Best Practices for Healthcare Risk Analysis and HITRUST CSF Certification

Organizations within or adjacent to the healthcare industry encounter challenges in managing risk assessment, regulatory compliance, and the overall security of their digital infrastructure. HITRUST certification can help healthcare organizations streamline healthcare risk analysis, achieve required HIPAA compliance, and protect the integrity of sensitive protected health information (PHI). 

 

Best Healthcare Risk Analysis Strategies

The HITRUST CSF framework offers broad recommendations for organizations to manage cybersecurity risk. Healthcare organizations can leverage the HITRUST CSF recommendations to perform healthcare risk analysis. 

Specifically, the recommendations in Control Category 03.0 – “Risk Management,” can help organizations develop best practices for healthcare risk analysis that include:

• Risk assessment
• Risk mitigation
• Risk management

The broad controls stipulated by the HITRUST CSF framework provide optimal healthcare risk analysis tools amenable to any organization. In addition, HITRUST CSF certification can also help healthcare organizations achieve necessary HIPAA protections.

---

Download Our HITRUST Compliance Checklist

---

What is the HITRUST CSF Framework?

The HITRUST CSF is a comprehensive framework that provides broad security protections and streamlined integration of various compliance standards. While the HITRUST CSF consists of 14 Control Categories, the most crucial for healthcare risk analysis is Control Category 03.0 – “Risk Management.”

The HITRUST Approach, offered by the HITRUST Alliance, defines aspects of risk management and compliance. Specific goals of the HITRUST Approach include:

• Aligning different compliance standards 
• Maintaining a risk management program
• Integrating various risk analysis components

The healthcare industry largely drives the enforcement of HITRUST, ensuring adoption and certification across hospitals and other healthcare providers. The goal of the HITRUST CSF framework is to ensure effective management of data protection, information risk, and compliance. 

Working with a HITRUST compliance partner can help healthcare organizations manage healthcare risk analysis.

 

Request a Free Consultation

 

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), established by the Department of Health and Human Services (HHS), protects sensitive PHI during processing by organizations within or adjacent to the healthcare industry. HIPAA comprises four rules, namely:

• Privacy Rule – The Privacy rule classifies organizations as covered entities and their business associates, establishing PHI as a type of protected information. The Privacy Rule also establishes guidelines for permitted uses and disclosures of PHI.
• Security Rule – Extending protections to ePHI, the Security Rule establishes administrative, physical, and technical safeguards for healthcare organizations to apply for optimal protection of PHI.
• Breach Notification Rule – This rule outlines guidelines for healthcare organizations to report data breaches. Conditions include organizations reporting the breach to affected parties, the Secretary of the HHS, and a local media station when more than 500 individuals are impacted.
• Enforcement Rule – The last rule establishes fines and penalties for non-compliance. It outlines the enforcement of HIPAA regulations, including processes covered by the Office for Civil Rights (OCR) and the Department of Justice (DOJ) (in certain cases).

HITRUST CSF certification helps organizations achieve HIPAA compliance with each of these rules, protecting PHI from potential threat attacks.

 

Ongoing Healthcare Risk Assessment

It is an essential practice for healthcare organizations to conduct an ongoing healthcare risk analysis of digital assets used for all PHI activity. According to the HITRUST CSF, healthcare organizations can manage risk by performing regular risk assessments.

 

Security Risk Assessment

Organizations must conduct periodic risk assessments that address domains of the HITRUST CSF and can identify security risks. The requirements for security risk assessment are covered in HITRUST CSF Control Reference 03.b, and apply to Level 1 and 2 organizations. 

HITRUST CSF Level 1 healthcare risk analysis is subject to the HIPAA Security Rule and can help identify risks from various sources, the most critical of which include:

• Prior threat incidents – Healthcare organizations are frequently targeted by hackers. The data obtained from previous breach attacks or penetration testing efforts can help identify commonly exploited security risks. Common risks to PHI include:

1. Web application vulnerabilities
2. Access control gaps
3. Social engineering attacks

• Changes in IT environments – Any changes to the digital assets used to store or transmit PHI can pose risks, some of which include:

1. New exploits used by threat actors, taking advantage of unpatched networks, systems, or applications
2. Variations to sources of threat attacks, based on attack sophistication
3. Increase in vulnerabilities and security gaps in critical networks or applications
   

•  Supervisory guidance – Working with third-party vendors comes with risks, most of which require vendors to           comply with relevant frameworks. Identifying risks posed by third-party vendors is a necessary component of              protecting PHI.

