Using the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6



Similar documents
INFORMATION SYSTEMS. Revised: August 2013

ISO 27002:2013 Version Change Summary

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

ISO Controls and Objectives

Acceptance Page 2. Revision History 3. Introduction 14. Control Categories 15. Scope 15. General Requirements 15

Dokument Nr. 521.dw Ausgabe Februar 2013, Rev Seite 1 von d Seite 1 von 11

ISO27001 Controls and Objectives

Information Shield Solution Matrix for CIP Security Standards

INFORMATION TECHNOLOGY SECURITY STANDARDS

I n f o r m a t i o n S e c u r i t y

ISO/IEC 27001:2013 Thema Ă„nderungen der Kontrollen der ISO/IEC 27001:2013 im Vergleich zur Fassung aus 2005 Datum

Security and Privacy Controls for Federal Information Systems and Organizations

security policy Purpose The purpose of this paper is to outline the steps required for developing and maintaining a corporate security policy.

This is a free 15 page sample. Access the full version online.

^H 3RD EDITION ITGOVERNANCE A MANAGER'S GUIOE TO OATA SECURITY ANO DS 7799/IS ALAN CALDER STEVE WATKINS. KOGAN PAGE London and Sterling, VA

Information Security Management. Audit Check List

A Comparison of Oil and Gas Segment Cyber Security Standards

How To Manage Security On A Networked Computer System

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

Information security management systems Specification with guidance for use

Newcastle University Information Security Procedures Version 3

Mapping between the requirements of ISO/IEC 27001:2005 and ISO/IEC 27001:2013

Security Controls What Works. Southside Virginia Community College: Security Awareness

SARBANES OXLEY: ACHIEVING COMPLIANCE BY STARTING WITH ISO 17799

Understanding HITRUST s Approach to Risk vs. Compliance-based Information Protection

HITRUST CSF Assurance Program

INFORMATION SECURITY PROCEDURES

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry

Guidance on Risk Analysis Requirements under the HIPAA Security Rule

Our Commitment to Information Security

Access Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL

HITRUST Common Security Framework

Splunk Enterprise Log Management Role Supporting the ISO Framework EXECUTIVE BRIEF

Altius IT Policy Collection Compliance and Standards Matrix

Central Agency for Information Technology

Information Security Policy version 2.0

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Intel Enhanced Data Security Assessment Form

How to Use the NYeC Privacy and Security Toolkit V 1.1

Frequently Asked Questions about the HITRUST Risk Management Framework

Attachment A. Identification of Risks/Cybersecurity Governance

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

VISP Vendor Information Security Plan: A tool for IT and Institutions to evaluate third party vendor capacity and technology to protect research data

Information Security Policies. Version 6.1

Supplier Security Assessment Questionnaire

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Information security controls. Briefing for clients on Experian information security controls

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

OCIE CYBERSECURITY INITIATIVE

HITRUST CSF Assurance Program

Logging In: Auditing Cybersecurity in an Unsecure World

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Bridging the HIPAA/HITECH Compliance Gap

Public Cloud Service Definition

Compliance, Security and Risk Management Relationship Advice. Andrew Hicks, Director Coalfire

HIPAA Compliance Guide

Technical Report Electronic Signatures and Infrastructures (ESI); Data Preservation Systems Security; Part 2: Guidelines for Assessors

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

Health Industry Implementation of the NIST Cybersecurity Framework

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction Policy Statement Purpose...

Client Update SEC Releases Updated Cybersecurity Examination Guidelines

HITRUST Common Security Framework Summary of Changes

ISSeG Integrated Site Security for Grids

Datto Compliance 101 1

Privacy and Security requirements, OCR HIPAA Audits and the New Audit Protocol

Security Controls in Service Management

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

HIPAA and HITRUST - FAQ

Information Technology Branch Access Control Technical Standard

HIPAA Security Rule Compliance

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

Cybersecurity Audit Why are we still Vulnerable? November 30, 2015

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

Microsoft s Compliance Framework for Online Services

ULH-IM&T-ISP06. Information Governance Board

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

Healthcare Compliance Solutions

CSF Support for HIPAA and NIST Implementation and Compliance

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

Network Security Policy

Bellevue University Cybersecurity Programs & Courses

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

Transcription:

