Health Industry Implementation of the NIST Cybersecurity Framework


Health Industry Implementation of the NIST Cybersecurity Framework
A Collaborative Presentation by HHS, NIST, HITRUST, Deloitte and Seattle Children's Hospital

Your presenters
- HHS: Steve Curren, Acting Director, Division of Resilience (ASPR/OEM); Dr. Laura Kwinn Wolf, Acting Branch Chief, Critical Infrastructure Protection (ASPR/OEM)
- NIST: Kevin Stine, Leader, Cybersecurity and Privacy Applications Group, Applied Cybersecurity Division
- HITRUST: Dr. Bryan Cline, Vice President, Standards & Analytics
- Deloitte: Raj Mehta, Partner, Cyber Risk Services
- Seattle Children's Hospital: Dr. Cris Ewell, Chief Information Security Officer

What we'll do today
- Provide information on the HPH CISR and various programs in support of industry (HHS)
- Provide an overview and background of the NIST CsF, along with its purpose and potential benefits (NIST)
- Review the cybersecurity implementation approach outlined in the updated health industry implementation guidance on cybersecurity (HITRUST)
- Discuss how the HITRUST CSF integrates the NIST CsF and adds industry context to help healthcare organizations improve the management of cybersecurity risk (Deloitte)
- Discuss how Seattle Children's Hospital and others leverage the HITRUST CSF to implement cybersecurity within their organizations (Seattle Children's)

HHS CRITICAL INFRASTRUCTURE & RESILIENCE (CISR) INITIATIVES

Critical Infrastructure Protection
HHS/ASPR's Critical Infrastructure Protection Program: leveraging resources to enhance the security and resilience of our nation's healthcare and public health critical infrastructure through partnerships with FSLTT (federal, state, local, tribal and territorial) governments and the private sector. http://phe.gov/cip
2015-2019 Sector Goals: Risk Management; Information Sharing; Partnership Coordination; Response and Recovery
Healthcare and Public Health Sector: Direct Healthcare; Pharmaceuticals; Blood; Plans and Payers; Public Health; Medical Materials; Mass Fatality Management; Labs; Health IT
Physical structures and virtual systems; critical foreign dependencies; interdependencies with other sectors (energy, water, power); climate resilience; intelligence sharing

Critical Infrastructure Protection Cybersecurity Working Group
Mission: In alignment with existing policies and the NIST Cybersecurity Framework (CsF), leverage and build upon the work of existing organizations within the HPH Sector to provide a forum for discussion of issues and development of needed resources to enhance cybersecurity among a wide variety of HPH, IT and information security professionals, pharmaceuticals, device manufacturers, and health IT developers.
Goals:
1) Safely and securely incorporating technology into healthcare
2) Improving upon mechanisms of sharing information among government and private sector partners
3) Assessing threats to and vulnerabilities of Sector cyber systems to address risks
4) Coordinating development of a tailored, Sector-wide Implementation Guide for the NIST Cybersecurity Framework

Critical Infrastructure Protection: Enhancing Cybersecurity Information Sharing
- Outreach and Education
- Support for Information Sharing and Analysis Organizations (ISAOs)
- Information Sharing Planning Grant
- Homeland Security Information Network (HSIN)
- Information Coordination for Incident Management

NIST FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY

Cybersecurity Framework (CsF)
As directed by Executive Order 13636 (13 February 2013), NIST convened industry to create the voluntary Framework for Improving Critical Infrastructure Cybersecurity (released 12 February 2014).
Workshops & Stakeholder Engagement: Request for Information, feedback on the draft, and 5 industry workshops in 5 different cities.
The Framework has 3 main components; the components are used to align Mission, Cybersecurity and Technology.
The Framework is used broadly: international translations, federal use, state government guidance, sector guidance, and industry white papers.

Cybersecurity Framework Components

Cybersecurity Framework Components: Core
- What processes and assets need protection?
- What safeguards are available?
- What techniques can identify incidents?
- What techniques can contain impacts of incidents?
- What techniques can restore capabilities?