Security risk assessment is a critical component of healthcare risk analysis. Compliance with HITRUST CSF guidelines can help your organization mitigate security risks to PHI.

 

HITRUST CSF Level 2 and HIPAA 

HITRUST CSF level 2 healthcare risk analysis is subject to the HIPAA Security Rule and the Breach Notification Rule. Specifically, risk assessment can help determine how PHI breach should be reported (e.g., within the calendar year, within 60 days and to the Secretary of the HHS).

The methodology used to determine whether a breach is reportable must address:

• Nature of PHI involved in the breach—including types of identifiers
• The unauthorized person involved in the breach (i.e., source of disclosure or to whom PHI was disclosed)
• Indication of whether PHI was viewed or acquired
  • Note that encryption can help healthcare organizations demonstrate that a breach hasn’t occurred even if the data fell into a cyberattacker’s possession. If the data cannot be read, it’s not a breach.
• Level of risk mitigation to PHI
• Other factors decided by the Secretary of HHS

HITRUST CSF compliance helps healthcare organizations implement this methodology to navigate healthcare risk analysis and assess security risks to PH to comply with HIPAA.

 

Scheduled Risk Assessments (Level 1)

Risk analysis in healthcare also requires that organizations schedule ongoing security risk assessments. Note that HIPAA requires periodic assessments but does not define their frequency. Specifically, Level 1 HITRUST CSF Requirements recommend that the following assessment conditions are met:

• Assessments are conducted regularly
• Risk assessment is performed after significant changes to PHI environments
• Results from risk assessment are reviewed annually

Scheduling risk assessments enables organizations to prioritize resources for analysis and leverage the findings–ensuring better ROI on cybersecurity.

Watch the full webinar!
 

Healthcare Risk Mitigation

Risk mitigation requirements are covered under HITRUST CSF Control Reference 03.c, providing organizations with strategies to reduce risk to acceptable operational levels. Specifically, the Level 1 HITRUST CSF Implementation Requirements suggest four mitigation methods in a healthcare risk analysis program:

• Avoidance – Organizations can mitigate risk by avoiding activities associated with risks. Healthcare organizations can implement specific strategies, such as:
  • • Minimizing the use of unnecessary technologies and integrations in high-risk PHI environments 
    • Avoiding PHI storage in servers prone to threat attacks
    • Limiting the use of unpatched system components, especially those requiring critical security updates

• Reduction – Organizations can use controls to minimize the impact of risk to overall cybersecurity. Specific examples of controls include:
  • • Network encryption to minimize any compromise to PHI
    • Access control measures to prevent unauthorized intruder access to networks
    • Use of strong passwords for accounts with access to PHI
    • Privileged account usage to minimize non-business need access to PHI
• Transference – Organizations can transfer risk to an external entity or third party. Specifically, organizations can outsource services to experienced cybersecurity providers, including:
• Cloud security
  • • Penetration testing
    • Threat and vulnerability management
    • Risk management for third-party vendors
• Acceptance – Organizations can also choose to accept risk and must document management acceptance of such decisions.

Risk mitigation can help inform your organization’s healthcare risk analysis approach and improve cybersecurity results.

 

Considerations for Healthcare Risk Mitigation

Organizations must also define and document the criteria used to determine when to avoid, reduce, transfer, or accept risk. When healthcare organizations make decisions to mitigate risk, the most critical factors include:

• Industry frameworks – Organizations are expected to conduct operations based on industry best standards, regulations, and laws. For healthcare risk analysis, organizations must comply with HIPAA regulations.
• Business priorities – Healthcare organizations need to define business priorities, specifically those around:
  • System components used for PHI transactions (e.g., networks, applications)
  • Critical data protection (e.g., PHI best practices per the HIPAA Security Rule)
  • Third-party vendors (e.g., protections for PHI outlined in contracts)
• Coverage for threats – Healthcare organizations can implement robust threat monitoring to manage existing and materializing threats, ensuring that they are addressed immediately upon identification.

