HITRUST Assessment Basics Webinar

Watch to learn about the reasons why an organization might get HITRUST certified.


HITRUST Assessment Basics

Trevor Hansen, Security Analyst

“Assess once, report many.” If you’re in the healthcare industry, you’ve no doubt heard about HITRUST, the Health Information Trust Alliance.

As Trevor Hansen explains to attendees, HITRUST was created to help them reach information risk management and compliance objectives. Although it’s a relatively new certification, HITRUST is already widely accepted in the healthcare industry, with 81% of hospitals and health systems and 83% of health plans utilizing HITRUST’s certification standard framework (CSF). Trevor explains the differences between HITRUST and HIPAA, whether HITRUST can replace HIPAA, and the reasons why an organization might get HITRUST certified.

HITRUST is expanding from healthcare to being more applicable to payment card data and personal data protection, and security professionals need to know what it covers and if it may apply to their organizations. 

This webinar was hosted on September 24th, 2020, as part of SecurityMetrics Summit 2020.

Transcript of HITRUST Assessment Basics

Hi. I'm Trevor Hansen. Welcome to my presentation on HITRUST assessment basics.

This is where you get to learn about what HITRUST is and what it means to be assessed against it.

Just a little background about myself.

I have twenty years of experience in IT, and eight years of those were in compliance.

I'm a CCSFP and a QSA.

Those are certifications related to HITRUST and PCI.

I also have an auditing certificate called the CISA.

My roles with SecurityMetrics involve me working on assessments and audits with customers, so I help assess and audit them. I also do consulting with customers to help prepare them for these types of assessments, answering questions and identifying gaps, helping them to know what they have to do to be able to be compliant with these requirements.

You're probably already familiar with SecurityMetrics, but in case you weren't, we offer data security and compliance technology to help our customers avoid possibilities of data breach. If you've watched or read the news in the last ten years, you've probably seen that the need for data security and data compliance is growing immensely. SecurityMetrics helps close those data security and compliance gaps to help prevent breaches.

The agenda for this presentation is, first, we'll give you a quick introduction to HITRUST.

We'll talk about why you should get HITRUST certified and how to get HITRUST certified.

So what is HITRUST?

HITRUST is the Health Information Trust Alliance. It was founded in 2007 to support organizations in all sectors, but especially health organizations.

It helps them reach information risk management and compliance objectives.

And, in fact, according to the HITRUST Alliance, 81% of hospitals and health systems and 83% of health plans utilize the HITRUST CSF, or the certification standard framework.

HITRUST was created to provide an option for the health care sector to address information risk management using a matrix of third party assessments.

The idea is to consolidate efforts and reduce the need for multiple reports. You'll hear this said a lot in HITRUST, and you'll hear it said a lot in this presentation: they like to say assess once and report many. We'll talk a little bit about what that means.

So HITRUST was created to provide an option for the health care sector to address information risk management using a matrix of third party assessments. The idea is to consolidate efforts and reduce the need for multiple reports.

I just said that, but it's important to keep repeating it because that's the whole purpose of HITRUST. The HITRUST approach, along with the HITRUST certification, gives vendors and covered entities a way to demonstrate compliance to HIPAA requirements based on a standardized framework.

But not just HIPAA requirements. There are other ones included as well, like PCI and some of the privacy requirements in various states. The ultimate goal of HITRUST certification is for a business to effectively manage data, information risk, and compliance to multiple standards.

Recently, HITRUST has turned their focus from health care data security to improving all data security.

The standard can be used to implement multiple safeguards to protect other forms of sensitive data such as cardholder data, sensitive or proprietary corporate information, and patient data. They want you to be able to use it to protect data in general or specific sets of data and not just health care data.

So HITRUST includes elements from risk management frameworks like HIPAA, the Payment Card Industry Data Security Standard or PCI DSS, NIST 800-53, the NIST CSF, and ISO 27001.

There are other ones listed here as well, like FISMA, FedRAMP, and GDPR.

HITRUST helps bring all these under one standard so that multiple things can be assessed in the same assessment.

Since HITRUST initially began with a focus on health care information, let's discuss the differences between HIPAA and HITRUST.