Cybersecurity Framework Components: Core

Cybersecurity Framework Components: Framework Profile
- Alignment of Functions, Categories, and Subcategories with business requirements, risk tolerance, and resources of the organization
- Enables organizations to establish a roadmap for reducing cybersecurity risk that is well aligned with organizational and sector goals, considers legal/regulatory requirements and industry best practices, and reflects risk management priorities
- Can be used to describe current state or desired target state of cybersecurity activities
To maximize value, do the following things with your security requirements using a Profile: 1) Align, 2) De-conflict, 3) Prioritize
Functions: Identify, Protect, Detect, Respond, Recover

Cybersecurity Framework Components: Framework Implementation Tiers
- Allow for flexibility in implementation and bring in concepts of maturity models
- Reflect how an organization implements the Framework Core functions and manages its risk
- Progressive, ranging from Partial (Tier 1) to Adaptive (Tier 4), with each Tier building on the previous Tier
- Characteristics are defined at the organizational level and can be applied to the Framework Core to determine how a category is implemented
(Graphic: None, Partial, Risk Informed, Repeatable, Adaptive)

Industry Use
The Framework is designed to complement existing business and cybersecurity operations, and has been used to:
- Self-Assessment, Gap Analysis, Budget & Resourcing Decisions
- Standardizing Communication Between Business Units
- Harmonize Security Operations with Audit
- Communicate Requirements with Partners and Suppliers
- Describe Applicability of Products and Services
- Identify Opportunities for New or Revised Standards
- As a Part of Cybersecurity Certifications
The Framework also supports:
- Consistent dialog, both within and amongst countries
- A common platform on which to innovate
- Identifying market opportunities where tools and capabilities may not exist today
http://www.nist.gov/cyberframework/cybersecurity-framework-industry-resources.cfm

Current & Near-Term Framework Activities
- Collect, Reflect, and Connect: understand where industry is having success, help others understand those successes, and facilitate relationships that support use and implementation
- Continue education efforts, including creation of self-help and re-use materials for those who are new to the Framework
- Continue awareness and outreach with an eye toward industry communities who are still working toward basal Framework knowledge and implementation
- Educate on the relationship between the Framework and the larger risk management process, including how organizations can use Tiers
- Obtain feedback on Framework use and opportunities to improve
- Continue Community Dialogs with International Governments, Standards Organizations, Domestic Industry, Regulators, Auditors, Insurance, Legal, and others

Where to Learn More and Stay Current
- NIST website: http://www.nist.gov
- NIST Computer Security Resource Center: http://csrc.nist.gov
- The Framework for Improving Critical Infrastructure Cybersecurity, the Roadmap, and related news and information: http://www.nist.gov/cyberframework
- For additional NIST Cybersecurity Framework info and help, email: cyberframework@nist.gov

HITRUST HEALTHCARE SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDE

Road to Sector-wide Guidance
HITRUST has published multiple guidance documents over the past several years, e.g.:
- Risk Management and Analysis
- Risk vs. Compliance-based Information Protection
- Healthcare's Model Implementation of the NIST CsF
New Healthcare Sector Cybersecurity Framework Implementation Guide:
- Integrated/expanded prior documentation per discussions with HHS
- Draft guide reviewed by HITRUST community in the September and October 2015 timeframe
- Final version published in October 2015 and available now: https://hitrustalliance.net/documents/cybersecurity/hitrust_healthcare_sector_cybersecurity_framework_implementation_Guide.pdf

Joint HPH Sector CsF Implementation Guide
Risk Management Sub-working Group (SG) of the Joint HPH Cybersecurity WG:
- Co-chaired by HITRUST and the ONC Office of the Chief Privacy Officer
- Formed to address Goal 4, the development of Sector-wide guidance
- Joint GCC/SCC guidance to be based on existing documentation and efforts
Healthcare Sector CsF Implementation Guide:
- HITRUST guide under review by the Risk Mgmt. SG
- Use of existing guide will expedite development
- Public comment scheduled in November 2015
- Anticipate submitting final draft to Joint HPH Cybersecurity WG by the end of December 2015
Review sequence: RM SG Review, then Industry Review, then Joint HPH Cybersecurity WG Review