Risk mitigation is a critical component of healthcare risk analysis, especially for HIPAA compliance. With the help of a HITRUST CSF compliance specialist, your organization can determine the most effective HITRUST CSF applications for your digital assets.

 

Risk Management in Healthcare

Another critical component of healthcare risk analysis involves organizations managing various levels of risk. Broadly, risk management in healthcare covers aspects of risk assessment and mitigation. 

However, organizations can define risk management policies based on the following factors:

• Clearly defined objectives for the process of risk management
• Organizational management’s acceptable levels of risk, based on:
  • Role of risk in critical infrastructure
  • Business-specific risks, determined by healthcare risk analysis
• Defined connections between risk management and strategic planning
• Documentation of risk assessment processes

 

HITRUST CSF Certification

One of the most effective ways to achieve up-to-date compliance with compliance frameworks overseeing the healthcare industry is to undergo the HITRUST CSF certification process. HITRUST CSF certification allows your organization to effectively protect PHI during storage, processing, and transmission between entities.

Being a HITRUST CSF-certified organization communicates to business partners, vendors, and other industry stakeholders that your organization is committed to high standards of data protection and the security of PHI transactions. HITRUST certification facilitates the adoption of a compliant healthcare risk analysis model, as the certification process requires a thorough risk assessment of your organization’s digital assets and business operations.

 

Process for HITRUST Certification

The process to obtain HITRUST CSF certification for your organization can be summarized as follows:

• Perform a self-assessment in preparation for the validated assessment.
• Choose a HITRUST-qualified assessor.
• Complete a validated assessment using the MyCSF tool (all implementations, documented policies, and procedures must be in effect for at least 90 days prior to assessment).
• Your selected HITRUST assessor will audit the assessment.
• Once auditing is complete, submit it for HITRUST review.
• HITRUST creates a report and issues a letter of certification if your organization passes the assessment.

 

MyCSF Tool

The MyCSF tool is an essential component of healthcare risk analysis. Organizations looking to obtain HITRUST certification can use MyCSF to conduct customized internal assessments for the certification process.

MyCSF can help healthcare organizations:

• Implement information risk management
• Conduct information risk assessment
• Streamline vulnerability remediation
• Track and report on compliance efforts
• Meet local and international compliance regulations
• Navigate evolving compliance needs in a dynamic regulatory environment

The MyCSF Tool also contains features to help define your organization’s healthcare risk analysis and effectively meet compliance needs. Specific features include:

• HIPAA compliance and reporting assistance – Healthcare organizations can use the evidence collected from HITRUST CSF assessment to demonstrate HIPAA compliance. Specifically, the MyCSF tool helps to:
  • Consolidate evidence of HIPAA compliance into a report
  • Format evidence by HIPAA controls
  • Populate evidence in a format shareable with investigators from the Office of Civil Rights (OCR)
• Centralized action planning – Healthcare organizations can manage corrective action plans (CAPs) for various system components, including those addressing non-HITRUST assessments.
• Custom risk assessment – Your organization can tailor assessments specific to healthcare risk analysis, integrating various regulatory factors and HITRUST CSF control requirements. Risk assessment is essential for healthcare organizations required to comply with widely applicable regulations, such as:
  • HIPAA
  • PCI DSS
  • GDPR
• Assessment tracking – MyCSF allows organizations to:
  • Track assessments submitted for HITRUST CSF reports
  • Compile aggregate scoring for assessment questions
  • Review assessment documentation for errors or inconsistencies before submission for certification
  • Schedule quality assurance (QA) for assessment submissions

While there are multiple steps involved in obtaining HITRUST CSF certification, tools such as MyCSF enable organizations to gauge HITRUST CSF certification readiness and strengthen healthcare risk analysis.

 

Optimize Your Healthcare Risk Analysis

With the help of an experienced HITRUST CSF compliance partner, your organization can conduct optimized healthcare risk analysis and obtain HITRUST CSF certification. HITRUST CSF compliance not only protects sensitive data such as PHI but also helps your organization stay on top of industry standards.

To learn more about HITRUST CSF certification and assessment, contact RSI Security today.