HITRUST CSF Assurance Program. The Common Healthcare Industry Approach for Assessing Security and Reporting Compliance

Similar documents
HITRUST CSF Assurance Program

Adopting HITRUST as the Backbone of Your Information Security Program. Mangoné Fall, Kelly Robertson, Sean Murphy

Navigating the New Health Economy

HITRUST Managing Third Party Compliance How the CSF Can Help

table of contents INTRODUCTION...3 CHAPTER 1: WHAT IS HITRUST?...4 CHAPTER 2: THE BENEFITS OF USING HITRUST...6

CONSULTING & CYBERSECURITY SOLUTIONS

a physicians guide to security risk assessment

Driving healthy growth

HOW TO AVOID THE DANGER OF WEAK CONTROLS IN THIRD-PARTY RISK MANAGEMENT

Best Practices: Vendor Risk Questionnaires PROCESSUNITY WEBINAR SERIES

SOLUTION BRIEF RSA ARCHER REGULATORY & CORPORATE COMPLIANCE MANAGEMENT

D A T A INTEGRITY THE CRUX OF COMPLIANCE AND RISK MANAGEMENT

Trusted KYC Data Sharing Framework Implementation

Outsourcing transparency evolution

STEPS FOR EFFECTIVE MANAGEMENT OF VENDOR AND SUPPLIER CYBERSECURITY RISKS. April 25, 2018 In-House Counsel Conference

Risk Advisory SERVICES. A holistic approach to implementing effective governance, managing risk and maintaining compliance

Optiv's Third- Party Risk Management Solution

Leveraging IT risk management to boost competitive advantage

Internal Audit Quality Analysis Evaluation against the Standards International Standards for the Professional Practice of Internal Auditing (2017)

ISC: UNRESTRICTED AC Attachment. Environmental & Safety Management- EnviroSystem Oversight Audit

HCL s HITRUST SOLUTION Redefining Healthcare Security Compliance

HCCA Compliance Institute : Intersection of Internal Audit & Compliance. April 17, Agenda. Where are we today?

THE FIVE ELEMENTS OF AN EFFECTIVE HIPAA AUDIT PREPARATION PROGRAM

The Unlocked Backed Door to Healthcare Data Vendor Intelligence Report By: CORL Technologies

Delivered by Sandra Fuller, MA, RHIA, FAHIMA. April 29, 2009

Beyond Compliance. Leveraging Internal Control to Build a Better Business: A Response to Sarbanes-Oxley Sections 302 and 404

PMO Services Checklist

Best Practice Requirements for Successful Metrics Initiatives

Payroll and Workforce Support Services. Technology enabled. Service driven.

Payroll and Workforce Support Services. Technology enabled. Service driven.

Certified Identity Governance Expert (CIGE) Overview & Curriculum

Evolving Core Tasks for Improved Internal Audit Performance. Copyright 2018 AuditBoard Inc. 1

Certified Outsourcing Professional (COP) Exam Study Guide

Lessons Learned in Streamlining the Third-party Risk Assessment Process

Assessments for Certified and Non-Certified Vendors

5 Core Must-Haves for Improved Internal Audit Performance. Copyright 2018 AuditBoard Inc. 1

Enhancing Audit Committee Excellences through Internal Audit. 21 November 2017

Sponsor/CRO Partnership Optimization

Make money, save money and manage risk

Chemical Testing and Analytic Services

IT Risk Advisory & Management Services

Visualize Your Compliance

Right-sizing SOX Frameworks with Risk Management. Chris McClean Vice President, Research Director

Managing the Business Associate Relationship: From Onboarding to Breaches. March 27, 2016

IT Service Delivery And Support Week Seven: SLA. IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao

Security and risk governance. An operational model

Efficiency First Program

Drive Your Business. Four Ways to Improve Your Vendor Risk Program

Role Based Access Governance and HIPAA Compliance: A Pragmatic Approach

ECDPO 1: Preparing for the EU General Data Protection Regulation

Quality Assurance and Improvement Program

PCI Force Multiplier. a refreshing approach to PCI DSS Compliance. silentsector Silent Sector, LLC

REGULATORY HOT TOPIC Third Party IT Vendor Management

Optum Intelligent EDI. Achieve higher first-pass payment rates and help your organization get paid quickly and accurately.

