The HITRUST Approach covers four key strategies to achieve your information security risk management and compliance goals: “Identify & Define,” “Specify,” “Implement & Manage,” and “Assess & Report.” Corrective action plans (CAPs) are categorized under Assess and Report. CAP management allows you to synthesize your collection of self-assessments, gaps in compliance, and other CAP data into a reliable, manageable, and distributable format that’s flexible for your organization’s security needs.
Choosing the Right HITRUST Corrective Action Plan Strategy
HITRUST provides the framework and assessment tools to maintain HITRUST CSF certification and compliance with globally recognized regulations and standards. The HITRUST Common Security Framework (CSF) maps its controls to the various regulations governing industries and operational activities, which streamlines organizational adherence to all of them at once.
CAP management strategies demonstrate to auditors your ongoing compliance gap remediation efforts. Consider these areas when developing a corrective action plan management strategy:
- What elements of a corrective action plan are necessary for your needs?
- Which additional benefits of CAP management are most valuable for you?
Which Corrective Action Plan Strategy Elements Are Most Critical?
A corrective action plan (CAP) is a multi-step process designed to systematically address operational errors or deficiencies that create unsuccessful outcomes for normal business activities. When developing your CAP management strategy, ensure the following are addressed:
- Strengthening measures wherever legal and compliance requirements are insufficiently implemented
- Evaluating processes to identify and eliminate any unnecessary or inefficient actions
- Remediating discovered issues
- Measuring improvement for any defined high-priority processes
The Benefits of Third-Party CAP Management Assistance
Working with an external service provider lets you tailor these processes to your organization’s specific needs, your clients, and your risk environment. However, for this partnership to be successful, you’ll need:
- A dedicated team for CAP development—whether fully outsourced or a hybrid consisting of some in-house personnel—integrated with overall security and compliance efforts
- Thorough root cause analysis (RCA) for all identified threats, risks, or vulnerabilities
- Clear deadlines and milestones, updated in real time throughout the process
- Corrective action review and modification, including external verification if necessary
If your organization is subject to strict compliance frameworks (e.g., HIPAA, CMMC, PCI DSS), you need the means to show regulatory agencies, clients, and other stakeholders that you take risk management and compliance seriously. Partnering with a HITRUST-approved third-party assessor will help your organization achieve a CSF Validated or Certified Report—the two levels of certified HITRUST accreditation available.
For non-certified self-assessments, the HITRUST MyCSF tool optimizes all data collection and reporting infrastructure to streamline evaluations and initial gap remediation planning.
Optimizing Critical CAP Management Components with HITRUST MyCSF
The MyCSF is an extension of the HITRUST CSF, which exists to streamline all elements of cybersecurity and compliance. As such, it facilitates CAP generation and implementation for compliance and general security needs. HITRUST MyCSF is the ideal CAP management tool.
A key component of MyCSF is the CAP Management module, including the following functions:
- Implement and manage one or more CAP policies
- Perform compliance assessments at different stages
- Streamline corrective action activities across policies
- Track and report on compliance to multiple stakeholders
Organizations beginning to implement the HITRUST framework should work with a dedicated HITRUST CSF compliance partner to get the most out of the “assess once, report many” approach.
The CSF framework provides comprehensive guidance and structure for compliance with authoritative sources governing information security across industries. Initially optimized for HIPAA, the current version of the CSF (version 9.5) covers compliance for processing credit card payments (i.e., PCI DSS) and various industry-specific regulations (e.g., NIST and CMMC for DoD contracts). Accordingly, MyCSF’s updates now facilitate increased mapping and assessment capabilities.
Which Other Elements of CAP Management are Most Beneficial?
In a MyCSF assessment, CAPs are generated for every area deemed insufficient for HITRUST certification, which does not necessarily indicate noncompliance with HIPAA or other regulatory frameworks. HITRUST certification is not a legal requirement, but it may be an explicit requirement via contract with a given client or a de facto requirement based on industry or location.
In any case, a MyCSF assessment can generate insights into all legally binding compliance requirements and potential threats of noncompliance before they occur.
Especially in the case of a regulation like HIPAA, knowing how and when a breach of the Privacy or Security Rule could happen is critical to preventing it or preparing for necessary communications, per the Breach Notification Rule. The Security Rule explicitly requires organizations to perform periodic risk assessments to prepare for these potential breaches (i.e., improper use or disclosure of protected health information).
