HITRUST CSF Assurance Program


Common healthcare industry approach for assessing security and reporting compliance

Background and challenges

Compliance requirements for healthcare organizations and their business associates are becoming more stringent as organizations face multiple and varied assurance requirements from internal and external auditors and from other third parties such as health information organizations (HIOs) and federal and state agencies. The increasing pressure and penalties associated with HIPAA and HITECH Act enforcement have created a growing need to simplify the compliance process for the healthcare industry. As breaches become more costly, the need for due diligence by all parties to ensure that essential security and privacy controls are in place is greater now than ever before.

Unfortunately, the existing model of unique and inconsistent requirements and processes for validating compliance and mitigating third-party risk leads to an inordinate amount of effort being spent on negotiating requirements, collecting data, assessing, and reporting. This is costly to both healthcare organizations (1) and their business associates, and it detracts from the implementation of an effective overall risk management program.

Figure: Current state of reporting. Each set of requirements produces its own audit report (Requirements -> Audit Report 1, Audit Report 2; Requirements -> Audit Report X, Audit Report Y).

Improving risk management while reducing cost and complexity

The HITRUST CSF Assurance Program utilizes a common set of information security requirements with standardized assessment and reporting processes accepted and adopted by healthcare organizations. Through the CSF Assurance Program, healthcare organizations and their business associates can improve efficiency and reduce the number and cost of security assessments. The oversight and governance provided by HITRUST support a process whereby organizations can trust that their third parties have essential security controls in place.

(1) Certain healthcare organizations may function both as a healthcare organization (i.e., covered entity) and as a business associate. The CSF Assurance Program meets the reporting needs of the organization as a covered entity (i.e., internal and regulatory stakeholders) and as a business associate (i.e., customer requirements).

At a high level, both healthcare organizations and their business associates experience issues leading to greater cost, complexity, and risk, such as:

- Broad range of inconsistent expectations with respect to security
- Maintenance and tracking of disparate requirements and corrective actions
- Expensive and time-intensive audits occurring at random intervals
- Inability to consistently and effectively report and communicate between organizations
- Lack of assurance that risk is appropriately managed

The wide range of assessment and reporting requirements has contributed to inefficiencies and exposure that will only be resolved through the standardization and adoption of a common, industry-wide approach.

Incremental path to compliance

An integral component of achieving HITRUST's goal to advance the healthcare industry's protection of health information is the establishment of a practical mechanism for validating an organization's compliance with the HITRUST Common Security Framework (CSF). The CSF is an overarching security framework that incorporates and leverages the existing security requirements placed upon healthcare organizations, including federal (e.g., HIPAA and HITECH), state, third-party (e.g., PCI and COBIT), and other government agency (e.g., NIST, FTC, and CMS) requirements. The CSF was developed in collaboration with healthcare and information security professionals and is already being widely adopted by leading healthcare payers, providers, and state exchanges as their security framework.

HITRUST has developed the common requirements, methodology, and tools that enable both healthcare organizations and their business associates to take a consistent and incremental approach to managing compliance: the HITRUST CSF Assurance Program. This program is the mechanism that allows healthcare organizations and business associates to assess and report against multiple sets of requirements. Unlike other programs in healthcare and in other industries, the oversight, vetting, and governance provided by HITRUST and the CSF Assurance Committee afford greater assurance and security across the industry. By utilizing the program, organizations can perform an assessment against the requirements of the CSF either proactively or reactively, in response to a request. This single assessment gives an organization insight into its security program and its state of compliance against the various requirements incorporated into the CSF. For organizations that are already striving to implement the information protection controls defined in the CSF, the program allows them to receive immediate and incremental value from the CSF through common reporting tools and processes.

Assessment Types

Current State: Proprietary Assessment
- Wide range of inconsistent controls and requirements from org. to org.
- Wide range of inconsistent questionnaires, tools, and processes from org. to org.
- Wide range of formats for reporting and tracking corrective action plans (CAPs)
- No oversight
- No third-party validation of assessment results

HITRUST CSF Assurance Program: Self Assessment
- Common set of controls based on existing standards/regulations
- Standard set of questionnaires, tools, and processes for assessing
- Standard report, compliance scorecard, and corrective action plan
- Risk factors encompass all sizes and risks of organizations
- Oversight and governance by HITRUST

HITRUST CSF Assurance Program: CSF Validated (Self Assessment plus)
- Performed by a HITRUST CSF Assessor
- Prioritized requirements based on industry output and breach analysis
- HITRUST validates the results and CAP
- Risk factors encompass all sizes and risks of organizations
- Oversight and governance by HITRUST

HITRUST CSF Assurance Program: CSF Certified (CSF Validated plus)
- No gaps with the prioritized requirements based on CSF controls
- Established, industry-accepted baseline of security requirements
- Reduced risk and compliance exposure
- Increased assurance of data protection with third parties
- HITRUST certifies the results and CAP

How the process works

Healthcare organizations require different levels of assurance based on the risk of the relationship with each business associate. The levels of assurance range from self-assessments for small and low-risk business associates to on-site analysis and testing for associates that present the most risk to the organization. The results of the assessment are documented in a standard report accompanied by a compliance scorecard. Remediation activities are included in a corrective action plan (CAP) and can be tracked regularly. Once vetted by HITRUST, the assessed entity can leverage the single assessment to report to multiple internal and external parties (e.g., state and federal agencies, HIOs, customers, healthcare organizations, business associates), saving time and containing costs.