Measuring Compliance Program Effectiveness

International Standards for the Professional Practice of Internal Auditing (Standards)

Internal controls over financial reporting

From the Front Lines: Navigating the OCR Phase 2 HIPAA Audits

ANTI-MONEY LAUNDERING SERVICES EXPERTS WITH IMPACT

Mastering new and expanding financial services regulations and audits

Trusted KYC Data Sharing Framework Implementation

The power of the Converge platform lies in the ability to share data across all aspects of risk management over a secure workspace.

Presentation for INCC LUMS 2008 May 2, 2008 Presented by Shahed Latif, KPMG LLP, Silicon Valley

ADDING VALUE BY AUDITING HEALTH INFORMATION IMPLEMENTATIONS ALEX ROBISON DAVID ZAVALA

MOVING UP THE INTERNAL AUDIT MATURITY CURVE MODEL

CAQH CORE Town Hall Webinar

Draft Recommendations for the Predictability Roadmap. October 2018

GSR Management System - A Guide for effective implementation

Compliance in Multiple Regulatory Settings. a Holistic Approach

Industry insight and global experience: the intelligent connection

CITIBANK N.A JORDAN. Governance and Management of Information and Related Technologies Guide

Government Relations (GR) Strategic Plan February 2017

ECDPO 1: Preparing for the EU General Data Protection Regulation

Summary Report Special Funding Project: Establishing an Evaluation Framework for the Culture of Safety in Manitoba

BEST PRACTICES IN CYBER SUPPLY CHAIN RISK MANAGEMENT

Internal audit strategic planning Making internal audit s vision a reality during a period of rapid transformation

ISO 50001:2018 The next generation of Energy Management

APPLICATION OF KING III CORPORATE GOVERNANCE PRINCIPLES 2016

ADP ihcm Supporting Strategy and Execution ADP ihcm Executive Briefing for CEOs

All-in-One Compliance for All.

Compliance Monitoring and Enforcement Program Implementation Plan. Version 1.7

On the road(map) again. Balancing the emerging regulatory requirements in the Middle East public sector

MRO s CMEP Approach Ten-Year Retrospective and A Bright Future

Improving Information Security by Automating Provisioning and Identity Management WHITE PAPER

STATE OF INTERNAL AUDIT 2013

Provincial Government Review of the Professional Reliance Model Submission from Association of Consulting Engineering Companies of BC

Enterprise Risk Management Montana State Fund

Internal controls over financial reporting

ISO/IEC Service Management. Your implementation guide

CERTIFICATION REGIME: FITNESS AND PROPRIETY DEFINITIONS, SOURCES OF INFORMATION AND ASSESSMENT RECORD TEMPLATE

npliance IN 2008, MICROSOFT CORP. WAS FINED 899 MILLION Auditing for

Supplier risk compliance obligation or source of competitive advantage? Improve supplier reliability to lift business performance

SELF-ASSESSMENT CHECKLIST

JOB DESCRIPTION & PERSON SPECIFICATION. Director of Regulatory Assurance. REPORTS TO: Deputy Commissioner - Operations PURPOSE OF POST

2005 OIG Supplemental Compliance Guidance for Hospitals Focus on Culture & Leadership Hospitals with an organizational culture that values compliance

PREVENTIA. Where security begins... Five Best Practices of Vendor Application Security Management

Addressing Perceived Barriers to the Acceptance of Third Party Certification

Auditing Identity & Access Management: Addressing the Root Causes

SRP. Sustainability Resource Planning ENVIRONMENT ENERGY ASSETS

Sphera is the largest global provider

Transcription:

The Common Healthcare Industry Approach for Assessing Security and Reporting Compliance February 2017

Contents Background and Challenges.... 3 Improving Risk Management While Reducing Cost and Complexity... 3 Incremental Path to Compliance.... 4 How the Process Works.... 5 Self-Assessments.... 5 CSF Validated.... 6 CSF Validated with Certification.... 6 Why HITRUST CSF Assurance?.... 6 Learn More... 7 CSF Assurance Committee.... 7 MyCSF... 7 Vehicle for Monitoring Compliance of Third Parties.... 8 CSF Assessors.... 8 Access Your Copy of the CSF.... 8 About HITRUST... 9