to Assess Cybersecurity Preparedness 1 of 6 Introduction Long before the signing in February 2013 of the White House Executive Order Improving Critical Infrastructure Cybersecurity, HITRUST recognized the increasing risks posed by cyber attacks and growing concerns about the state of cybersecurity within the healthcare industry and established the HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3). The HITRUST C3 provides cyber threat intelligence and incident coordination specific to healthcare organizations and acts as a vehicle for sharing cyber threat information between healthcare organizations and the government. Having access to cyber threat intelligence and sharing information regarding threats, attacks and incidents is extremely important; however, a prerequisite is ensuring organizations have the appropriate safeguards in place. Organizations must have a means by which to review their current level of preparedness, which is contingent upon the identification of an appropriate subset of controls most directly related to detecting and thwarting cyber-related breaches. The HITRUST Cybersecurity Working Group was established to review the HITRUST Common Security Framework (CSF) and ensure the controls fully incorporate best practices consistent with the various risk factors relating to cybersecurity for healthcare organizations. The working group is also responsible for coordinating the submission of HITRUST s recommendations to the National Institute of Standards and Technology (NIST) as part of the Cybersecurity Framework outlined in the Executive Order. Individuals are welcome to submit their recommendations to the HITRUST Cybersecurity Working Group, regarding the relevance of these controls, the associated risk factors, and any other suggestions or guidance you believe is appropriate. However, given the heightened awareness and concerns about cybersecurity, organizations have asked for immediate guidance on how they can perform an assessment to evaluate their state of cybersecurity preparedness. To support such an assessment, HITRUST has identified a specific set of CSF controls that are highly related to cybersecurity. HITRUST will also add a cybersecurity assessment option to MyCSFTM to simplify the data collection and reporting process. HITRUST is committed to ensuring the CSF incorporates relevant standards, regulations and guidance and will update the CSF to address the NIST Cybersecurity Framework and provide a single risk management framework for healthcare. HITRUST will review the working group s recommendations for updates to related CSF controls, but only after factoring in the timing of the release and scope of the NIST Cybersecurity Framework. It is important that organizations incorporate cybersecurity requirements as part of their overall information protection risk management strategy and not an independent set of requirements. Managing Risk HITRUST, on behalf of the healthcare industry, integrated and adapted multiple international, federal, state and industry regulations, standards, and best practices to develop the CSF an industry standard of due diligence and due care that can be tailored to an individual organization based upon its specific business requirements. In addition, the HITRUST CSF Assurance Program provides organizations with a single approach for conducting an assessment and reporting against these multiple requirements. As with any qualitative or quasi-quantitative approach to risk management, a compliance-based control assessment (i.e., gap analysis) provides organizations with a relative indication of excessive risk based on implementation of the entire control framework as well as an indication of the relative risk associated with individual controls or groups of controls within the framework. For example, healthcare providers have used CSF Baseline Assessments to demonstrate compliance with the Health Information Portability and Accountability Act (HIPAA) Security Rule, support attestation for the meaningful use of an electronic health record (EHR) system as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and provide assurances around the protection of covered health information to business partners, associates, regulators and other third parties. The CSF can also be used to prepare for external audits by the Office of Civil Rights (OCR) based on the OCR Audit Protocol. In fact, organizations can use the CSF to demonstrate compliance with virtually any regulatory, industry or best practice security framework if all of the CSF controls are implemented and assessed/monitored. For more information on using the CSF and CSF Assurance Program as a risk management framework, download the white paper.

to Assess Cybersecurity Preparedness 2 of 6 Organizations should note that any security control framework, whether it be the HITRUST CSF, NIST s Special Publication (SP) 800-53, or the International Standards Organization (ISO) 27002 controls, must be implemented fully or as much as it can be legitimately tailored by the organization in order to provide an acceptable reduction in risk. As an example, merely focusing on the OCR Audit Protocol requirements will not ensure an adequate level of protection for covered information as required under HIPAA. Such a focused assessment will only provide an organization a level of assurance around the implementation of the specific requirements addressed. The OCR Audit Protocol does not address all the HIPAA Security Rule implementation specifications, which would be required to support the attestation of meaningful use. However, it s clear that these relatively limited assurances provided by a focused assessment are extremely important, as they address specific risk issues considered to be of high interest to executive leadership, such as with HIPAA compliance, meaningful use or OCR audits, as already mentioned, or for assurances regarding more recent concerns such as cybersecurity. Cybersecurity Preparedness On February 13, 2013, President Obama issued the Executive Order on Improving Critical Infrastructure Cybersecurity and directed the director of NIST to lead the development of a framework to reduce cyber risks to critical infrastructure, of which healthcare is a part. The new Cybersecurity Framework will incorporate existing consensus-based standards such as the CSF to the fullest extent possible in order to address concerns raised by the Government Accountability Office (GAO) in its December 2011 report Critical Infrastructure Protection: Cybersecurity Guidance is Available, but More Can Be Done to Promote Its Use. In its report, the GAO found similarities in cybersecurity guidance and practices across multiple sectors, even though much of this guidance is tailored to business needs or to address unique risks and operations, and recommended promoting existing guidance to assist individual entities within a sector to identify the guidance that is most applicable and effective in improving their security posture. As noted above, HITRUST recognized the implications cyber attacks pose on the healthcare industry, both with regards to safety and privacy, and established the HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3) a year ago. But given the increasing volume, sophistication and risks associated with cyber attacks perpetrated on healthcare organizations and increased awareness by legislators and regulators, HITRUST believes there is real value in providing additional guidance to organizations wanting to review their current level of preparedness. The CSF already incorporates the controls that would address cybersecurity threats and notes that any assessment should be incorporated into an organization s broader risk and regulatory compliance and assessment strategy. But given the heightened sensitivity and increasing threat, organizations may want to perform an assessment that focuses specifically on cybersecurity. As such, HITRUST has identified specific CSF controls that are highly related to cybersecurity or more specifically to the prevention of cyber intrusions by external human threat actors and their identification and response when preventative safeguards fail. Cybersecurity Controls HITRUST considered healthcare industry breach data and external guidance on safeguards related to cybersecurity to determine this initial set of cyber-related controls. The table below separates all 135 CSF controls into three categories based on their assessed relevance to cybersecurity threats: most relevant, relevant and least relevant. (Note, this table was reviewed and updated by cybersecurity workshop participants from the broader healthcare community during HITRUST 2013, held May 20 22, 2013, in Grapevine, TX.)