Assisting in the documentation of findings and preparation of reports are CSF Assessors: organizations uniquely qualified to deliver services under the CSF Assurance Program. Using CSF Assessors ensures that highly trained security professionals knowledgeable in healthcare and the CSF are accurately reporting findings to HITRUST, providing the increased level of assurance that relying entities demand.

The CSF Assurance Program enables trust in health information protection through an efficient and manageable approach by defining an achievable path: Self Assessment, CSF Validated, and/or CSF Certified. All three leverage the same tools and processes but provide different levels of assurance.

CSF Assurance Committee

The CSF Assurance Committee is responsible for the creation and management of the policies and procedures that ensure the quality, accuracy, and fairness of assessments and the resulting reports. The committee also serves as an arbitrator to help resolve any issues between an organization being assessed and its CSF Assessor.

Self Assessments

Self assessments can be conducted using the tools and methodologies of the CSF Assurance Program. The assessment results are then prepared by HITRUST for reporting to third parties. The self-assessment option removes potential barriers for organizations that lack the resources for an onsite assessment but must nonetheless implement data protection controls, maintain HIPAA/HITECH compliance, and report to external parties.

CSF Validated

CSF Validated assessments are conducted by CSF Assessors and allow both healthcare organizations and their business associates to realize the benefits of more assurance with fewer resources, which is achieved by aligning with the CSF and leveraging common reporting processes and tools. There are three levels of validation.

Figure: CSF Assurance Program process cycle. Assess and report status with corrective actions; analyze results and mitigate.

These assessments involve onsite interviews, documentation review, and system testing, and they provide a greater level of assurance, intended for organizations with higher-impact and higher-risk relationships.

CSF Certified

CSF Certified is a means of recognizing that an organization has met all of the certification requirements of the CSF as defined by the industry. Utilizing the same tools, processes, and reporting components as CSF Validated, CSF Certified provides internal and external parties with the greatest level of assurance that an organization is appropriately managing risk by meeting those industry-defined and accepted security requirements. Certification is designed to remove the variability in acceptable security requirements by establishing a baseline defined by, and to be used for, the healthcare industry, removing unnecessary and costly negotiations and risk acceptance. By becoming CSF Certified, an organization communicates to external parties that sensitive information protection is both a necessity and a priority, that essential security controls are in place, that management is committed to information security, and that the risk of a breach has been reduced to a reasonable level.

Reduced costs and complexity. Through the adoption of a common set of security objectives and assessment processes, the CSF Assurance Program streamlines how healthcare organizations manage business-associate compliance. Business associates can assess once and report to their many constituents, while healthcare organizations and other external parties benefit from a more complete and effective assessment process.

Managed risk. Through a commercially reasonable process, organizations achieve increased insight into their internal and third-party risks. By freeing resources from reacting to new requirements and audits, organizations can take a proactive approach and focus on the other building blocks of an effective security management program.

Simplified compliance. Organizations benefit from a consistent and efficient approach for reporting compliance to internal stakeholders, HIPAA, HITECH, state agencies, and business associates. When an organization asks its business associates or external parties to report or accept assessment results using the CSF Assurance Program, it does so with confidence in the comprehensiveness of both the report and the process. It is also aware that the report aligns with the existing regulatory and statutory requirements placed upon healthcare organizations as well as internationally recognized standards such as ISO 27001 and 27002. For business associates and other organizations being assessed, this means one assessment encompassing important compliance requirements such as HIPAA and HITECH that can be consistently reported to various customers. For healthcare organizations and other external parties, this means an industry-accepted process based on a comprehensive set of requirements to validate the security program of business associates. Because HITRUST continually oversees the process and vets the assessment results, all parties benefit from reduced time, resources, and confusion regarding the reporting and monitoring of compliance.

Why HITRUST CSF Assurance?

The HITRUST CSF Assurance Program establishes a common approach for addressing industry and regulatory requirements and helps keep compliance costs and risk exposures from spiraling out of control. With the establishment and acceptance of the CSF and related tools, HITRUST is uniquely positioned to support the healthcare community and its business partners in adopting common assessment and reporting processes. With HITRUST's guidance and oversight, healthcare organizations and business associates, supported by the CSF Assessor organizations, are able to realize the benefits of a single, complete risk and compliance review. There is simply no other practical option that is sustainable, helps contain costs, and actually improves security compliance over time.

Learn more

Please call 469.269.1110 for more information on the HITRUST CSF Assurance Program and CSF Assessors, or visit www.hitrustalliance.net/assurance.