3 Background and Challenges Compliance requirements for healthcare organizations and their business associates and partners are becoming more stringent as organizations face multiple and varied assurance requirements from internal and external auditors and other third parties such as business partners and federal and state agencies. The increasing pressure and penalties associated with the enforcement efforts of HIPAA and the HITECH Act as well as several high profile breaches have led to a growing need to simplify the compliance process for the healthcare industry. As breaches become more costly, the need for increased due diligence by all parties to ensure that essential security and privacy controls are in place is greater now than ever before. Unfortunately, the existing model of unique and inconsistent requirements and processes to validate compliance and mitigate risks associated with third parties is leading to an inordinate level of effort being spent on the negotiation of requirements, data collection, assessment, and reporting. This is costly to both healthcare organizations 1 and their business associates and partners, detracting from the implementation of an effective overall risk management program. Improving Risk Management While Reducing Cost and Complexity The utilizes a common set of information security requirements with standardized assessment and reporting processes accepted and adopted by healthcare organizations. Through the CSF Assurance Program, healthcare organizations and their business associates and partners can improve efficiencies and reduce the number and costs of security assessments. The oversight and governance provided by HITRUST support a process whereby organizations can trust that their third parties have essential security controls in place. At a high level, both healthcare organizations and their business associates and partners experience issues leading to greater cost, complexity, and risk such as: Broad range of inconsistent expectations with respect to security Maintenance and tracking of disparate requirements and corrective actions Expensive and time-intensive audits occurring at random intervals Inability to consistently and effectively report and communicate between organizations Lack of assurance that risk is appropriately managed The wide range of assessment and reporting requirements has contributed to inefficiencies and exposure that will only be resolved with the standardization and adoption of a common, industry-wide approach. 1 Certain healthcare organizations may function both as a healthcare organization (i.e., covered entity) and a business associate. The CSF Assurance Program meets the reporting needs of the organization as a covered entity (i.e., internal and regulatory stakeholders) and as a business associate (i.e., customer requirements)

4 Incremental Path to Compliance An integral component to achieving HITRUST s goal to advance the healthcare industry s protection of health information is the establishment of a practical mechanism for validating an organization s compliance with the HITRUST CSF. The CSF is an overarching security and privacy framework that incorporates and leverages the existing security requirements placed upon healthcare organizations, including federal (e.g., HIPAA and HITECH), state, third party (e.g., PCI and COBIT), and other government agencies (e.g., NIST, FTC, and CMS). The CSF was developed in collaboration with healthcare and information security professionals and is already being widely adopted by leading healthcare payers, providers, and state exchanges as their security framework. HITRUST has developed the common requirements, methodology, and tools that enable both healthcare organizations and their business associates and partners to take a consistent and incremental approach to managing compliance: the. This program is the mechanism that allows healthcare organizations, business associates and business partners to assess and report against multiple sets of requirements. Unlike other programs in healthcare and in other industries, the oversight, vetting and governance provided by HITRUST and the CSF Assurance Committee affords greater assurances and security across the industry. By utilizing the CSF Assurance Program, organizations can proactively or reactively, per a request, perform an assessment against the requirements of the CSF. This single assessment will give an organization insight into its security program and state of compliance against the various requirements incorporated into the CSF. For organizations that are already striving to implement the information protection controls defined in the CSF, the program allows them to receive immediate and incremental value from the CSF through common reporting tools and processes. Current State Proprietary Assessment Self-Assessment CSF Validated CSF Certified Wide range of inconsistent controls and results from organization to organization Wide range of inconsistent questionnaires, tools and processes from organization to organization Wide range of formats for reporting and tracking corrective action plans (CAPs) No oversight No third party validation of assessment results Common set of controls based on existing standards and regulations Standard set of questionnaires, tools and processes for assessing Standard report, compliance scorecard, Corrective Action Plan Risk factors encompassing all sizes and risks of organizations Oversight and governance by HITRUST Self-Assessment, plus: Performed by a HITRUST CSF Assessor Prioritized requirements based on industry output and breach analysis HITRUST validates the results and corrective action plans (CAPs) Risk factors encompassing all sizes and risks of organizations Oversight and governance by HITRUST CSF Validated, plus: No gaps with the prioritized requirements based on CSF controls Established, industry accepted baseline of security requirements Reduced risk and compliance exposure Increased assurance of data protection with third parties HITRUST certifies the results and CAP

