementation support
Slide 29: Leveraging the RMF - Selecting Components (1)
CSF provides industry standard for due diligence and due care:
- Use as reference for industry best practices
  - Use as baseline for comparison with internal control framework
  - Use to identify additional requirements or practices to supplement internal control framework
  - Use to identify control requirements for third-party contracts
- Use as basis for internal control framework
  - Use as basis for selecting third-party contract requirements
  - Use as basis for asserting compliance with federal and state requirements

Slide 30: Leveraging the RMF - Selecting Components (2)
CSF Assurance supports sharing of risk information (internal/external):
- Methodology (assessment, scoring)
  - Basis for internal risk assessment of controls, regardless of framework
  - Basis for evaluating impact, likelihood & risk in a consistent, repeatable way
    - General risk to the organization
    - Specific risks associated with deficiencies & prioritization of corrective action plans
    - Specific risks associated with selection of alternate/compensating controls
    - Risk acceptance
- Self-assessments
  - Basis for shared assurance
  - Demonstrate good-faith compliance efforts
- Remote assessments
  - TX certification of small providers w/ <$15M annual revenue
- Third-party assessments
  - Basis for a higher level of shared assurance
  - Provide high-assurance demonstration of compliance efforts
  - Obtain formal CSF and/or TX certification

Slide 31: Leveraging the RMF - Selecting Components (3)
CSF tools provide various types and levels of implementation support:
- HITRUST Central
  - Forum for communication among peers in health information protection
  - Repository for CSF and CSF Assurance-related documentation, e.g., CSF cross-references with authoritative sources or whitepapers on specific topics like risk analysis
- MyCSF
  - Automated support for managing assessment workflows and generating dashboards
  - Automated support for submission of self-, remote and third-party assessments for HITRUST quality review and the generation of HITRUST assessment reports and TX certification recommendations
- MyCSF Plus
  - Automated support for prioritizing and managing corrective actions to address control deficiencies identified through self-, remote or third-party assessment
- Additional tools/support
  - Cyber Threat Intelligence and Incident Coordination Center (C3)
  - Training for HITRUST Certified CSF Practitioner (CCSFP) and (ISC)2 HealthCare Information Security and Privacy Practitioner (HCISPP) candidates
  - HITRUST Conferences

Slide 32: Leveraging the RMF - Implementing Components (1)
General approach for implementing the CSF in an entity's information security and privacy risk management program:
- Implement controls through normal budgetary, project and operational work processes
- Integration leverages multiple RMF components

Slide 33: Leveraging the RMF - Implementing Components (2)
Risk management architecture (figure not transcribed; 2009, 2010 by Bryan S. Cline, Ph.D.)

Slide 34: Leveraging the RMF - Implementing Components (3)
Risk program architecture (figure not transcribed; by Bryan S. Cline, Ph.D.)

Slide 35: Leveraging the RMF - Implementing Components (4)
Resource planning (figure not transcribed; by Bryan S. Cline, Ph.D.)

Slide 36: Leveraging the RMF - Implementing Components (5)
Resource planning (continued): mapping personnel resources to CSF controls and information security and privacy risk management services (figure not transcribed; by Bryan S. Cline, Ph.D.)

Slide 37: Leveraging the RMF - Implementing Components (6)
Improvement planning (figure not transcribed)

Slide 38: Leveraging the RMF - Implementing Components (7)
Work planning (figure not transcribed)

Slide 39: Leveraging the RMF - Implementing Components (8)
Work prioritization: use impact to determine the risk of a control deficiency.
- One way of computing risk using HITRUST's PRISMA-based approach is:
  R = L x I = [(100 - MS) / 100] x [(IR - 1) x 25]
  where R = risk, L = likelihood, I = impact, MS = HITRUST CSF control maturity score, and IR = impact rating
- HITRUST provides impact ratings for all 135 controls contained in the CSF, some of which are provided in the table on the right (table not transcribed)
- Ratings are:
  - Based on an analysis of impact ratings provided by the Department of Defense for controls contained in their RMF
  - Non-contextual, in that they do not consider other variables in the environment such as the status of other controls
  - Meant to provide an indicator of the relative impact among the controls in the CSF, all else being equal
  - May be adjusted based on contextual factors for use by an organization, e.g., internal risk reporting and CAP prioritization
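The PRISMA-based scoring on slides 15, 18 and 20 and the risk formula on slide 39, carried through in code. This is an added example, not HITRUST's own tooling: the level points, compliance percentages, cutoff table and formula are taken from the slides, while the sample 5 x 5 response, the 1-/1/1+ ... 5+ labelling of the 15 cutoff bins, the fractional impact scale and the 100 x (1 - R) risk score are assumptions, each marked as such in the comments.

```python
"""PRISMA-based maturity score, maturity rating and risk, following the
HITRUST slides above. Added example with a constructed sample response;
not HITRUST's own code or data."""

from typing import Dict

# Points available per maturity level (slide 18).
LEVEL_POINTS: Dict[str, int] = {
    "policy": 25, "procedures": 25, "implemented": 25, "measured": 15, "managed": 10,
}

# Compliance scale, point estimates (slides 15 and 18): NC, SC, PC, MC, FC.
COMPLIANCE_PCT: Dict[str, float] = {"NC": 0.0, "SC": 0.25, "PC": 0.50, "MC": 0.75, "FC": 1.00}

# Upper cutoffs of the 15 maturity bins on slide 18. The slide only says that
# a score of 66 is "a maturity rating of 3"; labelling the bins 1-, 1, 1+ ...
# 5-, 5, 5+ is an assumption, chosen because it puts 66 in the bin named "3".
RATING_CUTOFFS = [10, 19, 27, 36, 45, 53, 62, 71, 79, 83, 87, 90, 94, 98, 100]
RATING_LABELS = [f"{n}{s}" for n in range(1, 6) for s in ("-", "", "+")]


def maturity_score(response: Dict[str, str]) -> float:
    """Weighted sum of level points x compliance percentage.

    `response` maps each level to NC/SC/PC/MC/FC; a level that is missing is
    treated as Non-Compliant (the conservative reading).
    """
    score = 0.0
    for level, points in LEVEL_POINTS.items():
        rating = response.get(level, "NC")
        if rating not in COMPLIANCE_PCT:
            raise ValueError(f"unknown compliance rating {rating!r} for {level}")
        score += points * COMPLIANCE_PCT[rating]
    return score


def maturity_rating(score: float) -> str:
    """Map a 0-100 maturity score onto the 15-bin PRISMA rating scale."""
    if not 0 <= score <= 100:
        raise ValueError("maturity score must be between 0 and 100")
    for cutoff, label in zip(RATING_CUTOFFS, RATING_LABELS):
        if score < cutoff:
            return label
    return RATING_LABELS[-1]  # a perfect 100 lands in the top bin


def impact_from_rating(impact_rating: float) -> float:
    """I = (IR - 1) x 25 from slide 39, returned as a fraction of 100 so that
    IR = 1 gives 0.0 and IR = 5 gives 1.0 (assumed normalisation)."""
    if not 1 <= impact_rating <= 5:
        raise ValueError("impact rating must be between 1 and 5")
    return (impact_rating - 1) * 25 / 100


def risk(maturity: float, impact: float) -> float:
    """R = L x I with L = (100 - MS) / 100 (slide 39)."""
    return ((100 - maturity) / 100) * impact


def risk_score(r: float) -> int:
    """100 x (1 - R), rounded. Assumption: this reading turns the slide's
    R = .272 into its "score of 73"; the letter-grade scale is not on the slides."""
    return round(100 * (1 - r))


# Constructed 5 x 5 response, one rating per row. The X positions on slide 18
# did not survive transcription; this sample is chosen to reproduce the
# slide's maturity score of 66 (66.25 before rounding).
SAMPLE_RESPONSE = {
    "policy": "FC", "procedures": "MC", "implemented": "MC", "measured": "SC", "managed": "NC",
}


def example() -> dict:
    """Run the sample through score, rating and the slide 39 risk formula."""
    ms = maturity_score(SAMPLE_RESPONSE)
    # Slide 20 reports R = .272 for "high impact" on this example. With
    # L = 0.34 that requires an impact term of 0.80, i.e. IR = 4.2 on the
    # formula's scale: inferred from the slide's numbers, not stated on it.
    high_impact = impact_from_rating(4.2)
    r = risk(round(ms), high_impact)
    return {
        "maturity_score": round(ms),
        "maturity_rating": maturity_rating(ms),
        "risk": round(r, 3),
        "risk_score": risk_score(r),
    }


if __name__ == "__main__":
    for key, value in example().items():
        print(f"{key}: {value}")
```

Running the block prints the score of 66, rating 3, risk 0.272 and risk score 73 that the slides quote for the example; feeding it a real MyCSF response would need only the five ratings per requirement statement.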
Slide 40: Leveraging the RMF - Implementing Components (9)
Use priority codes to help prioritize work with similar risk.
- HITRUST provides priority codes for all 135 controls contained in the CSF, some of which are provided in the table on the right (table not transcribed)
- Codes are:
  - Based on an analysis of priorities provided by NIST for the controls contained in their RMF
  - Meant to provide an indicator of implementation dependencies among the controls in the CSF
- Utility of priority codes will depend on the deficiencies evaluated
  - Example based on a single deficient requirement for 4 controls for business continuity (example not transcribed)

Slide 41: Summary / Conclusion
The state of healthcare security & privacy:
- Constant change in the threat & regulatory landscape
- Complex business and clinical relationships increase risk
HITRUST is the only information protection body that:
- Is devoted to the healthcare industry and its unique needs, and
- Has provided standards-based certification since 2008
- Supports the Texas Covered Entity Privacy and Security Certification
HITRUST RMF consists of multiple reinforcing components:
- CSF: harmonized set of tailorable safeguards
- CSF Assurance: standardized, cost-effective assessment & reporting
- Tools: general support for the healthcare information protection community
Many ways for an entity to leverage RMF components:
- CSF: best-practice reference through full adoption of control requirements
- CSF Assurance: best-practice reference through CSF & TX certification
- Tools: information sharing through automated assessment & reporting support

Slide 42: Questions?
HITRUST RMF, CSF, Assessment & Risk Analysis Methodologies:
Dr. Bryan Cline, CISSP-ISSEP, CISM, CISA, ASEP, CCSFP
CISO & VP, CSF Development & Implementation
(469) [remainder of phone number not transcribed] * Bryan.Cline@HITRUSTalliance.net
CSF Assurance Program:
Michael Frederick, CISSP, CCSFP
VP, Assurance Services
(469) [remainder of phone number not transcribed] * Michael.Frederick@HITRUSTalliance.net
2013 HITRUST, Frisco, TX. All Rights Reserved.
More informationCompliance, Security and Risk Management Relationship Advice. Andrew Hicks, Director Coalfire
Compliance, Security and Risk Management Relationship Advice Andrew Hicks, Director Coalfire Housekeeping You may submit questions throughout the webinar using the question area in the control panel on
More informationStrategies for Integra.ng the HIPAA Security Rule
Strategies for Integra.ng the HIPAA Rule Kaiser Permanente: Charles Kreling, Execu.ve Director Sherrie Osborne, Director Paulina Fraser, Director Professional Strategies S21 2013 Fall Conference Sail to
More informationIBM Internet Security Systems October 2007. FISMA Compliance A Holistic Approach to FISMA and Information Security
IBM Internet Security Systems October 2007 FISMA Compliance A Holistic Approach to FISMA and Information Security Page 1 Contents 1 Executive Summary 1 FISMA Overview 3 Agency Challenges 4 The IBM ISS
More informationSensitive Data Management: Current Trends in HIPAA and HITRUST
Sensitive Data Management: Current Trends in HIPAA and HITRUST Presented by, Cal Slemp Managing Director, New York, NY June 12, 2012 Speaker Presenter Topic Objective Cal Slemp Managing Director, New York
More informationDeveloping National Frameworks & Engaging the Private Sector
www.pwc.com Developing National Frameworks & Engaging the Private Sector Focus on Information/Cyber Security Risk Management American Red Cross Disaster Preparedness Summit Chicago, IL September 19, 2012
More informationLooking at the SANS 20 Critical Security Controls
Looking at the SANS 20 Critical Security Controls Mapping the SANS 20 to NIST 800-53 to ISO 27002 by Brad C. Johnson The SANS 20 Overview SANS has created the 20 Critical Security Controls as a way of
More informationOur Commitment to Information Security
Our Commitment to Information Security What is HIPPA? Health Insurance Portability and Accountability Act 1996 The HIPAA Privacy regulations require health care providers and organizations, as well as
More informationNEC Managed Security Services
NEC Managed Security Services www.necam.com/managedsecurity How do you know your company is protected? Are you keeping up with emerging threats? Are security incident investigations holding you back? Is
More informationAN OVERVIEW OF INFORMATION SECURITY STANDARDS
AN OVERVIEW OF INFORMATION SECURITY STANDARDS February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced
More informationPCI Compliance and the Cloud: What You Can and What You Can t Outsource Presented By:
PCI Compliance and the Cloud: What You Can and What You Can t Outsource Presented By: Peter Spier Managing Director PCI and Risk Assurance Fortrex Technologies Agenda Instructor Biography Background On
More informationGuided HIPAA Compliance
Guided HIPAA Compliance HIPAA Solutions for Office Managers and Practitioners SecurityMetrics We protect business Since its founding in 2000, privately-held SecurityMetrics has grown from a small security
More informationSecurity Controls What Works. Southside Virginia Community College: Security Awareness
Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction
More information08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview
Data protection and compliance In the cloud and in your data center 1 November 2013 Agenda 1 Introduction 2 Data protection overview 3 Understanding the cloud 4 Where do I start? 5 Wrap-up Page 2 Data
More informationPlease Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box 80278 Portland, OR 97280 503-384-2538 877-376-1981 503-384-2539 Fax
Please Read This business associate audit questionnaire is part of Apgar & Associates, LLC s healthcare compliance resources, Copyright 2014. This questionnaire should be viewed as a tool to aid in evaluating
More informationService Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard
Information Systems Audit and Controls Association Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard February 4, 2014 Tom Haberman, Principal, Deloitte & Touche LLP Reema Singh,
More informationEcom Infotech. Page 1 of 6
Ecom Infotech Page 1 of 6 Page 2 of 6 IBM Q Radar SIEM Intelligence 1. Security Intelligence and Compliance Analytics Organizations are exposed to a greater volume and variety of threats and compliance
More informationThird Party Security: Are your vendors compromising the security of your Agency?
Third Party Security: Are your vendors compromising the security of your Agency? Wendy Nather, Texas Education Agency Michael Wyatt, Deloitte & Touche LLP TASSCC Annual Conference 3 August 2010 Agenda
More informationConsolidated Audit Program (CAP) A multi-compliance approach
Consolidated Audit Program (CAP) A multi-compliance approach ISSA CONFERENCE Carlos Pelaez, Director, Coalfire May 14, 2015 About Coalfire We help our clients recognize and control cybersecurity risk,
More informationFFIEC Cybersecurity Assessment Tool
Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,
More informationData Security Standard (DSS) Compliance. SIFMA June 13, 2012
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance SIFMA June 13, 2012 EisnerAmper Consulting Services Group Overview of EisnerAmper Fifth fhlargest accounting firm in the Metro New York
More informationDecrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use
Click to edit Master title style Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Andy Petrovich, MHSA, MPH M-CEITA / Altarum Institute April 8, 2015 4/8/2015 1 1 Who is M-CEITA?
More informationHITRUST Common Security Framework Summary of Changes
HITRUST Common Security Framework Summary of Changes Apr-14 CSF 2014 V6.1 Incorporates changes in PCI-DSS v3 and updates stemming from the HIPAA Omnibus Final Rule. Includes mappings to the v1. Fundamental
More informationWhite Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI
White Paper Achieving PCI Data Security Standard Compliance through Security Information Management White Paper / PCI Contents Executive Summary... 1 Introduction: Brief Overview of PCI...1 The PCI Challenge:
More informationHITECH & The Cloud: Control and Accessibility of Data Downstream
HITECH & The Cloud: Control and Accessibility of Data Downstream David Holtzman, OCR (Moderator) James Koenig, Privacy Leader; Health Information Privacy & Security Practice Co-Leader, PricewaterhouseCoopers
More informationHIPAA and HITECH Compliance for Cloud Applications
What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health
More informationSecure HIPAA Compliant Cloud Computing
BUSINESS WHITE PAPER Secure HIPAA Compliant Cloud Computing Step-by-step guide for achieving HIPAA compliance and safeguarding your PHI in a cloud computing environment Step-by-Step Guide for Choosing
More information3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance
3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014 Continuous Education Services (elearning/workshops) Compliance Management Portals Information Security
More informationAn Overview of Information Security Frameworks. Presented to TIF September 25, 2013
An Overview of Information Security Frameworks Presented to TIF September 25, 2013 What is a framework? A framework helps define an approach to implementing, maintaining, monitoring, and improving information
More informationPCI DSS READINESS AND RESPONSE
PCI DSS READINESS AND RESPONSE EMC Consulting Services offers a lifecycle approach to holistic, proactive PCI program management ESSENTIALS Partner with EMC Consulting for your PCI program management and
More informationIT Cloud / Data Security Vendor Risk Management Associated with Data Security. September 9, 2014
IT Cloud / Data Security Vendor Risk Management Associated with Data Security September 9, 2014 Speakers Brian Thomas, CISA, CISSP In charge of Weaver s IT Advisory Services, broad focus on IT risk, security
More informationCloud Security and Managing Use Risks
Carl F. Allen, CISM, CRISC, MBA Director, Information Systems Security Intermountain Healthcare Regulatory Compliance External Audit Legal and ediscovery Information Security Architecture Models Access
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationSHARED ASSESSMENTS PROGRAM STANDARDIZED INFORMATION GATHERING (SIG) QUESTIONNAIRE
SHARED ASSESSMENTS PROGRAM STANDARDIZED INFORMATION GATHERING (SIG) QUESTIONNAIRE The Shared Assessments Trust, But Verify Model The Shared Assessments Program Tools are used for managing the vendor risk
More informationBringing Box into HIPAA Alignment. Bob Flynn & Anurag Shankar University Information Technology Services Indiana University
Bringing Box into HIPAA Alignment Bob Flynn & Anurag Shankar University Information Technology Services Indiana University Outline 1. Introduction 2. Service Partnership 3. Legal Requirements 4. Risk Management
More informationThe Value of Vulnerability Management*
The Value of Vulnerability Management* *ISACA/IIA Dallas Presented by: Robert Buchheit, Director Advisory Practice, Dallas Ricky Allen, Manager Advisory Practice, Houston *connectedthinking PwC Agenda
More informationThe Impact of HIPAA and HITECH
The Health Insurance Portability & Accountability Act (HIPAA), enacted 8/21/96, was created to protect the use, storage and transmission of patients healthcare information. This protects all forms of patients
More informationWell-Documented Controls Reduce Risk and Support Compliance Initiatives
White Paper Risks Associated with Missing Documentation for Health Care Providers Well-Documented Controls Reduce Risk and Support Compliance Initiatives www.solutionary.com (866) 333-2133 Many Health
More informationCorporate Overview. MindPoint Group, LLC 8078 Edinburgh Drive, Springfield, VA 22153 Office: 703.636.2033 Fax: 866.761.7457 www.mindpointgroup.
Corporate Overview MindPoint Group, LLC 8078 Edinburgh Drive, Springfield, VA 22153 Office: 703.636.2033 Fax: 866.761.7457 www.mindpointgroup.com IS&P Practice Areas Core Competencies Clients & Services
More informationUsing the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6
to Assess Cybersecurity Preparedness 1 of 6 Introduction Long before the signing in February 2013 of the White House Executive Order Improving Critical Infrastructure Cybersecurity, HITRUST recognized
More informationHealth Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper
Regulatory Compliance Solutions for Microsoft Windows IT Security Controls Supporting DHS HIPAA Final Security Rules Health Insurance Portability and Accountability Act Enterprise Compliance Auditing &
More informationCybersecurity The role of Internal Audit
Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government
More informationVendor Risk Management Financial Organizations
Webinar Series Vendor Risk Management Financial Organizations Bob Justus Chief Security Officer Allgress Randy Potts Managing Consultant FishNet Security Bob Justus Chief Security Officer, Allgress Current
More informationArchitecting Security to Address Compliance for Healthcare Providers
Architecting Security to Address Compliance for Healthcare Providers What You Need to Know to Help Comply with HIPAA Omnibus, PCI DSS 3.0 and Meaningful Use November, 2014 Table of Contents Background...
More informationA Flexible and Comprehensive Approach to a Cloud Compliance Program
A Flexible and Comprehensive Approach to a Cloud Compliance Program Stuart Aston Microsoft UK Session ID: SPO-201 Session Classification: General Interest Compliance in the cloud Transparency Responsibility
More informationGuidance on Risk Analysis Requirements under the HIPAA Security Rule
Guidance on Risk Analysis Requirements under the HIPAA Security Rule Introduction The Office for Civil Rights (OCR) is responsible for issuing annual guidance on the provisions in the HIPAA Security Rule.
More informationBig Data, Big Risk, Big Rewards. Hussein Syed
Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data
More informationHIPAA Security & Compliance
Creative Mind. Creative Heart. Creative Care. 2014 WALA Spring Conference HIPAA Security & Compliance Jeff Grady Thursday, March 27 10:30 am HIPAA Security & Compliance A TIME FOR ACTION Jeff Grady, Senior
More informationIdentifying and Managing Third Party Data Security Risk
Identifying and Managing Third Party Data Security Risk Legal Counsel to the Financial Services Industry Digital Commerce & Payments Series Webinar April 29, 2015 1 Introduction & Overview Today s discussion:
More informationLocking Down the Cloud for Healthcare. Kurt Hagerman Chief Information Security Officer
Locking Down the Cloud for Healthcare Kurt Hagerman Chief Information Security Officer SECURITY TRENDS Healthcare businesses are fighting REAL threats Threats are growing over time by percent of breaches
More informationGovernance and Management of Information Security
Governance and Management of Information Security Øivind Høiem, CISA CRISC Senior Advisor Information Security UNINETT, the Norwegian NREN About Øivind Senior Adviser at the HE sector secretary for information
More informationSecuring Patient Portals
Securing Patient Portals What you need to know to comply with HIPAA Omnibus and Meaningful Use Brian Selfridge, Partner, Meditology Services, LLC Blake Sutherland, VP Enterprise Business, Trend Micro Brian
More informationSecurity Trends and Client Approaches
Security Trends and Client Approaches May 2010 Bob Bocchino, CISA ERM Security and Compliance Business Advisor IBU Technology Sales Support Industries Business Unit, Technology Sales Support 1 Mark Dixon
More informationDefending Against Data Beaches: Internal Controls for Cybersecurity
Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity
More informationInformation Security Management Systems
Information Security Management Systems Øivind Høiem CISA, CRISC, ISO27001 Lead Implementer Senior Advisor Information Security UNINETT, the Norwegian NREN About Øivind Senior Adviser at the HE sector
More informationGRC Stack Research Sponsorship
GRC Stack Research Sponsorship Overview Achieving Governance, Risk Management and Compliance (GRC) goals requires appropriate assessment criteria, relevant control objectives and timely access to necessary
More informationOpen Certification Framework. Vision Statement
Open Certification Framework Vision Statement Jim Reavis and Daniele Catteddu August 2012 BACKGROUND The Cloud Security Alliance has identified gaps within the IT ecosystem that are inhibiting market adoption
More informationGovernance, Risk, and Compliance (GRC) White Paper
Governance, Risk, and Compliance (GRC) White Paper Table of Contents: Purpose page 2 Introduction _ page 3 What is GRC _ page 3 GRC Concepts _ page 4 Integrated Approach and Methodology page 4 Diagram:
More informationCyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown
Cyber Resilience Implementing the Right Strategy Grant Brown specialist, CISSP @TheGrantBrown 1 2 Network + Technology + Customers = $$ 3 Perfect Storm? 1) Increase in Bandwidth (extended reach) 2) Available
More informationIndependent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015
Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015 OIG-16-A-03 November 12, 2015 All publicly available OIG reports (including
More informationVirtualization Impact on Compliance and Audit
2009 Reflex Systems, LLC Virtualization Impact on Compliance and Audit Michael Wronski, CISSP VP Product Management Reflex Systems Agenda Introduction Virtualization? Cloud? Risks and Challenges? Compliance
More informationHow To Evaluate A Cooperative For Safety
NARUC 2013 Cyber Security Risk Assessment & Risk Mitigation Plan Review for the Kentucky Public Service Commission NARUC Grants & Research December 2013 The National Association of Regulatory Utility Commissioners
More informationBusiness Associates and HIPAA
Business Associates and HIPAA What BAs need to know to comply with HIPAA privacy and security rules by Dom Nicastro White paper The lax days of complying with privacy and security laws are over for business
More informationCloud Security Benchmark: Top 10 Cloud Service Providers Appendix A E January 5, 2015
Cloud Security Benchmark: Top 10 Cloud Service Providers Appendix A E January 5, 2015 2015 CloudeAssurance Page 1 Table of Contents Copyright and Disclaimer... 3 Appendix A: Introduction... 4 Appendix
More informationIT audit updates. Current hot topics and key considerations. IT risk assessment leading practices
IT audit updates Current hot topics and key considerations Contents IT risk assessment leading practices IT risks to consider in your audit plan IT SOX considerations and risks COSO 2013 and IT considerations
More informationDepartment of Management Services. Request for Information
Department of Management Services Request for Information Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services September 3, 2015 Submitted By: Carlos Henley
More informationPayment Card Industry Data Security Standard
Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security
More information