Adopting HITRUST as the Backbone of Your Information Security Program. Mangoné Fall, Kelly Robertson, Sean Murphy


1 Adopting HITRUST as the Backbone of Your Information Security Program Mangoné Fall, Kelly Robertson, Sean Murphy

2 Overview of Topics
- Discuss the process your organization went through to select an information security framework and program to implement
- Explain why you ultimately landed on HITRUST as the solution for your organization
- Give some examples of how you operationalized HITRUST within your organization, including any key sub-projects you may have had to start
- Explain the process you went through to sell HITRUST internally to senior management, the board, etc.
- Talk about the journey and timeline it took for your organization to do this, or where you are on the timeline/journey
- Highlight common pitfalls and common success factors in order to accomplish this
- What are key factors to making this a success, or potential factors that could make it fail?
HITRUST Alliance

3 Selling HITRUST To Leadership & Board
- Allows us to leverage the CSF as the baseline for our security program or assessment process in a way that is appropriate for our unique environment.
- Is healthcare industry specific, with a certifiable framework.
- Provides stakeholders with peace of mind by demonstrating we are doing everything we can to safeguard sensitive information.
- Addresses HIPAA, Meaningful Use, PCI, and many others. Ensuring compliance with multiple standards is increasingly difficult.
- Reduces cost by assessing once and reporting on multiple mandates.

4 Information Security Framework Selection Process
- Framework must meet multiple regulatory requirements.
- Framework must address regulatory changes in a timely fashion.
- Framework must provide prescriptive requirements that ensure clarity of action.

5 Why HITRUST?
- Reduces risks to patient care, operations, and finances
- Has clear requirements to ensure clarity
- Enables effective remediation planning and roadmap development
- Shows commitment to the highest standards of privacy and security


7 Our Journey
2017
- Oct: Pre-assessment
- Dec: Hired
2018
- Apr: Build team
- May: Secure partner with proven record; socialize initiative and timeline with board and execs; kick-off with SMEs
- June: Begin iterative gap remediation process; review mitigation plans and close gaps
- Sep: Kick off validated report process with partner
- Dec: Goal achieved

8 Process: Why HITRUST?
- Based on recognized standards (e.g. NIST, ISO, CMS).
- Implementation specifications help drive targeted investment.
- Emphasizes more than just implementation: also the policy, procedure, measured, and managed categories.
- Doctrine: foundational for generational change.
- Reputation for your brand, especially if you're a supplier to healthcare orgs.
- One component of the measures for a risk management and security maturity program: SOC 2 + HITRUST + attack and penetration testing + self-assessments, internal and external audits.
- Informs the answer to the board-level question "How do we know we are doing the right things?" (because "the CISO said so" doesn't cut it).
- Reduces risks to patient care, operations, and finances.
- Provides prescriptive requirements to ensure clarity.
- Enables effective remediation planning and roadmap development.
- Shows commitment to the highest standards of privacy and security.

9 Perspective: Lessons Learned
- Senior-most leader support and lots of communication to the org (of course).
- Involve internal audit as a partner.
- Get clear on scope, especially if this is your first certification. This may extend multiple years to get to baseline; don't short-change yourself.
- Know that "audit once, report many" is aspirational (or less).
- Prepare for the fact it will be viewed as hard and too much unplanned work.
- Demonstrate to the business what their role is and what the value is.
- Be aware of version changes (not a user-friendly process).
- Controls typically require collaboration; establish single POC accountability.
- Work with a knowledgeable HITRUST CSF assessor.

10 Pitfalls & Success Factors
- Define and know the scope early
- Get leadership involved early and keep them engaged
- Do not underestimate the HITRUST policies and procedures documentation requirements
- Ensure adequate resources are available
- Acquire new tools
- Engineering/architecture redesign
- Support changes in process
- Explain the why, who, and when (repeat)

11 Key Factors To Making This Initiative a Success
- Selecting a great partner that understands your business
- Assigning a program manager
- Listening to the team and fostering open collaboration across departments
- Focusing on the True North (don't complicate)
- Adopting an iterative process (incremental wins)

12 Visit for more information
To view our latest documents, visit the Content Spotlight.