While HIPAA is a law created by lawyers and lawmakers, and it's used to mandate the protection of privacy and health information, HITRUST is a framework created by security industry experts. It includes aspects of HIPAA as well as other data security standards and frameworks.

So lawmakers created HIPAA, and they said you must follow this.

But data security experts created HITRUST and said that if you put these together and follow them, you'd be more secure.

The HITRUST CSF gives organizations a way to show evidence of compliance with HIPAA mandated security controls as well as other security controls.

HITRUST takes the requirements of HIPAA and it builds on them and incorporates them into a framework based on security and risk.

According to the HHS, the HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards. Remember that, because that'll come up. So this wording is specifically from the HHS website; it says the HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information in any form.

This means that covered entities must implement reasonable safeguards to limit incidental and avoid prohibited uses and disclosures of PHI, including in connection with the disposal of such information.

HITRUST can help you provide measurable criteria and objectives for applying appropriate administrative, technical, and physical safeguards.

It does not replace HIPAA compliance, and it doesn't prove that you are HIPAA compliant, but it's a widely accepted approach for evaluating risk and evaluating your status against that compliance. So you can't turn in a HITRUST assessment to the government and say I'm HIPAA compliant, but you can do a HITRUST assessment against your organization to help you understand how close to that HIPAA compliance you really are, and it gives you a pretty good benchmark for it. So you might ask, if you're HITRUST certified, does it mean you're HIPAA compliant?

Well, from what we just said, no. HITRUST is widely accepted as a good approach for evaluating risk, but it does not replace HIPAA compliance. It doesn't prove that an entity is HIPAA compliant.

Many of you attending this webinar are familiar with SecurityMetrics through our PCI-related services.

HITRUST also incorporates the standards from PCI DSS. There are other standards involved too. HIPAA and PCI are the two biggest ones that I would say are included in HITRUST.

So does being HITRUST certified guarantee that you're compliant with PCI DSS and that you'll be able to turn that in to your bank? It doesn't. You can't turn it in to your acquiring bank and say, hey, I'm PCI DSS compliant.

But if you get assessed against HITRUST with the PCI DSS option in there, it'll tell you what requirements you need to work on to be prepared for that actual PCI assessment. It's a good way to get a gap assessment for it.

HITRUST is also based on ISO/IEC 27001:2005 as well as ISO/IEC 27002:2005 and the NIST SP 800-53 r2 controls.

Again, gaining HITRUST certification does not necessarily mean that your organization satisfies all aspects of these other security frameworks, but it does tell you that you're well on the way, and it can help you understand how far along the way you are.

So, HITRUST certification basics.

What is the HITRUST CSF certification?

Organizations that create, access, or exchange sensitive information can use the HITRUST common security framework, the CSF, assessment as a roadmap to data security and compliance.

The CSF is a standard that is certifiable by security assessors and was designed as a risk-based approach to organization security.

That's as opposed to a compliance-based approach. So you're not there to check boxes and say, yes, we have this and this and this in place. You're there to evaluate how well we are doing with these things and how well we are meeting these requirements.

Among the CSF's 19 reporting domains, there are 149 control specifications, which can each be assessed to one of three implementation levels. So it's a little more complicated than a pass or fail thing. It's a graded assessment and a graded evaluation where you will be evaluated against different levels of compliance.

So why get HITRUST certified? It helps to show your commitment to seriously follow security and compliance standards, especially for HIPAA compliance.

You might be attending this because you've already had people within your organization or you've had customers asking if you're HITRUST certified.

Many health care organizations require their business associates to become HITRUST certified because, like I said before, you can't be HIPAA certified. You can't prove that you're HIPAA compliant.

But you can get a HITRUST certification, which helps tell your business associates, or helps tell the covered entities that you're a business associate for, that you are taking data security seriously and that you're protecting that data.

As previously mentioned, HITRUST also helps you to save time and money when it comes to those audits, because many of the HITRUST controls overlap a number of regulatory compliance requirements.

The idea is to consolidate efforts and reduce the need for multiple reports. Again, that statement: assess once, report many. If you have customers that are asking for some evidence that you're following good security and they want to know how you meet these different requirements, a HITRUST assessment can put these different requirements all in one place, and you can give them a report that shows where you stand there. It's a really good way for them to do a risk evaluation against your company through a third party.