Guidance should:
- Be consistent with other Sector implementation guidance
- Fully address NIST Cybersecurity Framework implementation
- Use an implementation process consistent with the NIST process
- Provide prescriptive guidance for all NIST Cybersecurity Framework Subcategories
- Utilize an organizational maturity model consistent with NIST Tiers
- Address unique HPH-sector requirements
- Provide additional prescription not addressed by the NIST Framework
- Specifically address HIPAA Security Rule requirements
- Integrate other relevant regulatory & best practice requirements, e.g., PCI, NIST
- Support a broad range of HPH Sector entities, including small entities
- Provide additional value-added guidance, e.g., risk analysis

Healthcare Sector Implementation Guide: Introduction to the NIST CsF (NIST CsF guidance and terminology)

Healthcare Sector Implementation Guide: Healthcare's model implementation
- Compliance drivers
- Approach to risk analysis and management
- Relationship to the NIST CsF

Healthcare Sector Implementation Guide: Standard NIST implementation approach, as outlined in the NIST CsF document and other Sector-level implementation guides (Energy; Critical Manufacturing (Draft))

Healthcare Sector Implementation Guide: Modified implementation approach that leverages use of a control framework-based risk analysis
- Target Profile created first
- Then risk (control) assessment
- Gaps identify Current Profile
- Gap analysis used to prioritize gaps and support corrective action planning

Healthcare Sector Implementation Guide: Control-level maturity model that can be used to estimate NIST CsF Implementation Tier level

Cybersecurity Implementation Tiers

Tier 0: Partial
- Description: Organization has not yet implemented a formal, threat-aware risk management process and may implement some portions of the framework on an irregular, case-by-case basis; may not have capability to share cybersecurity information internally and might not have processes in place to participate, coordinate or collaborate with other entities.
- Approximate HITRUST Maturity Levels: Level 1 Partial; Level 2 Partial; Level 3 Partial; Level 4 Non-compliant; Level 5 Non-compliant
- Approximate HITRUST Maturity Rating: 1 to 3-

Tier 1: Risk-Informed
- Description: Organization uses a formal, threat-aware risk management process to develop [target] profile [control requirements]; formal, approved processes and procedures are defined and implemented; adequate training & resources exist for cybersecurity; organization aware of role in ecosystem but has not formalized capabilities to interact/share info externally.
- Approximate HITRUST Maturity Levels: Level 1 Partial; Level 2 Compliant; Level 3 Compliant; Level 4 Non-compliant; Level 5 Non-compliant
- Approximate HITRUST Maturity Rating: 3- to 3+

Tier 2: Repeatable
- Description: Organization regularly updates [target] profile [control requirements] due to changing threats; risk-informed policies, processes and procedures are defined, implemented as intended, and validated; consistent methods are in place to provide updates when a risk change occurs; personnel have adequate skills & knowledge to perform tasks; organization understands dependencies/partners and can consume information from these partners.
- Approximate HITRUST Maturity Levels: Level 1 Compliant; Level 2 Compliant; Level 3 Compliant; Level 4 Partial; Level 5 Partial
- Approximate HITRUST Maturity Rating: 4- to 5-

Tier 3: Adaptive
- Description: Organization proactively updates [target] profile [control requirements] based on predictive indicators; actively adapts to changing/evolving cyber threats; risk-informed decisions are part of organizational culture; manages and actively shares information with partners to ensure accurate, current information is distributed and consumed to improve cybersecurity before an event occurs.
- Approximate HITRUST Maturity Levels: Level 1 Compliant; Level 2 Compliant; Level 3 Compliant; Level 4 Compliant; Level 5 Compliant
- Approximate HITRUST Maturity Rating: 5 to 5+

Healthcare Sector Implementation Guide: Impact ratings to help organizations evaluate relative residual risk