to Assess Cybersecurity Preparedness 3 of 6 # CSF Controls Most Relevant 1 01.a* Access Control Policy CSF Controls Relevant (Requires Further Analysis) 0.a*- Information Security Management Program 2 01.b* User Registration 02.a* Roles and Responsibilities 3 01.c Privilege Management 4 01.d* User Password Management 5 01.e Review of User Access Rights 04.a* Information Security Policy Document 05.a* Management Commitment to Information Security 05.b* Information Security Coordination CSF Controls Least Relevant 01.g Unattended User Equipment 01.h* Clear Desk and Clear Screen Policy 01.k Equipment Identification in Networks 01.p Secure Log-on Procedures 01.t Session Time-out 6 01.f* Password Use 05.f Contact with Authorities 01.u Limitation of Connection Time 7 8 9 01.i* Policy on the User of Network Services 01.j* User Authentication for External Connections 01.l Remote Diagnostic & Configuration Port Protection 10 01.m* Segregation in Networks 11 01.n* Network Connection Control 05.g Contact with Special Interest Groups 05.i* Identification of Risks Related to External Parties 05.k* Addressing Security in Third Party Agreements 06.f Regulation of Cryptographic Controls 06.j Protection of Information Systems Audit Tools 02.b Screening 02.c Terms and Conditions of Employment 02.d* Management Responsibilities 02.f* Disciplinary Process 02.g Termination or Change Responsibilities 12 01.o* Network Routing Control 07.c* Acceptable Use of Assets 02.h Return of Assets 13 01.q* User Identification and Authentication 14 01.r* Password Management System 07.d Classification Guidelines 07.e Information Labeling and Handling 15 01.s Use of System Utilities 08.j* Equipment Maintenance 16 01.v* Information Access Restriction 08.l* Secure Disposal or Re-use of Equipment 17 01.w* Sensitive System Isolation 09.c* Segregation of Duties 18 01.x* Mobile Computing and Communications 09.d Separation of Dev., Test and Op. Environments 19 01.y* Teleworking 09.i System Acceptance 20 02.e* Information Security Awareness, Education and Training 21 02.i* Removal of Access Rights 09.o* Management of Removable Media 09.w Interconnected Business Information Systems 04.b* Review of the Information Security Policy 05.c Allocation of Information Security Responsibilities 05.d Authorization Process for Info. Assets and Facilities 05.e Confidentiality Agreements 05.h Independent Review of Information Security 05.j Addressing Security When Dealing with Customers 06.a Identification of Applicable Legislation 06.b Intellectual Property Rights 06.c Protection of Organizational Records