This level of preparation is also critical to successful and impactful CAP implementation. The sooner a flaw is recognized, the more quickly and comprehensively it can be remediated, which is why HITRUST MyCSF-enabled self-assessments matter.
Other Benefits of HITRUST MyCSF for Effective CAP Management
The CAP management module in MyCSF assigns scores and ratings immediately upon your request for a CAP. This guidance informs remediation efforts and their prioritization.
There are four primary factors HITRUST MyCSF uses to achieve process improvement:
- Point of Contact – Delineating who is responsible for policy oversight
- Required Resources – Including both personnel and financial resources
- CAP steps and Milestones – Defined clearly and adjusted over time, as needed
- Expected and Actual Completion – Adjusted in real time during implementation
The HITRUST CSF receives frequent updates, and the same is true for the MyCSF tool. There are currently 22 active features, with a new dashboard in beta testing. Some of the benefits you can take advantage of, especially if working with a security program advisor, are the following:
- Results Distribution System (RDS) – Once your assessment is complete, share it securely through a portal where other stakeholders can review your compliance status.
- MyCSF Compliance and Reporting Pack for HIPAA – An automatic compilation of evidence that indicates compliance with HIPAA, optimized to HHS reporting standards.
Just as HITRUST CSF is not only for healthcare organizations, HITRUST CAP management is also widely applicable to organizations across all industries and operational activities.
Case Study: New Haven Health Department’s CAP Management
To understand how impactful a MyCSF-assisted CAP management strategy can be, let’s look into a case of alleged noncompliance with HIPAA regulations for the City of New Haven Health Department (NHHD), as reported by the Office for Civil Rights (OCR) within the HHS. The OCR enforces HIPAA penalties—alongside the Department of Justice (DOJ) in extreme cases.
In 2016, the NHHD experienced a data breach impacting protected health information (PHI) and notified the HHS, as required. Per the OCR investigation, the breach was caused by a terminated employee removing both digital and hard copies of PHI. The credentials used to access PHI should have been deactivated upon termination.
As a result, the OCR ultimately assessed a fine of $202,400 for the following HIPAA violations and covered conduct, measured between December 2014 and December 2018:
- Unauthorized PHI disclosure of at least 498 individuals
- Failure to implement privacy policies to prevent exposure
- Failure to assess risks and vulnerabilities to PHI under control
- Failure to secure personnel user accounts post-termination
- Failure to implement user tracking and accountability measures
Beyond the fine, a critical component of the OCR’s resolution was that NHHD agreed to implement a comprehensive corrective action plan that included the following five items, at a minimum:
- Risk analysis (threats and vulnerabilities)
- Development of policies and procedures
- Distribution of policies and procedures
- Cybersecurity awareness training
- Reportable event monitoring
Additionally, the CAP included designated points of contact within NHHD and various timelines to address the items listed above. Whether NHHD pursued a HITRUST CSF-informed CAP to meet these requirements is not known. However, the MyCSF tool would have greatly assisted NHHD’s efforts.
In particular, HITRUST MyCSF enables integration of risk analysis protocols, which could in turn facilitate risk-informed policies and procedures. These could then be disseminated through a central training and communication hub, optimizing visibility over potentially reportable events.
What happened to NHHD could happen to any organization—beyond HIPAA compliance, data breaches remain a general security concern. Working with a trusted cyberdefense and compliance partner minimizes the likelihood and potential impact of all such incidents.
RSI Security: Professional HITRUST Advisory and Certification
HITRUST corrective action plans are immensely beneficial for resolving compliance gaps or other cybersecurity vulnerabilities, especially when using the MyCSF tool. Working with a dedicated HITRUST advisory partner can help align your organizational strategies and leverage MyCSF to assess and report on CAP progress.
A purely self-assessed CAP management strategy can be effective, but you’re likely to see optimal ROI by partnering with HITRUST CSF experts. Additionally, achieving a CSF Validated or Certified Report requires a third-party assessment from a HITRUST-authorized organization such as RSI Security.
To get started developing and implementing a CAP strategy tailored to your specific needs, contact RSI Security today!