The team here at RSI Security is elated to have attended the 2022 Healthcare Information and Management Systems Society (HIMSS) conference. HIMSS ‘22 took place in Orlando, Florida, on March 14th-18th. Our team attended eye-opening events daily, sun-up to sun-down, and met with some of the most brilliant Chief Information Security Officers (CISOs) and other security professionals working in and around the healthcare industry. Read on for a recap of the event.
RSI Security’s Presence at HIMSS ‘22
Everyone from RSI Security who made the trip to Orlando valued every opportunity to learn from the healthcare and cybersecurity professionals we were able to meet. But the crowning achievement for us was being able to share our wisdom at the speaking session we led.
RSI Security’s Information Security Practice Lead, Tom Glaser, gave a dynamic presentation on the future of HITRUST CSF Assessments. In The New HITRUST Portfolio – Key Features and Benefits, Tom drew from his years of experience as a Certified HITRUST Advisor to provide insights into how organizations should prepare to achieve and maintain compliance.
Below, we’ll dive into the main points of Tom’s presentation for anyone who wasn’t able to attend. But first, we want to talk about our other favorite part of the HIMSS ‘22 experience…
VIP Networking Event at ICEBAR Orlando
On Wednesday, March 16th, RSI Security held an exclusive, VIP networking event at the one-of-a-kind ICEBAR Orlando. From around 7:30 to 10:00 PM, we hosted a mixer where HIMSS ‘22 presenters and attendees got to know each other, professionally and personally, over complimentary drinks and food. We cherish the connections we were able to make.
We talked with CISOs about cybersecurity issues facing their own organizations and the healthcare industry more broadly. And we discussed the challenges of maintaining compliance with various intersecting regulatory frameworks, like HIPAA, PCI DSS, HITRUST, and more.
Most of all, it was enlightening to meet the experts behind so many of what turned out to be our favorite presentations and panels at HIMSS ‘22—building connections we hope to maintain.
Tom Glaser’s Presentation on HITRUST
At the conference proper, RSI Security had the honor of hosting a speaking session, The New HITRUST Portfolio – Key Features and Benefits. It took place Thursday, March 17th at 11:35 AM in the Orange County Convention Center, Hall D, Booth 7143 (Lightning Session Theater).
In it, RSI Security’s Information Security Practice Lead and HITRUST Certified Assessor Tom Glaser led a riveting presentation and discussion about how HITRUST assessments work.
The three main sections of his presentation were:
- An overview of the kinds of HITRUST Certifications
- A breakdown of Assessment Scoping strategy
- A comparison to other regulatory frameworks
After a brief introduction to who we are here at RSI Security, the industries we serve, and how we fit into the HITRUST implementation and assessment landscape, Tom dove into HITRUST.
Overview of HITRUST CSF Certifications
First, Tom covered the most fundamental question: what is a HITRUST Certification? It’s an assessment verifying an organization’s implementation of the vast HITRUST CSF framework.
There are three different levels at which Certifications are awarded, which we’ll touch on below.
Unlike some other regulatory compliance frameworks, HITRUST is not necessarily legally required for all entities in and adjacent to healthcare. In many cases, it’s needed because of business agreements with healthcare payors or clientele. In others, organizations choose to become CSF Certified for customer assurance, to mitigate risks, and to minimize audit fatigue.
In particular, approximately 80% of health systems utilize the HITRUST framework, and 85% of health insurers use it. With a foundation in facilitating HIPAA compliance, the HITRUST CSF framework is uniquely apt for mitigating risks in healthcare’s threat landscape, especially data breaches of PHI or PII.
It should also be noted that HITRUST is not specific to healthcare at present. Although that was true when it was first developed in 2007, it’s now used by organizations across every industry. This is at least in part because HITRUST streamlines compliance across various other regulations, such as HIPAA, PCI DSS, GDPR, CCPA, DFARS/NIST, and more.
Strategy for Scoping HITRUST Assessments
Next, Tom began to dive deeper into the specific kinds of HITRUST assessments organizations can achieve. HITRUST debuted new assessment models in 2021, updating older terminology and adding a tiered system that allows organizations more possible routes to compliance.
Scoping for a HITRUST Assessment depends entirely on the level of assessment you choose:
- Basic, Current-State (bC) – A verified self-assessment, based on 71 static controls from within the CSF framework. These assessments are the least resource-intensive and best suited for low-risk environments, as the assurance provided is relatively low.
  - No certification is granted, but the organization is well-positioned for i1 or r2.
- Implemented, 1-year Validated (i1) – A validated assessment and certification based on 219 static CSF controls. These audits are threat-adaptive, focused on more rigorous and complete implementation, with greater resource burdens and security assurance afforded.
  - Certification is granted for a period of 1 year following successful assessment.
- Risk-Based, 2-Year Validated (r2) – Validated assessments of full maturity in a wide range of dynamic controls, sometimes spanning over 2000 (about 360 are scoped on average). These assessments are the most intensive but provide maximum assurance.
  - Certification is granted for a period of 2 years following successful assessment.
Across all assessment types, the controls tested represent the same general core of Domains and assurances from within the CSF.
For example, in the area of Maturity Assessment, Domains such as Human Factors or Leadership & Governance are assessed across bC, i1, and r2. Likewise, in the area of External and Internal Vulnerabilities, all assessments touch on Network Vulnerability, Social Engineering, and Web App Security. The difference lies in how robust the security is required to be at each level.
Tom concluded this section by breaking down a timeline for a successful r2 Assessment:
- Weeks 1-3: Scoping – Produce scoping documents, inventory, and testing RFI
- Weeks 4-7: Advisory – Confirm scope, enroll in portals, and begin documentation
- Weeks 8-10: Assessment – Review documentation and evidence; report findings
- Weeks 11-12: Roadmap – Implement any repairs or remediations that are required
- After Week 12: Managed Services – Continuously test and review security systems
These phases approximate the Maturity Levels outlined in NIST 800-137 (a source text for the HITRUST CSF), charting your growth from retrospective assurance to prospective assurance.
Comparison to Other Regulatory Frameworks
Finally, Tom concluded the presentation portion of the speaking session with a side-by-side comparison of the HITRUST CSF and other widespread cybersecurity frameworks. Across 11 Requirements, only HITRUST had full coverage for all of them. Here’s the full breakdown:
The big takeaway here: HITRUST covers all requirements, where others hit most—or some.
It’s no wonder that the HITRUST CSF is far more comprehensive than many other cybersecurity frameworks. Across its 14 Control Categories, there are 49 Control Objectives and 156 Control References, each of which breaks down into individual Control Specifications, of which there are thousands. These filter into Implementation Levels, based on Maturity and other frameworks.
Looking Forward—See You Next Year!
RSI Security looks forward to attending and presenting at HIMSS again next year. Until then, we’d love to get in touch and talk about how we can help your organization rethink its security and cyberdefense systems. To get started with a consultation, contact RSI Security today!