HITRUST Framework Update DescribedProvides Guide to Security Compliance
In an interview (transcript below), Hourihan:
- Outlines how organizations are using the free framework to help with efforts to comply with HIPAA, the HITECH Act and other regulations.
- Describes how the framework serves as an encyclopedia of security controls for healthcare organizations and offers guidance on how to implement them;
- Provides details on the latest framework updates, including the incorporation of the Centers for Medicare & Medicaid Services' new Information Security Information Acceptable Risk Safeguards for its contractors.
At HITRUST, Hourihan leads the ongoing development of the Common Security Framework. Before joining HITRUST, he worked at Pricewaterhouse Cooper's security advisory practice, focusing on healthcare. In an earlier interview, Hourihan offered a health information breach prevention checklist. And in a new webinar from HealthcareInfoSecurity.com, Hourihan provides detailed advice on risk assessment techniques.
HOWARD ANDERSON: HITRUST recently released an updated version of its common security framework. Tell us about the framework and how it works, and then tell us some details about the nature of the updates.
CHRIS HOURIHAN: I liken the CSF to an encyclopedia of security controls for healthcare organizations. So any type of control that an organization should be implementing is documented in the CSF. What makes the CSF special is that we also document how to go about implementing a control, what the requirements are, making sure the control is implemented and operating properly. Another unique aspect to the framework is that we define various levels for a particular control based on organizations' risk profiles. Not all organizations are equal when it comes to controls and risks. While one organization should do one thing with respect to a control, another organization may or may not have to do the same thing. ...
The framework defines levels of risk for each control, and we define specific risk factors that an organization can use to identify what level of control they need to implement. The CSF was founded on the ISO series of security standards, 27000-1 and 27000-2. And then what we did throughout 2008 was, with the support and help from our members, we integrated different standards, regulations and compliance requirements into that base of a framework and we ended up with the CSF.
So what you have is, for any given control and any set of requirements or level of control, a mapping back to the various compliance requirements that organizations may be subject to in the healthcare industry. You may see an access control that is mapped to your HIPAA requirements, your ISO requirements, your PCI requirements, etc. That provides organizations with a really easy-to-use and simple-to-understand means of figuring out where their gaps with respect to compliance are and where they already are ... meeting their compliance requirements.
Since we released the framework in 2009, we've been committed to maintaining the framework and updating it based on new regulations that come out and different standards that have changed since we first did the analysis. ... We've made some minor updates for state requirements that we hadn't had a chance to get in the initial development or that had only recently come out. Notably, the state of Massachusetts had a pretty rigid security standard that we wanted to integrate to the CSF, which we did in 2010.
Then for the 2011 version of the framework, we implemented the CMS (Centers for Medicare & Medicaid Services) Information Security Acceptable Risk Safeguards, which are a very extensive set of requirements, or a control framework, for organizations that are CMS contractors. A lot of the insurers in the healthcare industry and some of their business partners are all subject to these requirements, so we wanted to integrate those requirements into the CSF similar to the way we do with other regulations. This allows organizations to better manage their compliance activities with respect to information security so that they can take a more unified approach, understanding that if I implement this CMS control I'm also addressing my HIPAA requirement or PCI requirement. ...
We've made some other minor changes to some of the controls based on feedback that we had received from our membership as they were adopting the framework. One area that comes to mind involves passwords -- adjusting some of those requirements with respect to password links and complexity and things like that to align with what businesses have been doing or what they can reasonably do. Also, we made changes to make sure that we are keeping up with the changes and threats as machines become more powerful and efficient at cracking passwords. We want to make sure things like that are being adjusted to maintain the control and reduce the risk that organizations may be subject to.
Security ComplianceANDERSON: So how can healthcare organizations go about accessing the updated framework for free? And describe how an organization might put the framework to use as it crafts a security compliance strategy.
HOURIHAN: HITRUST makes the CSF freely available to all covered entities, business associates or any organization that uses the CSF internally for purposes of defining or maintaining their own internal information security program. Organizations access it at our website, HITRUSTCentral.net and all you have to do is register your name, organization, e-mail address, and then you'll be able to download the CSF for free.
We do have a paid version that is available through an online portal. It has some additional bells and whistles in terms of functionality and search ability, but the free version contains all the same content. We want to make sure that we're enabling organizations to address their security risks and we're enabling trust in the industry, which is why we make that available for free.
Organizations use the CSF in a number of different ways. ... The first step is ... to take a quick look at the framework and see what it contains to make sure you are comfortable with it and understand the concept, and then leverage it based on where your organization is in terms of its security program.
Some organizations are just using the CSF as a reference source ... as they are implementing security controls or managing their controls that are already in place, they're looking back to the framework to figure out what are the specific requirements that they need to meet. ... There is also the compliance aspect, which is: I have this particular control in place or these controls in place, how do I stack up from a HIPAA perspective?
Then HITRUST makes available a CSF assurance program, which is an assessment process that organizations can use to evaluate their security programs. ... Organizations can use the program ... to evaluate their high risk areas with respect to security.
Something that HITRUST does within the framework is defined as certification controls and requirements. They are all noted within the CSF, and it's a subset of the controls within the CSF that are required for certification. This is essentially a prioritized list of controls and requirements that organizations should be focusing in on this year and for the near future based on analysis that HITRUST does and feedback from the industry.