Impact rating by HITRUST CSF control code (control: rating), grouped by control category:
- 00: 0.a: 3
- 01: 01.a: 5, 01.b: 5, 01.c: 5, 01.d: 5, 01.e: 5, 01.f: 5, 01.g: 4, 01.h: 3, 01.i: 4, 01.j: 5, 01.k: 4, 01.l: 4, 01.m: 3, 01.n: 4, 01.o: 3, 01.p: 3, 01.q: 5, 01.r: 4, 01.s: 4, 01.t: 3, 01.u: 3, 01.v: 3, 01.w: 3, 01.x: 5, 01.y: 5
- 02: 02.a: 4, 02.b: 5, 02.c: 5, 02.d: 4, 02.e: 5, 02.f: 5, 02.g: 5, 02.h: 5, 02.i: 5
- 03: 03.a: 3, 03.b: 3, 03.c: 3, 03.d: 3
- 04: 04.a: 3, 04.b: 3
- 05: 05.a: 4, 05.b: 5, 05.c: 3, 05.d: 3, 05.e: 3, 05.f: 4, 05.g: 4, 05.h: 5, 05.i: 4, 05.j: 5, 05.k: 5
- 06: 06.a: 4, 06.b: 4, 06.c: 3, 06.d: 3, 06.e: 5, 06.f: 4, 06.g: 4, 06.h: 4, 06.i: 4, 06.j: 3
- 07: 07.a: 4, 07.b: 3, 07.c: 5, 07.d: 4, 07.e: 5
- 08: 08.a: 5, 08.b: 5, 08.c: 5, 08.d: 4, 08.e: 5, 08.f: 4, 08.g: 4, 08.h: 3, 08.i: 4, 08.j: 4, 08.k: 5, 08.l: 5, 08.m: 5
- 09: 09.a: 5, 09.b: 4, 09.c: 5, 09.d: 4, 09.e: 4, 09.f: 4, 09.g: 4, 09.h: 3, 09.i: 4, 09.j: 4, 09.k: 3, 09.l: 3, 09.m: 4, 09.n: 4, 09.o: 3, 09.p: 5, 09.q: 4, 09.r: 4, 09.s: 5, 09.t: 3, 09.u: 3, 09.v: 4, 09.w: 4, 09.x: 4, 09.y: 4, 09.z: 5, 09.aa: 3, 09.ab: 3, 09.ac: 3, 09.ad: 3, 09.ae: 3, 09.af: 3
- 10: 10.a: 4, 10.b: 4, 10.c: 4, 10.d: 3, 10.e: 4, 10.f: 3, 10.g: 3, 10.h: 4, 10.i: 4, 10.j: 4, 10.k: 4, 10.l: 3, 10.m: 3
- 11: 11.a: 3, 11.b: 4, 11.c: 3, 11.d: 3, 11.e: 3
- 12: 12.a: 3, 12.b: 3, 12.c: 3, 12.d: 3, 12.e: 3

Healthcare Sector Implementation Guide: Meaningful measures for comparison, benchmarking amongst entities and the sharing of meaningful assurances

Healthcare Sector Implementation Guide: Mapping of HITRUST CSF controls to NIST CsF subcategories

Healthcare Sector Implementation Guide: Mapping of the healthcare CsF implementation process to the control framework-based DHS risk analysis process

Cyber Implementation Process step, with the corresponding Modified DHS Risk Analysis Process activities:
1. Prioritize & Scope
   - Conduct a complete inventory of where ePHI lives
   - Perform a BIA on all systems with ePHI (criticality)
   - Categorize & evaluate these systems based on sensitivity & criticality
2. Orient
   - Conduct a complete inventory of where ePHI lives
3. Create a Target Profile; 4. Conduct a Risk Assessment; 5. Create a Current Profile; 6. Perform Gap Analysis
   - Select an appropriate framework baseline set of controls
   - Apply an overlay based on a targeted assessment of threats unique to the organization
   - Evaluate residual risk (risk assessment)
   - Rank risks and determine risk treatments
   - Make contextual adjustments to likelihood & impact, if needed, as part of the corrective action planning process
7. Implement Action Plan
   - Implement corrective actions and monitor the threat environment

Healthcare Sector Implementation Guide: Cyber Threat Maturity Model

Healthcare Sector Implementation Guide: Support for meaningful consumption of threat intelligence

Healthcare CsF Scorecard / Cyber Certification
- CsF to CSF mappings complete and available from the NIST CsF Industry Resources website: http://www.nist.gov/cyberframework/cybersecurity-framework-industry-resources.cfm
- Healthcare Sector CsF Scorecard available with the HITRUST CSF v8 release in early 2016: scores NIST CsF subcategories; scores generated granularly at the HITRUST CSF implementation requirement level
- Cyber preparedness certification under development, based on pre-NIST CsF cybersecurity control analysis: https://hitrustalliance.net/content/uploads/2014/06/hitrust CSFCybersecurityTable.pdf

