What can HITRUST do for me?

Dr. Bryan Cline, CISO & VP, CSF Development & Implementation, Bryan.Cline@HITRUSTalliance.net
Jason Taule, Chief Security & Privacy Officer, Jason.Taule@FEIsystems.com
Introduction

Purpose:
- Discuss HITRUST support for information protection in the healthcare industry and its utility for CMS and CMS contractor organizations

Learning Objectives. Attendees will:
- Understand regulatory and business drivers for an industry-wide information protection and assurance framework
- Understand resultant issues and outstanding pain points for healthcare entities, including CMS contractor organizations
- Understand the role of HITRUST in promoting the adoption of sound risk management practices by healthcare organizations
  - HITRUST RMF (CSF, CSF Assurance Program, tools such as MyCSF)
  - Other industry support (HITRUST C3, HITRUST Academy, professional certifications)
Outline
- Introduction
- Background
- Health Information Trust Alliance (HITRUST) Overview
- HITRUST Risk Management Framework (RMF)
  - Common Security Framework (CSF)
  - CSF Assurance
  - Tool Support (HITRUST Central / MyCSF)
- Healthcare Industry Support
  - Cyber Threat Intelligence & Incident Coordination Center (C3)
  - HITRUST Academy
  - Professional Certification
- Summary/Conclusion
- Q&A
Background: Regulatory Drivers

Requires a fundamental and holistic change in the way healthcare manages information security and privacy-related risk.
- HIPAA: established the RA requirement for covered entities
- HITECH: expanded scope to BAs; incentives and penalties; Meaningful Use and data breach notification (harm provision); increased penalties and enforcement
- Omnibus Rule: expanded definition of BA; strengthened harm provision
- Other regulatory drivers: PCI, FTC Red Flag, FDA, etc.
Background: Business Drivers (1)
- Evolving business relationships and increased complexity
  - Increasingly more data shared with business partners
  - Data dispersed through a complicated web of relationships
- Multiple/varied assurance requirements from a variety of parties
- Inordinate level of effort being spent on assurance
  - Negotiation of requirements, data collection, assessment and reporting
Background: Business Drivers (2)

Covered Entities:
- Increasingly more data shared with business partners
- Complex contracting process due to unique security requirements
- Low response rate of questionnaires
- Inaccurate and incomplete responses
- Inadequate due diligence of questionnaires
- Costly and time-intensive data collection, assessment and reporting processes
- Inability to proactively identify and track risk exposures at BAs
- Lack of visibility into downstream risks related to BAs (i.e., BAs' own business partners and sub-contractors)
- Lack of consistent reporting to management on BA risks
Background: Business Drivers (2)

Business Associates:
- Complex contracting process due to unique security requirements
- Broad range of / inconsistent expectations for questionnaires
- Cannot effectively leverage responses between organizations
- Complexity with maintaining a broad range of reporting requirements
- Expensive and time-intensive audits by organizations
- Lack of focus on high-risk issues and actual remediation
- Inability to consistently and effectively report to and communicate with organizations
Pain Points & Value Statements

Common Pain Points:
- Change, Change, Change
- Customer Demands
- Audit Fatigue
- Third Party / Partner Risk Exposure

HITRUST Value Proposition:
- Increased Customer Engagement Ease
- Lower Cost to Partner Assurance
- HIPAA Police Defense
- Tipping Point Insight
- Ecosystem Entrance Criteria
- Threat Intelligence Information Sharing
HITRUST Overview

Health Information Trust Alliance:
- Born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges
- Led by a seasoned management team and governed by a Board of Directors made up of leaders from across the healthcare industry and its supporters
- Driving adoption and widespread confidence in sound risk management practices through education, advocacy and other outreach activities
HITRUST RMF (1)

Multitude of challenges:
- Significant oversight
- Evolving requirements
- Complex business relationships
- Uncertain standard of care: what is reasonable and appropriate? What is adequate protection?

HITRUST Risk Management Framework (RMF):
- Provides the healthcare industry standard of due care and diligence
- Components include:
  - Common Security Framework (CSF)
  - CSF Assurance Program
  - Related methodologies, services and tools
HITRUST RMF (2)

Healthcare-centric RMF:
- Rationalizes healthcare-specific requirements
- Leverages international and U.S. RMFs
- Single industry approach
- Current, prescriptive and relevant
- Free to qualified healthcare organizations

Risk-based vs. compliance-oriented:
- Baselines tailored based on multiple risk factors
- Managed alternate control process
- Consumable by organizations with limited resources

Provides industry standard of due diligence and due care:
- Specifies reasonable and appropriate controls
- Defines adequate protection
HITRUST RMF: CSF

Rationalized framework:
- ISO provides the foundation
- NIST provides additional prescription

Three risk-based control baselines:
- Organizational, system and regulatory factors

Managed tailoring via alternate controls:
- One-time or general use
HITRUST RMF: CSF Assurance (1)

CSF Assurance Program:
- Cost-effective risk assessment
  - High-risk controls (based on breach data analysis) and HIPAA implementation requirements
- Certified assessor organizations provide consistency / repeatability

[Chart: Risk Exposure (Low / Medium / High) plotted against Cost of Assurance, placing CSF Assurance (Self), CSF Assurance (3rd Party), and compliance with HIPAA, ISO, PCI and NIST along the two axes.]