So you may not be able to submit a HITRUST certification to your acquiring bank and convince them that you're PCI compliant.

But being HITRUST certified, you can know that you're meeting those requirements, and you can understand what gaps you have before you begin going through a PCI assessment or any sort of post-breach HIPAA assessment. Get started with this, and you'll know where you stand before anything happens that really matters.

So, again, we're still on why or who should get HITRUST certified.

HITRUST is becoming a more widely used and adaptive regulatory standard since it incorporates and helps consider many different security and compliance regulations.

HITRUST is intended to be used to protect sensitive data, not just PHI, not just PII, but all sensitive data. If you wanna know how you measure up against these various standards, placed in the context of protecting your sensitive data, HITRUST certification can provide a lot of value.

Recently, HITRUST changed some of the wording in their product to help move away from the dependence on security of privacy information and to focus on protecting all sensitive data.

So how can you get HITRUST certified?

What HITRUST calls the HITRUST approach provides organizations a comprehensive information risk management and compliance program.

So this blend of security and compliance mandates provides an integrated approach that ensures all programs are aligned, maintained, and comprehensively support an organization's information risk management and compliance objectives.

HITRUST certification requires an independent assessment. So to get the HITRUST certification, you need an assessor to come in and evaluate it. The length of the assessment depends on the size and complexity of your organization.

It depends on your scope and the amount of consulting that's involved to get you to that state to be ready. Because if you've done other security assessments in the past, you'll realize that it takes a little bit of work to actually be compliant beyond the point of when you think that you're doing security pretty well. According to HITRUST, the certification process can take up to six weeks after the assessment itself is complete. There's a little bit of time that occurs after the on-site and during all the submittal process.

The first step to preparing for the HITRUST assessment and beginning on that road is you first need to understand your scope.

Part of the scoping activity to define your scope internally should include creating, documenting, and reviewing how data enters your network, specifically how the sensitive data enters your network, all the systems it touches, how it flows through your network, and any point at which it may leave your network.

So, for example, you should create some network diagrams and data flow diagrams so you can understand where this data goes. You wanna know what it touches, how it's handled, what systems can see it.

After you define the scope, you wanna determine which HITRUST assessment you're gonna prepare for. There are different assessments depending on whether you're gonna do a self assessment or a validated certification or something in between.

After you thoroughly scope your environment, you're gonna wanna purchase access to the myCSF portal that's managed by the HITRUST Alliance itself.

You get access to that, and it allows you to use their different tools. They also have a scoping tool within there. First, I would do the things I mentioned on the previous slide where you can actually identify how your data moves through the system. Because once you purchase that access to the myCSF portal, then you can begin the scoping process in there, where it's gonna ask you questions that you already answered with those flow diagrams.

The scoping exercise in the myCSF portal is gonna be used to actually generate an assessment for you. It'll create a specific set of requirements for your environment. So depending on the size of your environment, how many systems there are, how many records and transactions you have, depending on all these things, it'll determine how many requirements you actually have to follow. And, you know, you could have to follow over a thousand requirements, or it could be close to five hundred. It just depends on your scope.

Before you get a HITRUST assessment, it's highly, highly recommended, and it's just under being required, that you've gotta understand that HITRUST has multiple levels of validation.

Most importantly, they differ in whether an assessor validates it or not. So you've gotta understand that there's lots of requirements that you're gonna have to meet, and it's gonna take a lot of effort to be able to be compliant and be certified.

So they have multiple levels of assessments, and one of them specifically, the self assessment product, is designed to help you do basically a gap assessment. It's where you evaluate the requirements and you evaluate your environment against those requirements, and you can identify what gaps you have. This will help you understand where you are, but it helps you understand what things you have to fix as well. So you have these different levels of assessments, the lowest being doing that self assessment. We highly, highly recommend that you start with a self assessment or have a third party come in and do an official gap assessment on it.

This allows you to view all the requirements that are applicable to you and the grading criteria that'll be applied to them, and then you can evaluate your environment against those requirements. And then you won't be going in blind.

When you do a self assessment or when you do a gap assessment, understand that whatever risks you discover, it's gonna require time and resources to address those issues.