5 Incremental Path to Compliance Healthcare organizations require different levels of assurance based on the risk of the relationship with each business associate and/or partner. The levels of assurance include self-assessments for small and low-risk business associates and on-site analysis and testing for associates that present the most risk to organizations. The results of the assessment are documented in a standard report. Remediation activities are included in a corrective action plan (CAP) and can be regularly tracked. Once vetted by HITRUST, the assessed entity can leverage the single assessment to report to multiple internal and external parties (e.g., state and federal agencies, customers, healthcare organizations, business associates), saving time and containing costs. Assisting in the documentation of findings and preparation of reports are CSF Assessors - those organizations uniquely qualified to deliver services under the CSF Assurance Program. Using CSF Assessors ensures that highly trained security professionals knowledgeable in healthcare and the CSF are accurately reporting findings to HITRUST, providing the increased level of assurance that relying entities demand. The CSF Assurance Program enables trust in health information protection through an efficient and manageable approach by defining an achievable path: Self Assessment, CSF Validated and/or CSF Validated with Certification all leverage the same tools and processes, but provide different levels of assurance. Healthcare Organization Healthcare Organization Healthcare Organization Analyze Results and Mitigate HITRUST CSF Assurance Program Assess and Report Status with Corrective Actions Business Associate Business Associate Business Associate Self-Assessments Self-assessments can be conducted by utilizing the tools and methodologies of the CSF Assurance Program. The assessment results are then prepared by HITRUST for reporting to third parties. The self-assessment option removes any potential barriers for organizations that lack the resources for an onsite assessment, but nonetheless must still implement data protection controls, maintain HIPAA/HITECH compliance, and report to external parties.

6 CSF Validated CSF Validated assessments are conducted by CSF Assessors and allow both healthcare organizations and their business associates and partners to realize the benefits of more assurance with fewer resources, which is achieved by aligning with the CSF and leveraging of common reporting processes and tools. These assessments involve onsite interviews, documentation review and system testing and provide a greater level of assurance, meant for those organizations with higher impact and higher risk relationships. CSF Validated with Certification CSF Validated with Certification is a means of recognizing that an organization has met all of the certification requirements of the CSF as defined by the industry. Utilizing the same tools, processes and reporting components as CSF Validated, CSF Validated with Certification provides internal and external parties with the greatest level of assurance that an organization is appropriately managing risk by meeting those industry-defined and accepted security requirements. Certification is designed to remove the variability in acceptable security requirements by establishing a baseline defined by and to be used for the healthcare industry, removing unnecessary and costly negotiations and risk acceptance. By becoming CSF Certified, an organization is communicating to external parties that sensitive information protection is both a necessity and priority, essential security controls are in place, management is committed to information security, and the risk of a breach has been reduced to a reasonable level. Why HITRUST CSF Assurance? The establishes a common approach for addressing industry and regulatory requirements and helps keep compliance costs and risk exposures from spiraling out of control. Reduced costs and complexity. Through the adoption of a common set of security objectives and assessment processes, the CSF Assurance Program streamlines how healthcare organizations manage business-associate compliance. Business associates can assess once and report to their many constituents, while healthcare organizations and other external parties benefit from a more complete and effective assessment process. Managed risk. Through a commercially reasonable process, organizations will achieve increased insight into their internal and third-party risks. By freeing resources from reacting to new requirements and audits, organizations can take a proactive approach focusing on the other building blocks of an effective security management program. Simplified compliance. Organizations benefit from a consistent and efficient approach for reporting compliance with internal stakeholders, HIPAA, HITECH, state, and business associates.