MyCSF

Instrumental to the CSF Assurance Program is the user-friendly MyCSF tool, which provides healthcare organizations of all types and sizes with a secure, Web-based solution for accessing the CSF, performing assessments, managing remediation activities, and reporting and tracking compliance. Managed and supported by HITRUST, MyCSF provides organizations with up-to-date HITRUST content, accurate and consistent scoring, reports validated by HITRUST, and benchmarking data unavailable anywhere else in the industry, thus going far beyond what a traditional GRC tool can provide. Learn more about MyCSF.

Comparison

Proprietary Assessment
- Wide range of inconsistent controls and requirements from org. to org.
- Wide range of inconsistent questionnaires, tools, and processes from org. to org.
- Wide range of formats for reporting and tracking corrective action plans (CAPs)
- No oversight
- No third-party validation of assessment results

CSF Validated
- Common set of controls based on existing standards/regulations
- Standard set of questionnaires, tools, and processes for assessing
- Standard report, compliance scorecard, and corrective action plans (CAPs)
- Multiple assurance levels to encompass all sizes and risks of organizations
- Oversight and governance by HITRUST
- HITRUST validates the assessment results and CAP

CSF Certified (CSF Validated plus)
- Prioritized requirements based on industry input and breach analysis
- No gaps with the prioritized requirements based on CSF controls
- Established, industry-accepted baseline of security requirements
- Reduced risk and compliance exposure
- Increased assurance of data protection with third parties

Sample Compliance Scorecard: HIPAA Security Rule Scorecard Example

Risk rating definition: The risk rating is intended as a data point regarding security for the assessed third party. Your organization should consider this information within your overall risk management framework, and your response and mitigation strategy should align with your risk analysis.

Legend: The assessment identified controls that are implemented and aligned with the requirements: Fully / Partially / Non-compliant.

Mapping of CSF controls to requirements (columns: HIPAA, HITECH, CA., MA., PCI, COBIT, NIST 800-53; an X marks a requirement the control maps to):
0. Information Security Management: X X
1. Access Control: X X X X X
2. Human Resources Security: X X X
3. Risk Management: X X
4. Security Policy: X X X
5. of Information Security: X X X
6. Compliance: X X X
7. Asset Management: X X X
8. Physical and Environmental Security: X X X
9. Communications and Operations Management: X X X X
10. Information Systems Acquisition, Development and Maintenance: X X X
11. Information Security Incident Management: X X X X X
12. Continuity Management: X X X

Vehicle for monitoring compliance of third parties

Healthcare organizations must have confidence in their business associates' ability to implement a privacy and security program that safeguards protected health information. More often than not, it is the healthcare organization's name that appears in public reports of a data privacy breach and other high-profile violations, making the business-associate relationship a critical component in protecting the organization's reputation and managing its compliance efforts. The CSF Assurance Program provides healthcare organizations with a standard, cost-efficient means to assess the security program of business associates and obtain the results required by HIPAA. By using the CSF Assurance Program, organizations are no longer left to work in isolation developing unique requirements that consume time and money and are not accepted industry-wide.

CSF Assessors

A component of the HITRUST CSF Assurance Program is the use of professional services organizations to provide assessment and remediation services. These organizations must meet certain criteria initially and must continue to maintain their standing to retain HITRUST's approval to perform CSF Assurance Program related work. Information security experience and technical competence with healthcare organizations (e.g., medical facilities/providers, health plans/payers, clearinghouses) are among the criteria. Individuals from CSF Assessor organizations must also attend a specialized training course and pass a comprehensive exam to become a HITRUST Practitioner, a designation of technical competence in healthcare security, risk management, and use of the CSF. The purpose of the criteria established by HITRUST is to provide an added level of assurance that the assessment is conducted in a comprehensive and appropriate manner. To learn more, visit www.hitrustalliance.net/assessors.

Access your copy of the CSF

The HITRUST CSF is available through both MyCSF and HITRUST Central, the industry's first managed online community for health information security professionals. The HITRUST CSF:

- Leverages existing, globally recognized standards, including HIPAA, NIST, ISO, PCI, FTC, and COBIT
- Scales according to the type, size, and complexity of the implementing organization
- Provides prescriptive requirements to ensure clarity
- Follows a risk-based approach, offering multiple levels of implementation requirements determined by risks and thresholds
- Allows for the adoption of alternate controls when necessary
- Evolves according to user input and changing conditions in the healthcare industry and regulatory environment

In addition to providing access to the CSF, HITRUST Central includes a blog, question-and-answer forums, downloads, and group collaboration spaces. To learn more and to register, visit www.hitrustalliance.net/csf/hitrust_central_information.php.

About HITRUST

The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST, in collaboration with healthcare, business, technology, and information security leaders, has established the Common Security Framework (CSF), a certifiable framework that can be used by any organization that creates, accesses, stores, or exchanges personal health and financial information. Beyond the establishment of the CSF, HITRUST is also driving adoption of, and widespread confidence in, the framework and sound risk management practices through awareness, education, advocacy, and other outreach activities. For more information about HITRUST, the HITRUST CSF, and other HITRUST offerings and programs, visit www.hitrustalliance.net.

6136 Frisco Square Blvd., Suite 327, Frisco, TX 75034
Tel: (469) 269-1100
Fax: (469) 269-1101
www.hitrustalliance.net