For example, some issues take a lot of time to remediate. Some things take a lot of time to fix.

For example, data encryption.

It's an issue that won't go away, but it's very high risk. If you have a whole lot of records, if you have hundreds of thousands of records of data that are stored in clear text, there's a lot of risk. If there's a breach in your environment, they'll be able to get all the data that matters. And so there's a lot of risk involved. And to fix the issue, you're gonna have to sort out an encrypting solution. You're gonna have to sort out how you do your key management, and you're probably gonna have to encrypt all those records, and it changes the way that your data flows. So that can take a while to fix.

Other issues can be really quick to fix. For example, the risk that a virus infects your environment can be solved with solutions like antivirus or file integrity monitoring.

Or another one we see all the time with small shops that can be fixed really easily is they might have their environment open to the Internet, and you can fix it by fortifying your firewall rules. Some of these things can be fixed overnight. Some things take many months.

So just understand that when you begin this gap process, you're gonna need some time to fix those issues. Don't expect to start talking about HITRUST today and get your certification a week from now. You need to plan some time for it.

Now for the process of the assessment itself, the validated HITRUST assessment, which I assume is your ultimate goal: to get this certification.

The process for the assessment itself takes anywhere from four to ten weeks.

The assessed entity uploads evidence to the portal.

So this is where you look at your systems, you collect the data, you collect the evidence, you're gonna upload it to the portal, and you're gonna assign a score or a grade to each required statement.

Then you submit that for the assessor to review. The assessor is gonna review that evidence, and he's either gonna accept your self-assigned score or he's gonna reject it. You don't really get an opportunity to correct the things that he rejects. So if you say that you have this solution fully implemented and the assessor thinks that you only have a policy implemented, but the solution's not, then his score is gonna stick.

So you wanna work on a gap assessment before coming in so that the assessor and you will be more likely on the same page when you finally start this assessment because there isn't a remediation phase inside the HITRUST assessment itself.

There are some other things that are similar to it. We're not gonna go into that kind of detail, but it doesn't allow you to change scores. Once an item is not fully compliant, it's not fully compliant. You can't go back and change it.

Also, keep in mind that due to the sheer number of required statements that apply to most entities, expect it to take some time to work through the assessment. I mentioned a thousand requirements before. You could have well over a thousand requirements that apply to you. So be prepared to answer lots and lots of questions and provide lots and lots of evidence.

Also, another type of assessment you might hear of with HITRUST is called the interim assessment. The HITRUST CSF certification reports are good for two years, but an interim assessment is required at the one year mark. So where the regular assessment is good for two years, you still have to get an interim assessment in between in order to show that you're staying compliant. This usually involves HITRUST selecting a subset of requirements that need to be revalidated. So they notify you which items you're gonna have to upload new evidence for.

So takeaways. Here are the main things that you should get from this presentation.

Remember that HITRUST goals allow you to assess once and report to many. If you have customers who rely on various frameworks and standards of security, a HITRUST assessment can help bring all those standards into a single assessment, and it can allow you to provide assurance to those customers. So make sure to check with those that require assurance from you and understand whether or not they'll accept HITRUST certification to appease their demands.

The second thing is your scope.

Determine your scope. It determines the applicable requirements and really the amount of work involved in preparing for your assessment. So this is critical to the process.

The recommended method of a gap assessment is to do a HITRUST self assessment through the myCSF portal or engage with a third party assessor and have them work through the process with you.

So that's the gap assessment process. Don't just hope you can casually fall into compliance with these standards and pass it on your first assessment.

A gap assessment's gonna help you understand where you really are in the compliance process and help you focus on the important items.

And then finally, remember to take time for remediation.

There will be findings in the gap assessment, whether you do it yourself or have a third party. If you have a third party, you're probably gonna find more gaps, more things that need to be remediated. That's just the nature of the beast. So take time. Plan time to fix these items before you begin your official assessment.

That's all our basics for HITRUST and the assessments. If you have any questions, feel free to email me. My email is trevor dot hansen at securitymetrics dot com, or you can talk to our sales department. They know lots of things about HITRUST and can get you going in the right direction.

Thank you for attending my presentation. I hope you all have a wonderful day.