7 When an organization asks their business associates or external parties to report or accept assessment results using the CSF Assurance Program, they do so with confidence in the comprehensiveness of both the report and process. They are also aware of the fact that the report aligns with the existing regulatory and statutory requirements placed upon healthcare organizations as well as internationally recognized standards such as ISO 27001 and 27002. For business associates and other organizations being assessed, this means one assessment encompassing important compliance requirements such as HIPAA and HITECH that can be consistently reported to various customers. For healthcare organizations and other external parties, this means an industry-accepted process based on a comprehensive set of requirements to validate the security program of business associates and partners. Because HITRUST continually oversees the process and vets the assessment results, all parties benefit from reduced time, resources and confusion regarding the reporting and monitoring of compliance. With the establishment and acceptance of the CSF and related tools, HITRUST is uniquely positioned to support the healthcare community and their business partners in adopting common assessment and reporting processes. With HITRUST s guidance and oversight, healthcare organizations, business partners and business associates, supported by the CSF Assessor organizations, are able to realize the benefits of a single, complete risk and compliance review. There is simply no other practical option that is sustainable, helps contain costs, and actually improves security compliance over time. Learn More Please call 469.269.1110 for more information on the and CSF Assessors or visit HITRUSTalliance.net/csf-assurance. CSF Assurance Committee The CSF Assurance Committee is responsible for the creation and management of the policies and procedures that ensure the quality, accuracy, and fairness of assessments and the resulting reports. The committee also serves as an arbitrator to help resolve any issues between an organization being assessed and its CSF Assessor. MyCSF Instrumental to the CSF Assurance Program is the user-friendly MyCSF tool that provides healthcare organizations of all types and sizes with a secure, Web-based solution for accessing the CSF, performing assessments, managing remediation activities, and reporting and tracking compliance. Managed and supported by HITRUST, MyCSF provides organizations with up-to-date content, accurate and consistent scoring, reports validated by HITRUST, and benchmarking data unavailable anywhere else in the industry, thus going far beyond what a traditional GRC tool can provide. Learn more about MyCSF at HITRUSTAlliance.net/mycsf.

8 Vehicle for Monitoring Compliance of Third Parties Healthcare organizations must have confidence in their business partners ability to implement a privacy and security program that safeguards protected health information. More often than not, it is the healthcare organization s name that is used in public reports of a data privacy breach and other high-profile violations; thus, making the businesspartner relationship a critical component in protecting their reputation and managing compliance efforts. The CSF Assurance Program provides healthcare organizations with a standard, cost-efficient means to assess the security program of business associates and obtain the results as required by HIPAA. By using the CSF Assurance Program, organizations are no longer left to work in isolation to develop unique requirements that consume time and money and are not accepted industry-wide. CSF Assessors A component of the is the utilization of professional services organizations to provide the assessment and remediation services. These organizations must meet certain criteria initially and continue to maintain their standing to receive HITRUST s approval to perform any CSF Assurance Program related work. Information security experience and technical competence with healthcare organizations (e.g., medical facilities/ providers, health plans/payers, clearinghouses) are among the criteria. Individuals from CSF Assessor organizations must also attend a specialized training course and pass a comprehensive exam to become a HITRUST Practitioner, a designation of technical competence in healthcare security, risk management, and use of the CSF. The purpose of the criteria established by HITRUST is to provide an added level of assurance that the assessment is conducted in a comprehensive and appropriate manner. To learn more, visit HITRUSTalliance.net/csf-assessors. Access Your Copy of the CSF The HITRUST CSF is available through both MyCSF and the HITRUST Downloads page. The HITRUST CSF: Leverages existing, globally recognized standards, including HIPAA, NIST, ISO, PCI, FTC, and Cobit Scales according to type, size, and complexity of an implementing organization Provides prescriptive requirements to ensure clarity Follows a risk-based approach offering multiple levels of implementation requirements determined by risks and thresholds Allows for the adoption of alternate controls when necessary Evolves according to user input and changing conditions in the healthcare industry and regulatory environment

<< Back to Contents 9 About HITRUST Founded in 2007, the Health Information Trust Alliance (HITRUST) was born out of the belief that information protection should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST in collaboration with public and private healthcare technology, privacy and information security leaders has championed programs instrumental in safeguarding health information systems and exchanges while ensuring consumer confidence in their use. HITRUST programs include the establishment of a common risk and compliance management framework (CSF); an assessment and assurance methodology; educational and career development; advocacy and awareness; and a federally recognized cyber Information Sharing and Analysis Organization (ISAO) and supporting initiatives. Over 84 percent of hospitals and health plans, as well as many other healthcare organizations and business associates, use the CSF, making it the most widely adopted security framework in the industry. For more information, visit www.hitrustalliance.net.

855.HITRUST (855.448.7878) www.hitrustalliance.net

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback