Managing Business Risk with HITRUST: Leveraging Healthcare's Risk Management Framework




Slide 2: Introduction
This presentation addresses how an organization can implement the HITRUST Risk Management Framework (RMF) for healthcare, a more efficient, effective and consistent approach to managing risk in a healthcare environment. It is intended to:
- Describe the HITRUST RMF and its principal components:
  - Common Security Framework (CSF)
  - CSF Assurance Program
  - Methods and tools
- Explain how the HITRUST RMF can be leveraged in an entity's risk management program:
  - Selecting framework components to meet specific needs
  - Implementing the framework in a risk management program

Slide 3: HITRUST RMF Background (1)
- Multitude of challenges:
  - Significant oversight
  - Evolving requirements
  - Complex clinical and business relationships
  - Uncertain standard of care: reasonable and appropriate? Adequate protection?
- The HITRUST Risk Management Framework (RMF) provides the healthcare industry standard of due care and diligence
- Components include:
  - Common Security Framework (CSF)
  - CSF Assurance Program
  - Related methodologies, services and tools

Slide 4: HITRUST RMF Background (2)
- Healthcare-centric RMF:
  - Rationalizes healthcare-specific requirements
  - Leverages international and U.S. RMFs (ISO/IEC 27000-series; NIST SP 800-series)
  - Single industry approach
- Current, prescriptive and relevant
- Risk-based vs. compliance-oriented:
  - Baselines tailored based on multiple risk factors
  - Managed alternate control process
- Consumable by organizations with limited resources
- Free to qualified healthcare organizations
- Provides industry standard of due diligence and due care:
  - Specifies reasonable and appropriate controls
  - Defines adequate protection
- Now used by the State of Texas to support formal certification of a covered entity's compliance with state and federal privacy and security requirements, including HIPAA

Slide 5: HITRUST RMF CSF (1)
The Common Security Framework (CSF) is:
- Specific to the healthcare industry
- Built by the healthcare industry
- Maintained by the healthcare industry
- Better for the healthcare industry

Requirement                                              | CSF  | COBIT | PCI  | ISO     | NIST | HIPAA
Comprehensive general security                           | Yes  | Yes   | Yes  | Yes     | Yes  | Partial
Comprehensive regulatory, statutory and business req'ts  | Yes  | No    | No   | No      | No   | No
Prescriptive                                             | Yes  | No    | Yes  | Partial | Yes  | No
Practical and scalable                                   | Yes  | Yes   | No   | No      | No   | Yes
Audit or assessment guidelines                           | Yes  | Yes   | Yes  | Yes     | Yes  | No
Certifiable                                              | Yes  | Yes   | Yes  | Yes     | No*  | No
Support for third-party assurance                        | Yes  | Yes   | Yes  | Yes     | No   | No
Open and transparent update process                      | Yes  | No    | Yes  | Yes     | Yes  | Yes
Cost                                                     | Free | Free  | Free | Subsc.  | Free | Free
* Not certifiable at the organizational level; system-level only

Slide 6: HITRUST RMF CSF (2)
- Integrated, rationalized framework:
  - ISO provides the foundation
  - NIST provides additional prescription
- Authoritative sources include:
  - 16 CFR Part 681 (Identity Theft Red Flags)
  - 201 CMR 17.00 (State of Massachusetts Data Protection Act)
  - Cloud Security Alliance (CSA) Cloud Controls Matrix v1
  - CMS Information Security ARS 2010 v1
  - COBIT 4.1 and 5
  - Encryption & Destruction Guidance (Federal Register 45 CFR Parts 160 & 164)
  - Federal Register 21 CFR Part 11
  - HIPAA (Federal Register 45 CFR Part 164, Sections 308, 310, 312, 314, 316)
  - ISO/IEC 27002:2005
  - ISO/IEC 27799:2008
  - HITECH Act (Federal Register 45 CFR Parts 160 and 164)
  - Joint Commission
  - NIST Special Publication 800-53 r4
  - NIST Special Publication 800-66
  - NRS Chapter 603A (State of Nevada)
  - PCI Data Standard v2
  - Texas Health and Safety Code 181 and Texas Administrative Code 390 (State of Texas)
- Enhanced annually with updates to existing sources, with additional sources added as appropriate

Slide 7: HITRUST RMF CSF (3)
- The CSF contains 135 controls organized into 13 domains:
  - Information Security Management Program
  - Access Control
  - Human Resources Security
  - Risk Management
  - Security Policy
  - Organization of Information Security
  - Compliance
  - Asset Management
  - Physical and Environmental Security
  - Communications and Operations Management
  - Information Systems Acquisition, Development and Maintenance
  - Information Security Incident Management
  - Business Continuity Management
- Controls are grouped into 3 levels based on 3 types of risk factors

Slide 8: HITRUST RMF CSF (4)
Risk factors used to determine implementation level:
- Organizational:
  - Volume of business (e.g., patient visits)
  - Geographic scope (e.g., multi-state)
- Regulatory:
  - PCI compliance
  - FISMA compliance
  - FTC Red Flags Rules
  - HITECH breach notification requirements
  - Massachusetts Data Protection Act
  - Nevada Security of Personal Information
  - Joint Commission accreditation
  - CMS Minimum Security Requirements (HIGH)
- System:
  - Stores, processes or transmits PHI
  - Accessible from the Internet
  - Access by a third party
  - Exchanges data with a third party or business associate
  - Publicly accessible
  - Mobile devices are used
  - Connects with an HIE
  - Number of interfaces to other (external) systems
  - Number of users
  - Number of transactions/day

Slide 9: HITRUST RMF CSF (5)
- Each implementation level is cross-referenced with all applicable authoritative sources

Slide 10: HITRUST RMF CSF Assurance (1)
- Significant risks from sharing health data:
  - Organizations face multiple and varied assurance requirements from a variety of parties
  - Increasing pressure and penalties associated with enforcement efforts, e.g., HIPAA/HITECH and TX standards
  - Inordinate level of effort on negotiation of requirements, data collection, assessment and reporting
- Risk increasingly addressed through the CSF Assurance Program:
  - Many healthcare entities accept CSF Validated and Certified reports for evaluating third-party information protection
  - Six (6) major institutions are now transitioning to require CSF Validated or Certified reports (HITRUST news: http://www.hitrustalliance.net/news/index.php?a=129)

Slide 11: HITRUST RMF CSF Assurance (2)
CSF Assurance Program:
- Provides a common set of information security requirements, assessment tools and reporting processes
- Reduces the number and cost of business partner security assessments
- HITRUST governance and quality control enable trust between third parties

Slide 12: HITRUST RMF CSF Assurance (3)
- Cost-effective risk assessment
- Focuses on 63 high-risk controls (based on historical breach data analysis and HIPAA implementation requirements)
- NIST guidance: "Organizations can use targeted risk assessments, in which the scope is narrowly defined, to produce answers to specific questions or to inform specific decisions[,] have maximum flexibility on how risk assessments are conducted, [and] are encouraged to use guidance in a manner that most effectively and cost-effectively provides the information necessary to senior leaders/executives to facilitate informed decisions."

Slide 13: HITRUST RMF CSF Assurance (4)
Examples of requirement statements in the baseline assessment questionnaire:
- The organization has a formal information protection program based on an accepted industry framework that is reviewed and updated as needed
- The security policies are regularly reviewed, updated and communicated throughout the organization
- Firewalls are configured to deny or control any traffic from a wireless environment into the covered data environment
- The access authorization process addresses requests for access, changes to access, removal of access, and emergency access
- The organization maintains and updates a formal, comprehensive program to manage the risk associated with the use of information assets
- The organization has formally appointed a data protection officer responsible for the privacy of covered information

Slide 14: HITRUST RMF CSF Assurance (5): Defined Assessment Methodology
HITRUST leverages the concepts and rating scheme of the NISTIR 7358 standard, Program Review for Information Security Management Assistance (PRISMA), to rate an organization's security management program.

Level          | Description
1. Policy      | Current, documented information security policies or standards in the organization's information security program fully address the control's implementation specifications.
2. Procedures  | Documented procedures or processes developed from the policies or standards reasonably apply to the organizational units and systems within scope of the assessment.
3. Implemented | Implementation specifications are applied to all the organizational units and systems within scope of the assessment.
4. Measured    | Testing or measurement (metrics) of the specification's implementation is conducted to determine if they continue to remain effective.
5. Managed     | Control implementations are actively managed based on testing or measurement (metrics).

Slide 15: HITRUST RMF CSF Assurance (6): Defined Assessment Methodology
The HITRUST control maturity model also incorporates the following 5-point compliance scale, which is used to rate each level in the model:

Score                    | Description
Non-Compliant (NC)       | Very few if any of the elements in the requirement statement exist for the maturity level evaluated (policy, procedure, implemented, measured or managed). Rough numeric equivalent of 0% (point estimate) or 0% to 12% (interval estimate).
Somewhat Compliant (SC)  | Some of the elements in the requirement statement exist for the maturity level evaluated. Rough numeric equivalent of 25% (point estimate) or 13% to 37% (interval estimate).
Partially Compliant (PC) | About half of the elements in the requirement statement exist for the maturity level evaluated. Rough numeric equivalent of 50% (point estimate) or 38% to 62% (interval estimate).
Mostly Compliant (MC)    | Many but not all of the elements in the requirement statement exist for the maturity level evaluated. Rough numeric equivalent of 75% (point estimate) or 63% to 87% (interval estimate).
Fully Compliant (FC)     | Most if not all of the elements in the requirement statement exist for the maturity level evaluated. Rough numeric equivalent of 100% (point estimate) or 88% to 100% (interval estimate).

Slide 16: HITRUST RMF CSF Assurance (7)
Controls are grouped into key areas to improve efficiency and support focused assessment by subject matter experts:
- Information Protection Program
- Endpoint Protection
- Portable Media Security
- Mobile Device Security
- Wireless Protection
- Configuration Management
- Vulnerability Management
- Network Protection
- Transmission Protection
- Password Management
- Access Control
- Audit Logging & Monitoring
- Education, Training & Awareness
- Third Party Security
- Incident Management
- Business Continuity & Disaster Recovery
- Risk Management
- Physical & Environmental Security
- Data Protection & Privacy

Slide 17: HITRUST RMF CSF Assurance (8): Defined Assessment Methodology
Example requirement statement, 01.a Access Control Policy: "Access control rules and rights for each user or group of users for each application are clearly defined in standard user access profiles (e.g., roles) based on need-to-know, need-to-share, least privilege and other relevant requirements."

Level          | Illustrative Procedures
1. Policy      | Obtain and examine the access control policy to determine if requirements for establishing access control rules and rights for each user or a group of users are defined.
2. Procedures  | Obtain and examine access control procedure documentation to determine if a process is defined for defining and assigning access control rules and rights to each user or group of users.
3. Implemented | Interview the individual(s) responsible for access management to determine if a process has been implemented for defining and assigning access control rules and rights to each user or group of users in accordance with the documented procedures. For a sample of users and systems, determine if access profiles are enforced for each user or group of users in accordance with the user's and/or group's roles and responsibilities.
4. Measured    | Interview key personnel to determine if reviews, tests or audits are completed by the organization to verify users and groups of users are assigned appropriate user access roles.
5. Managed     | Obtain and examine supporting documentation maintained as evidence of these reviews, tests or audits to determine if issues identified were investigated and corrected.

Slide 18: HITRUST RMF CSF Assurance (9): Defined Assessment Methodology
- The PRISMA-based control maturity model supports repeatable likelihood estimates
- For any CSF requirement statement, the response is a 5 x 5 matrix (one X per row; the example's X marks did not survive transcription):

Level (Points)   | NC | SC | PC | MC | FC
Policy (25)      |    |    |    |    |
Procedures (25)  |    |    |    |    |
Implemented (25) |    |    |    |    |
Measured (15)    |    |    |    |    |
Managed (10)     |    |    |    |    |

Level      | NC                 | SC                      | PC                       | MC                     | FC
Definition | Non-Compliant (0%) | Somewhat Compliant (25%) | Partially Compliant (50%) | Mostly Compliant (75%) | Fully Compliant (100%)

- The example in the table yields a maturity score of 66, or a maturity rating of 3

Maturity Level      | 1-   | 1    | 1+   | 2-   | 2    | 2+   | 3-   | 3    | 3+   | 4-   | 4    | 4+   | 5-   | 5    | 5+
Cutoff PRISMA Score | < 10 | < 19 | < 27 | < 36 | < 45 | < 53 | < 62 | < 71 | < 79 | < 83 | < 87 | < 90 | < 94 | < 98 | < 100

- The model supports reporting of scores across controls, objectives, domains, etc.

Slide 19: HITRUST RMF CSF Assurance (10): Defined Assessment Methodology
- The rating obtained by assessing against the PRISMA-based model is an indicator of an organization's ability to protect information in a sustainable manner

Slide 20: HITRUST RMF CSF Assurance (11): Defined Assessment Methodology
- Addition of non-contextual impact ratings supports risk calculations (included in the Risk Analysis Guide for HITRUST Organizations & Assessors):
  - Derived from work performed by the Defense Department
  - Risk ratings support the HIPAA risk analysis requirement and remediation (corrective action) planning
  - Rollup of risk ratings can be performed similarly to the maturity scores
  - High impact yields a risk of .272, a score of 73 and a grade of C for the prior example
  - See the Risk Analysis Guide for HITRUST Organizations & Assessors for details: https://www.hitrustcentral.net/news_repository/blog/risk_analysis_guide_now_available
- Addition of non-contextual impact ratings provides initial risk estimates for analysis
- Maturity and risk calculations support internal baselines and external benchmarking

Slide 21: HITRUST RMF CSF Assurance (12): CSF Certified Assessor Organizations
- Must meet specific requirements for their assessment methods and tools, including experience and qualifications of personnel:
  - Ensure assessment results are consistent and repeatable regardless of the assessor selected by an organization
  - Provide high levels of assurance when exchanging risk information with regulators and business partners
  - Refer to http://hitrustalliance.net/csf_assessor_requirements.pdf for more information on program requirements
- Include a broad cross-section of organizations focused on various types and sizes of healthcare entities:
  - CSF Assessors include such organizations as AT&T Consulting; CoalFire Systems, Inc.; Epstein Becker & Green, PC; Ernst & Young LLP; PricewaterhouseCoopers LLP; and UHY Advisors
  - Refer to http://hitrustalliance.net/assessors/ for a complete list

Slide 22: HITRUST RMF CSF Assurance (13): Degrees of Assurance
- Self-assessments are conducted by a low-risk BA or other partner
- Third-party assessments provide independent assurances:
  - A Certified report is issued when minimal compliance is demonstrated
  - A Validated report results when certification requirements aren't met
- The "assess once, report many" model allows for standardization and efficiency across the industry

Slide 23: HITRUST RMF CSF Assurance (14): CSF Validated Self Assessment
- The assessed entity completes a baseline assessment questionnaire within the MyCSF tool
- Focuses on the 63 controls required for certification
- May be expanded to include additional controls to demonstrate compliance with specific requirements or standards (e.g., Texas Covered Entity Privacy and Security Certification) or to provide greater assurances to internal and external stakeholders:
  - Baseline: consolidated requirements for the 63 high-risk controls
  - Comprehensive: consolidated requirements for all 135 controls
- HITRUST performs very limited validation of the results and issues a CSF Validated Self Assessment report

Slide 24: HITRUST RMF CSF Assurance (15)
CSF Validated Third Party Assessment:
- The assessed entity completes the baseline questionnaire within the MyCSF tool
- May be expanded as needed (e.g., comprehensive or detailed assessment)
- Additional on-site testing is performed by a third-party CSF Assessor: interviews, documentation reviews, walkthroughs, technical testing
- The questionnaire and supporting documentation are sent to HITRUST for review
- HITRUST performs an increased level of quality review of assessment results
- HITRUST issues a CSF Validated report

CSF Certified Third Party Assessment:
- The organization meets all CSF certification requirements:
  - All 63 controls meet minimum implementation requirements
  - Corrective action plans exist for controls that are not fully implemented
  - Risk is formally accepted for low-risk control requirements
- May be expanded as needed (e.g., comprehensive assessment)

Slide 25: HITRUST RMF Methods & Tools (1)
- Methods and guidance documents provide significant support to the HITRUST community
- For example, the Risk Analysis Guide for HITRUST Organizations and Assessors provides guidance and a process for conducting a risk assessment of alternate (compensating) controls, including a rubric for assessing the validity/rigor of the risk analysis:
  - Are threats appropriately identified and described?
  - Is the alternate control adequately specified?
  - Is the risk analysis adequate (reasonable, correct/accurate)?
  - Are compensating controls specified if an equivalent type and amount of risk is not addressed?
  - Are additional risk issues ("unintended consequences") identified and described?
  - Are compensating controls adequately specified for any additional risk issues ("unintended consequences")?
  - Are all risks addressed satisfactorily (i.e., is there a rough equivalency)?
  - Are any unmitigated risks formally identified and accepted by management?

Slide 26: HITRUST RMF Methods & Tools (2): HITRUST Central
- User portal:
  - HITRUST RMF content
  - News / updates
  - Blogs / chats
- TX Certification support:
  - Provide specific guidance
  - Address user questions

Slide 27: HITRUST RMF Methods & Tools (3): MyCSF
- Fully managed and supported tool incorporating the CSF and CSF Assurance
- Leverages illustrative procedures for assessing controls
- Workflow management for assessments and remediation
- Documentation repository for test plans, CAPs, and supporting documentation
- Dashboards and reporting; benchmarking data
- Automated submission of assessments for validation and certification

Slide 28: Leveraging the RMF
- Like ISO and NIST, the HITRUST RMF consists of multiple components, including standards, methods and tools
- Many components can be mixed and matched depending on an organization's needs:
  - The CSF provides the industry standard for due diligence and due care
  - CSF Assurance provides consistent and repeatable sharing of risk information with business partners, customers and regulators
  - CSF tools like HITRUST Central and MyCSF provide assessment and implementation support

Slide 29: Leveraging the RMF: Selecting Components (1)
The CSF provides the industry standard for due diligence and due care:
- Use as a reference for industry best practices:
  - Use as a baseline for comparison with the internal control framework
  - Use to identify additional requirements or practices to supplement the internal control framework
  - Use to identify control requirements for third-party contracts
- Use as the basis for the internal control framework:
  - Use as the basis for selecting third-party contract requirements
  - Use as the basis for asserting compliance with federal and state requirements

Slide 30: Leveraging the RMF: Selecting Components (2)
CSF Assurance supports sharing of risk information (internal/external):
- Methodology (assessment, scoring):
  - Basis for internal risk assessment of controls, regardless of framework
  - Basis for evaluating impact, likelihood and risk in a consistent, repeatable way:
    - General risk to the organization
    - Specific risks associated with deficiencies and prioritization of corrective action plans
    - Specific risks associated with selection of alternate/compensating controls
    - Risk acceptance
- Self-assessments:
  - Basis for shared assurance
  - Demonstrate good-faith compliance efforts
- Remote assessments:
  - TX certification of small providers with < $15M annual revenue
- Third-party assessments:
  - Basis for a higher level of shared assurance
  - Provide high-assurance demonstration of compliance efforts
  - Obtain formal CSF and/or TX certification

Slide 31: Leveraging the RMF: Selecting Components (3)
CSF tools provide various types and levels of implementation support:
- HITRUST Central:
  - Forum for communication among peers in health information protection
  - Repository for CSF and CSF Assurance-related documentation, e.g., CSF cross-references with authoritative sources or whitepapers on specific topics like risk analysis
- MyCSF:
  - Automated support for managing assessment workflows and generating dashboards
  - Automated support for submission of self-, remote and third-party assessments for HITRUST quality review and the generation of HITRUST assessment reports and TX certification recommendations
- MyCSF Plus:
  - Automated support for prioritizing and managing corrective actions to address control deficiencies identified through self-, remote or third-party assessment
- Additional tools/support:
  - Cyber Threat Intelligence and Incident Coordination Center (C3)
  - Training for HITRUST Certified CSF Practitioner (CCSFP) and (ISC)2 HealthCare Information Security and Privacy Practitioner (HCISPP) candidates
  - HITRUST conferences

Slide 32: Leveraging the RMF: Implementing Components (1)
- General approach for implementing the CSF in an entity's information security and privacy risk management program
- Implement controls through normal budgetary, project and operational work processes
- Integration leverages multiple RMF components

Slide 33: Leveraging the RMF: Implementing Components (2)
Risk management architecture (figure; 2009, 2010 by Bryan S. Cline, Ph.D.)

Slide 34: Leveraging the RMF: Implementing Components (3)
Risk program architecture (figure; 2009-2011 by Bryan S. Cline, Ph.D.)

Slide 35: Leveraging the RMF: Implementing Components (4)
Resource planning (figure; 2009-2011 by Bryan S. Cline, Ph.D.)

Slide 36: Leveraging the RMF: Implementing Components (5)
Resource planning (continued): mapping personnel resources to CSF controls and information security and privacy risk management services (figure; 2009-2011 by Bryan S. Cline, Ph.D.)

Slide 37: Leveraging the RMF: Implementing Components (6)
Improvement planning (figure)

Slide 38: Leveraging the RMF: Implementing Components (7)
Work planning (figure)

Slide 39: Leveraging the RMF: Implementing Components (8): Work prioritization
- Use impact to determine the risk of a control deficiency
- One way of computing risk using HITRUST's PRISMA-based approach is:

  R = L x I = [(100 - MS) / 100] x [(IR - 1) x 25]

  where R = risk, L = likelihood, I = impact, MS = HITRUST CSF control maturity score, and IR = impact rating
- HITRUST provides impact ratings for all 135 controls contained in the CSF, some of which are provided in the table on the right (not reproduced in the transcription)
- Ratings are:
  - Based on an analysis of impact ratings provided by the Department of Defense for controls contained in their RMF
  - Non-contextual, in that they do not consider other variables in the environment such as the status of other controls
  - Meant to provide an indicator of the relative impact among the controls in the CSF, all else being equal
  - May be adjusted based on contextual factors for use by an organization, e.g., internal risk reporting and CAP prioritization
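The scoring and risk arithmetic from slides 18 and 20 and the formula on this slide, carried through end to end as an added worked example (not HITRUST's own code or the MyCSF tool). The 5 x 5 response and the 4.2 impact rating are constructed assumptions chosen to reproduce the deck's numbers (score 66, rating 3, risk .272, score 73); expressing the "score of 73" as (1 - R) x 100 is inferred from those numbers, not stated on the slides.

```python
# Added example (not HITRUST's own code): the arithmetic behind the deck's
# PRISMA-based maturity score, the cutoff-table rating, and the risk formula
# R = L x I = [(100 - MS) / 100] x [(IR - 1) x 25], with impact taken as a
# fraction of 100 so that R lands on a 0-1 scale.

# Points each maturity level contributes to the 100-point PRISMA score.
LEVEL_POINTS = {"Policy": 25, "Procedures": 25, "Implemented": 25,
                "Measured": 15, "Managed": 10}

# Point estimate for each rating on the 5-point compliance scale.
COMPLIANCE = {"NC": 0.0, "SC": 0.25, "PC": 0.5, "MC": 0.75, "FC": 1.0}

# Cutoff table from the deck: a score below a cutoff (and not below the
# previous one) receives that rating.
MATURITY_CUTOFFS = [
    (10, "1-"), (19, "1"), (27, "1+"), (36, "2-"), (45, "2"), (53, "2+"),
    (62, "3-"), (71, "3"), (79, "3+"), (83, "4-"), (87, "4"), (90, "4+"),
    (94, "5-"), (98, "5"), (100, "5+"),
]


def maturity_score(response: dict) -> float:
    """Weighted score for one requirement statement; `response` maps each
    maturity level to its compliance rating (one X per matrix row)."""
    missing = set(LEVEL_POINTS) - set(response)
    if missing:  # refuse incomplete matrices rather than scoring them as NC
        raise ValueError(f"no rating for level(s): {sorted(missing)}")
    return sum(LEVEL_POINTS[lvl] * COMPLIANCE[response[lvl]] for lvl in LEVEL_POINTS)


def maturity_rating(score: float) -> str:
    """Map a 0-100 score to a rating via the cutoff table. The deck's last
    cutoff is '< 100'; exactly 100 is treated as 5+ here (assumption)."""
    if not 0 <= score <= 100:
        raise ValueError("score must be between 0 and 100")
    rounded = round(score)
    for cutoff, rating in MATURITY_CUTOFFS:
        if rounded < cutoff:
            return rating
    return "5+"


def control_risk(ms: float, impact_rating: float) -> float:
    """R = L x I with L = (100 - MS) / 100 and I = ((IR - 1) x 25) / 100.
    `impact_rating` is on a 1-5 scale and may be fractional."""
    if not 1 <= impact_rating <= 5:
        raise ValueError("impact rating must be on the 1-5 scale")
    likelihood = (100 - ms) / 100
    impact = (impact_rating - 1) * 25 / 100
    return likelihood * impact


def risk_score(risk: float) -> int:
    """Risk on the same 0-100 scale as maturity, (1 - R) x 100; inferred
    from the deck's numbers (.272 -> 73), not a formula the deck states."""
    return round((1 - risk) * 100)


# Constructed response: the slide's own X marks did not survive transcription,
# so this one is chosen to reproduce its maturity score of 66 (rating 3).
EXAMPLE_RESPONSE = {"Policy": "FC", "Procedures": "FC", "Implemented": "PC",
                    "Measured": "SC", "Managed": "NC"}
# Constructed impact rating: 4.2 gives impact 0.80, which reproduces the deck's
# "risk of .272, score of 73"; the real High rating value is not on the page.
EXAMPLE_IMPACT_RATING = 4.2


def worked_example() -> tuple:
    """Carries the deck's example through end to end."""
    ms = round(maturity_score(EXAMPLE_RESPONSE))              # 66
    rating = maturity_rating(ms)                              # "3"
    risk = round(control_risk(ms, EXAMPLE_IMPACT_RATING), 3)  # 0.272
    return ms, rating, risk, risk_score(risk)                 # (66, "3", 0.272, 73)


if __name__ == "__main__":
    print(worked_example())
```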

Slide 40: Leveraging the RMF: Implementing Components (9)
- Use priority codes to help prioritize work with similar risk
- HITRUST provides priority codes for all 135 controls contained in the CSF, some of which are provided in the table on the right (not reproduced in the transcription)
- Codes are:
  - Based on an analysis of priorities provided by NIST for the controls contained in their RMF
  - Meant to provide an indicator of implementation dependencies among the controls in the CSF
- The utility of priority codes will depend on the deficiencies evaluated
- Example based on a single deficient requirement for 4 controls for business continuity

Slide 41: Summary / Conclusion
- The state of healthcare security and privacy:
  - Constant change in the threat and regulatory landscape
  - Complex business and clinical relationships increase risk
- HITRUST is the only information protection body that:
  - Is devoted to the healthcare industry and its unique needs, and
  - Has provided standards-based certification since 2008
  - Supports the Texas Covered Entity Privacy and Security Certification
- The HITRUST RMF consists of multiple reinforcing components:
  - CSF: harmonized set of tailorable safeguards
  - CSF Assurance: standardized, cost-effective assessment and reporting
  - Tools: general support for the healthcare information protection community
- Many ways for an entity to leverage RMF components:
  - CSF: from best-practice reference through full adoption of control requirements
  - CSF Assurance: from best-practice reference through CSF and TX certification
  - Tools: information sharing through automated assessment and reporting support

Slide 42: Questions?
- HITRUST RMF, CSF, Assessment & Risk Analysis Methodologies: Dr. Bryan Cline, CISSP-ISSEP, CISM, CISA, ASEP, CCSFP, CISO & VP, CSF Development & Implementation; phone (469) 269-1118; Bryan.Cline@HITRUSTalliance.net
- CSF Assurance Program: Michael Frederick, CISSP, CCSFP, VP, Assurance Services; phone (469) 269-1205; Michael.Frederick@HITRUSTalliance.net

2013 HITRUST, Frisco, TX. All Rights Reserved.