HITRUST Managing Third Party Compliance How the CSF Can Help

Transcription

1 HITRUST 2016 Managing Third Party Compliance How the CSF Can Help Brenda Callaway Execu5ve Director, Informa5on Security HCSC Darin Clapp Contracts Manager Enterprise Informa5on Security Humana Inc. Bryan Sheehan Sr. Director, Informa5on Risk Management UnitedHealth Group

2 Need to Manage Third Party Compliance Industry organiza5ons, business partners, and suppliers recognize the need to maintain appropriate general compu5ng and security controls that support industry standards, regulatory and customer specific requirements. Many industry organiza5ons reserves the right to audit, and may require suppliers to provide periodic evidence of general compu5ng and security controls. Organiza5ons have implemented assessment processes to gauge each suppliers overall adherence to these security requirements. Thus ensuring a view into the availability, integrity, and confiden5ality of sensi5ve informa5on wherever it may be processed transmiled or reside.

3 Multiple Types of Assessments Within the Industry Supplier Onboarding Exis5ng supplier - Ongoing periodic assessments Ad Hoc Concerns with supplier, Incident, etc. Remote - Paper Based ques5onnaire Onsite Risk Assessment Mul5ple assessment methodologies used throughout the industry

4 Current Challenges Facing Our Industry Lack of third party alesta5ons from suppliers Inability for suppliers to demonstrate that effec5ve controls are in place Mul5ple Security Frameworks leveraged within the Industry Which to choose Inconsistent and proprietary ques5onnaires used throughout the industry Repe55ve, costly and 5me-intensive data collec5on, assessment and repor5ng processes Confusion in regards to mul5ple repor5ng formats (SOC1, SOC2, etc.) and lack of consistent control sets (e.g. CSF)

5 Customer Challenges Ability to demonstrate use of a secure supply chain to regulators and customers Inability to proac5vely iden5fy and track risk exposures at business associate Conduc5ng and managing risk assessments for numerous vendors Costly and 5me-intensive data collec5on, assessment and repor5ng processes Inaccurate and incomplete ques5onnaire responses Iden5fying, maintaining and monitoring the status and effec5veness of correc5ve ac5on plans Difficulty tracking down appropriate contacts at business associate Lack of visibility into downstream risks related to business associate (i.e., business associate s own business partners) Provide consistent repor5ng to management on business associate risks

6 Supplier Challenges Inefficiencies associated with responding to proprietary customer specific ques5onnaires Broad range and inconsistent expecta5ons from customers Tracking to varied expecta5ons around correc5ve ac5on plans Expensive and 5me-intensive on site audits by customers Inability to consistently and effec5vely report security posture to customers Costly and 5me-intensive data collec5on, assessment and repor5ng processes

7 Mul%ple Frameworks, Guidelines & Regulatory Requirements

8 Bringing it all together The HITRUST Common Security Framework eliminates the need for choosing one of many recognized frameworks HITRUST unifies all targeted frameworks and standards relevant to health care Iden5fies Control prac5ces tailored to the health care environment

9 Measurable The HITRUST CSF adds measurable value by integrating and enhancing (adding context and/or clarifying) specific components of U.S. and international standards: ISO control framework (27001/27002) NIST control implementation and audit procedures (800-66, ) PCI prescriptive security controls (PCI DSS) CobIT business process focus (CobIT 4.0) ITIL definitions HIPAA regulatory requirements

10 Leveraging the HITRUST CSF and Assurance Program An independent HITRUST assessment provides insight into suppliers processing environment and helps validate the effec5veness of supplier security controls. HITRUST My CSF assessment - Recognized by the customer along with other suppor5ng ar5facts HITRUST Validated Assessment Report Excepted in lieu of proprietary assessment HITRUST Cer5fica5on Excepted in in lieu of proprietary assessment By being HITRUST Cer5fied (or having any of the above assessment), demonstrates an organiza5on commitment to its business partners and other third-party en55es (e.g., state or federal agencies) that sensi5ve informa5on protec5on is both a necessity and priority, and that essen5al security controls are in place and opera5ng effec5vely.

11 Benefits to Customers Ease of alignment with other industry recognized frameworks, guidelines, standards and regulatory requirements Reduc5on in costs Reduces Risk within the supplier community Alignment with best prac5ces Increase customer confidence Reduces complexity associated with risk assessment Ability to leverage exis5ng recognized repor5ng format SOC2 to align with consistent control sets (CSF) HITRUST and Qualified Assessors Perform the Assessment Increased Assurances - Established assessment and audit process CSF Con5nuously Evaluated and Enhanced HITRUST s Established Framework is Scalable to the Organiza5ons Size

12 Benefit to Suppliers Marke5ng differen5ator - Increase customer confidence (both exis5ng and poten5al customers) Reduc5on in costs Asses once, use many CSF Assurance gaining recogni5on and trac5on within the industry Demonstrates alignment with industry best prac5ces Reduces Risk Reduces complexity associated with risk assessment: Inefficiencies associated with responding to proprietary customer specific ques5onnaires Broad range and inconsistent expecta5ons from customers Tracking to varied expecta5ons around correc5ve ac5on plans Expensive and 5me-intensive on site audits by customers Inability to consistently and effec5vely report security posture to customers Reduc5on in ques5onnaires, costs, etc.

13 Other Benefits HITRUST and Texas Health Services Authority (THSA) partnered to develop and implement the Texas Covered Entity Privacy and Security Certification Program,--the first staterecognized certification of its kind. It is a certification that Texas covered entities can introduce in an action or proceeding imposing an administrative penalty or assessing a civil penalty related to an unauthorized disclosure.

14 Why HITRUST Makes Sense for the industry The true value of the HITRUST CSF and associated Assurance Program Standardized requirements aligned with healthcare compliance requirements Industry benchmarks rather than company specific requirements Shared resources for assessment, repor5ng and compliance tracking Minimize repe55ve processes Simplified assessment and repor5ng processes Enhanced business partner communica5ons Timely and coordinated breach response processes Proac5ve alert of increased business partner risk

15 Ques5ons?