Deloitte: IMPLEMENTING THE NIST CSF THROUGH THE HITRUST RISK MGMT FRAMEWORK

What is the Role of Frameworks?
- Helps to translate program direction or leverage to guide actions
- Provides a model for evaluation of an organization's maturity or readiness
- Provides confidence on program and actions taken
- Helps identify opportunities to improve management processes for cybersecurity risk
- Provides a taxonomy to describe an organization's current cybersecurity posture
- Supports risk and/or compliance management
- Aids in communication with management
- Helps benchmark programs

High-level HITRUST and NIST CSF Comparison

Purpose
- HITRUST: A scalable, prescriptive and certifiable framework specifically created in response to multiple compliance requirements, many of which are subject to interpretation
- NIST: Created in response to the President's Executive Order 13636, Improving Critical Infrastructure Cybersecurity (2013). It is a framework based on existing standards, guidelines, and practices for reducing cyber risks to critical infrastructure

Industry
- HITRUST: Healthcare-specific
- NIST: Applies broadly across multiple industries

Objective
- HITRUST: A framework that can be leveraged to communicate, compare and benchmark cybersecurity AND can be used for certification
- NIST: A framework that can be leveraged to communicate, compare, and benchmark cybersecurity

Illustrative Sources
- HITRUST: ISO, HIPAA, NIST, CMS, MARS-E, IRS, PCI, CSA-CCM, state laws
- NIST: COBIT, NIST, ISA, CCS, ISO

High-level HITRUST and NIST CSF Comparison
- HITRUST and NIST CSF can be, and are, complementary frameworks
- While an organization can leverage either framework on its own, there is value in leveraging HITRUST as the Healthcare standard, with the NIST CSF being the mechanism to communicate maturity and comparison between industries
- NIST CSF was primarily created as a way to compare, communicate, and standardize how we think about cybersecurity
- HITRUST was primarily created to make healthcare security and privacy considerations clearer and more prescriptive, as well as to compare, communicate, and standardize how we think about information protection

Illustrative Example
HITRUST:
- Informs cyber risk management practices based on the healthcare industry
NIST CSF:
- Demonstrates coordinated industry action
- Sets industry-level direction consistent with other industries
- Prioritizes focus areas based on the industry's inherent risk
- Shares peer-level insights
- Allows for flexibility to demonstrate risk-based responses to threats that are inherent to both the industry and the organization and residual to only the organization
Example mapping (graphic):
- NIST CSF Function: Identify
- NIST CSF Category: Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
- NIST CSF Subcategory: ID.GV-1: Organizational information security policy is established
- HITRUST CSF Control: (mapped control shown in the slide graphic)

Illustrative Example: Categories based on NIST; backend data based on HITRUST

Framework Implementation Considerations
- Already aligned with HITRUST? If yes, it is mostly a mapping & reporting exercise, and communication
- Have not adopted a framework? Organization alignment; scoping and implementation plan

Seattle Children's Hospital: CASE STUDY LEVERAGING HITRUST

Case Study: Seattle Children's Hospital

Organization vs. Cybersecurity Risk: Key elements of our risk program
- This is a continual process, not a one-time event
- Understand that the risk is an organizational risk, not strictly information security or compliance
- Integrated in our operational and business practices
- Integrated with our enterprise risk management (ERM) process

Understand the framework & regulations: 21 CFR Part 11; PCI DSS; HIPAA; HITECH Act; FISMA

Frameworks and risk help to determine:
- What risks are we willing to accept that support the business and compliance needs?
- What risks do we need to protect against to enable the business?

Identify: Understand your assets
- Intellectual property
- Key services or products
- Applications
- Business partners
- Key people
- Data

Dashboard examples

Keys to success
- Start by understanding both the NIST and HITRUST Frameworks
- HITRUST guide to CsF implementation available now
- Joint private/public guidance should become available in 1Q FY16
- Focus on what's important
- Continuous risk and improvement process
- Maintain a series of checks & balances
- DO SOMETHING: determine the place to start

Q&A

Visit for more information. To view our latest documents, visit the Content Spotlight.