to Assess Cybersecurity Preparedness 4 of 6 # CSF Controls Most Relevant 22 03.a* Risk Management Program Development CSF Controls Relevant (Requires Further Analysis) 10.c Control of Internal Processing CSF Controls Least Relevant 06.i Information System Audit Controls 23 03.b* Performing Risk Assessments 10.e Output Data Validation 07.b Ownership of Assets 24 03.c* Risk Mitigation 10.l* Outsourced Software Development 08.a Physical Security Perimeter 25 03.d Risk Evaluation 11.e Collection of Evidence 08.b* Physical Entry Controls 26 27 28 06.d* Data Protection and Privacy of Covered Information 06.e* Prevention of Misuse of Information Assets 06.g* Compliance with Security Policies & Standards 29 06.h Technical Compliance Checking 30 07.a* Inventory of Assets 12.a Including Info. Security in the Business Continuity Mgmt. Process 12.b Business Continuity and Risk Assessment 12.e Testing, Maintaining, Reassessing Business Continuity Plans 08.c Securing Offices, Rooms and Facilities 08.d* Protecting Against External and Environmental Threats 08.e Working in Secure Areas 08.f Public Access, Delivery and Loading Areas 08.g Equipment Siting and Protection 31 09.b** Change Management 08.h Supporting Utilities 32 09.j* Controls against Malicious Code 33 09.k Controls Against Mobile Code 08.i Cabling Security 08.k Security of Equipment Offpremises 34 09.l** Back-up 08.m Removal of Property 35 09.m* Network Controls 09.a Documented Operations Procedures 36 09.n* Security of Network Services 09.e* Service Delivery 37 38 09.q* Information Handling Procedures 09.s* Information Exchange Policies and Procedures 09.f* Monitoring and Review of Third Party Services 09.g* Managing Changes to Third Party Services 39 09.v Electronic Messaging 09.h Capacity Management 40 09.x Electronic Commerce Services 09.p* Disposal of Media 41 09.y On-line Transactions 09.r Security of System Documentation 42 09.aa* Audit Logging 09.t Exchange Agreements

to Assess Cybersecurity Preparedness 5 of 6 # CSF Controls Most Relevant CSF Controls Relevant (Requires Further Analysis) CSF Controls Least Relevant 43 09.ab* Monitoring System Use 09.u Physical Media in Transit 44 09.ac* Protection of Log Information 09.z Publically Available Information 45 09.ad Administrator and Operator Logs 10.d Message Integrity 46 09.ae Fault Logging 10.i Protection of System Test Data 47 09.af* Clock Synchronization 48 10.a Security Requirements Analysis and Specification 10.j Access Control to Program Source Code 12.d Business Continuity Planning Framework 49 10.b* Input Data Validation 50 10.f* Policy on the Use of Cryptographic Controls 51 10.g* Key Management 52 10.h* Control of Operational Software 53 10.k** Change Control Procedures 54 55 10.m* Control of Technical Vulnerabilities 11.a* Reporting Information Security Events 56 11.b Reporting Security Weaknesses 57 11.c* Responsibilities and Procedures 58 59 11.d Learning from Information Security Incidents 12.c* Developing and Implementing Continuity Plans Including Info. Security * Control required for CSF 2014 v6.0 Certification ** Control proposed for Certification in the 2015 CSF v7.0 release) (text also italicized) Bold Text Controls deemed critical to cybersecurity but have not been identified for future inclusion in the controls required for CSF Certification The set of fifty-nine (59) critical cybersecurity controls identified in the first column of the table includes forty-one (41) controls already required for 2014 certification and three (3) controls for consideration in the 2015 CSF v7.0 release. Fifteen (15) of the controls determined to be most relevant to cybersecurity are not currently being considered as a certification requirement

to Assess Cybersecurity Preparedness 6 of 6 It s important to note once again that the assessment of the cybersecurity controls presented here addresses a different question than using our previous example the controls that map to the OCR Audit Protocol. While both have CSF controls in common such as 01.a, 01.b and 01.c, which are related to access control, there are other controls for which they do not. For example cybersecurity-relevant controls not shared with the OCR Audit Protocol include technical vulnerability management controls such as 10.m and change management controls such as 10.h and 10.k. OCR Audit Protocol controls not shared with cybersecurity include physical and environmental controls such as 08.a, 08.b, 08.c, 08.e, 08.g, 08.j, 08.l and 08.m. As long as one understands the question that frames the control selection how to prevent cyber intrusions by external human threat actors and their identification and response when preventative safeguards fail the assurances obtained from an assessment of the selected controls have significant value. HITRUST Cybersecurity Working Group Results from the Working Group were used in HITRUST s proposal to NIST for a recommended healthcare cybersecurity framework and related set of best practices. HITRUST appreciates the Working Group s input regarding the relevance of these controls to cybersecurity and looks forward to future recommendations regarding risk factors, CSF implementation levels (1, 2 or 3), tailoring of requirements based on risk factors, and any other suggestions or guidance you believe is appropriate. Please send any additional comments to workgroup@hitrustalliance.net. More information on the HITRUST Cybersecurity Working Group can be found at http://hitrustalliance.net/cyber-threat-intelligence.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information