The CSF Assurance Program balances the cost of assurance with the risk exposure. The program is designed to cost-effectively gather the information about security controls that is required to appropriately understand and mitigate risk.
HITRUST RMF: CSF Assurance (2)

CSF Assurance Program:
- Standardized reporting
- Supports third-party assurance for entities, BAs and regulators
- Maturity / risk scores support internal baselines and external benchmarking
HITRUST RMF: CSF Assurance (3)

Degrees of Assurance:
- Self-assessments conducted by a low-risk BA or other partner
- Third-party assessments provide independent assurance
  - Certified report issued when minimal compliance is demonstrated
  - Validated report results when certification requirements aren't met
HITRUST RMF: CSF Assurance (4)

Significant risks from sharing health data:
- Smaller practices (1 to 100 physicians) accounted for >60% of reported breaches
- As of mid-2012, BAs were implicated in only 21% of breaches but accounted for 58% of the records breached
- Many breaches may be under-reported or remain undiscovered
- Source: HITRUST report, "A Look Back: U.S. Healthcare Data Breach Trends" (http://www.hitrustalliance.net/breachreport/)

Addressing shared risk through the CSF Assurance Program:
- Many healthcare entities accept CSF validated and certified reports
- Six (6) major institutions now require CSF validated or certified reports
- Source: HITRUST news (http://www.hitrustalliance.net/news/index.php?a=129)
HITRUST RMF: Tool Support

HITRUST Central:
- User portal
- HITRUST RMF content
- News / updates
- Blogs / chats

MyCSF:
- GRC-based platform
- CSF controls
- Illustrative procedures
- Assessment scoping
- Workflow management for assessments and remediation
- Documentation repository for test plans, CAPs, and supporting documentation
- Dashboards and reporting
- Automated submission of assessments for HITRUST validation and certification
HITRUST Industry Support: C3

Cyber Threat Information and Incident Response Coordination Center (C3):
- Created to protect the U.S. healthcare industry from cyber attacks
- Relies upon a community defense approach
  - Enables the industry's preparedness and response to cyber threats
  - Facilitates knowledge sharing and enhanced preparedness
  - Early identification, coordinated response and incident tracking
- Works with the U.S. Department of Health and Human Services
  - Shares incident-related information and participates in the Critical Infrastructure Information Sharing and Collaboration Program
- Provides integrated Cyber Threat Analysis Service (C-TAS)
  - General and sector-specific cyber intelligence
  - Real-time collaborative platform for healthcare cyber defense
  - http://www.hitrustalliance.net/c_tas_datasheet.pdf
HITRUST Industry Support: Academy

Educate healthcare professionals on the concepts and principles of information protection and the utilization of the HITRUST CSF to manage risk (http://www.hitrustalliance.net/programs/certification/).

Practical Applications for Health Information Protection:
- Overview of healthcare, including analysis of industry trends
  - Regulatory landscape for healthcare organizations
  - Market dynamics and challenges facing healthcare
- Introduction to HITRUST and the CSF
  - Discussion of risk management and the CSF
  - Review of the CSF Assurance Program

Practical Applications for the CSF & CSF Assurance Program:
- Introduction to the tools and methodology for utilizing the CSF
  - Thorough review of the CSF structure and detailed explanation of MyCSF
  - Includes discussion of components with case studies illustrating each component
- Overview of the CSF Assurance Program
  - Program review, including specific requirements for CSF Certification
  - Review of CSF Validated and Certified Reports and their value to relying organizations
HITRUST Industry Support: Certification

HITRUST Certified CSF Practitioner (CCSFP):
- Certifies assessor personnel to conduct independent, third-party HITRUST CSF assessments for validation/certification
- Requires successful completion of both HITRUST Academy courses with a minimal passing score

(ISC)2 Healthcare Information Security & Privacy Professional (HCISPP):
- Certifies minimum requirements for entry-level information protection professionals in the healthcare industry
- HITRUST began work on the initiative with (ISC)2 in Jan 2012
- (ISC)2 Board approved development in Sep 2012
- Anticipated delivery to market in late Fall / early Winter 2013
- HITRUST will provide training and education materials
Summary / Conclusion

Healthcare security & privacy:
- Constant change in the threat and regulatory landscape
- Complex business and clinical relationships increase risk
- Lack of funding and skilled resources for custom programs

"Organizations can use targeted risk assessments, in which the scope is narrowly defined, to produce answers to specific questions or to inform specific decisions[,] have maximum flexibility on how risk assessments are conducted, [and] are encouraged to use [NIST] guidance in a manner that most effectively and cost-effectively provides the information necessary to senior leaders/executives to facilitate informed decisions."

HITRUST Risk Management Framework:
- CSF provides a harmonized set of tailorable safeguards
- CSF Assurance provides:
  - Standardized, cost-effective assessment
  - Risk-based vs. compliance "check-the-box" approach
- Tools support the healthcare information protection community:
  - HITRUST Central supports information sharing
  - MyCSF supports automated risk assessment and management
Questions?

Dr. Bryan Cline, CISSP-ISSEP, CISM, CISA, CCSFP, ASEP, CAP-II, MCIATT, NSA-IAM/IEM
(469) 269-1118 | Bryan.Cline@HITRUSTalliance.net

Jason Taule, CMC, CPCM, C|CISO, CISM, CGEIT, CRISC, CHSIII, CDPS, NSA-IAM
(443) 393-2686 | Jason.Taule@FIEsystems.com

"The CSF, CSF Assurance Program and related methodologies and tools that make up the HITRUST RMF are needed more now than ever before." - Dan Nutkis, CEO, HITRUST