The ranks of compliance regulations continue to expand, making it confusing and time-consuming for companies to navigate the audit landscape. From PCI DSS to SOC 2 to NYDFS to SOX, companies face a growing list of standards and certifications but no central repository to aggregate, much less organize, all of them. To address this, the healthcare industry established the Health Information Trust Alliance (HITRUST), which designed the Common Security Framework (CSF) assessment to consolidate the compliance process.
Curious as to how often you need a HITRUST CSF assessment report to stay compliant? Read on to find out now!
How Did HITRUST Start?
HITRUST came into existence in 2007. The non-profit entity developed standards for protecting sensitive data, like electronic protected health information (ePHI). The HITRUST Alliance recognized that some existing regulations provided recommendations but failed to supply a realistic plan for enforcing those guidelines. HITRUST also went beyond the boundaries of one industry, seeking to include multiple industries and the third-party supply chain. The HITRUST method takes a holistic approach by incorporating assessments, methodologies, information risk management, and compliance.
Image Source: https://hitrustalliance.net/the-hitrust-approach/
What is the CSF?
The CSF, although developed by HITRUST, is not exclusively for the healthcare industry. It is one of the many methodologies and services offered by the HITRUST Alliance. It serves as a certifiable framework that is customizable based on a company’s size, type, and systems. Since HITRUST is committed to the latest technology and methods, new versions of the CSF are published periodically. The current version is 9.2. The CSF brings together requirements from different sets of standards in an attempt to make compliance more manageable for companies that access, store, or transmit sensitive data.
How Often to Get a CSF Assessment
The process for CSF certification begins with a HITRUST CSF self-assessment. This pre-assessment gives companies time to identify weaknesses and fix those issues prior to the validation assessment. Companies can begin the self-assessment process with the MyCSF tool, which helps tailor a risk mitigation plan to each company’s needs. Once the self-assessment is complete, companies should contact a CSF Assessor and complete the MyCSF documents for a validation assessment application. An assessor will then review and audit the company and, depending on the findings, issue a letter of certification.
If a company successfully receives a letter of certification, it is valid for two years. However, every company must also pass an interim review that takes place 12 months after the initial certification. The interim audit checks for any breaches or changes in the control environment. For example, if a company grew significantly over 12 months, it may require more controls than during its initial assessment. If a company fails the initial validation process, the audit report becomes a point-in-time report while the company reassesses and tries again for certification.
What is a Readiness Assessment?
A readiness assessment, also known as the HITRUST CSF self-assessment, gives companies with fewer resources the ability to complete an assessment without paying for a HITRUST assessor. In short, it’s a pre-audit. While a self-assessment does not result in a letter of certification, the findings can be collated and distributed to third parties to show what security measures are in place. Using the MyCSF tool, companies can identify the controls they should theoretically have in place. Then, they should test those controls, identify the gaps, and strengthen any weak points. Although it is recommended to pursue HITRUST certification, the readiness assessment by itself does hold value, as it provides a comprehensive report for any business partners or third parties that request one. Thus, if a company does not possess the resources to complete the entire certification, a readiness assessment is a lower-cost option.
HITRUST for Startups
HITRUST isn’t just for well-established companies. HITRUST is committed to encouraging better security from the moment a company begins. Thus, HITRUST established the Right Start program. The program begins with the HITRUST Academy, designed to educate business owners on the threats and regulations in the cybersecurity environment. Then, the program introduces how risk management is achieved through the CSF Assurance Methodology. Learning about the methodology introduces startups to emerging threats in their industries and how controls work to combat those threats. After understanding the importance of controls, HITRUST introduces the CSF and the CSF assessment platform (a SaaS platform).
The CSF encompasses categories, objectives, and specifications. There are 14 categories, 46 control objectives, and 149 control specifications. For each specification, a company will determine whether it requires implementation level one, two, or three. As the list below shows, the categories go far beyond compliance.
- Information Security Management Program
- Access Control
- Human Resources Security
- Risk Management
- Security Policy
- Organization of Information Security
- Asset Management
- Physical and Environmental Security
- Communications and Operations Management
- Information Systems Acquisition, Development, and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Privacy Practices
What’s Included in Each Control
For each of the 149 controls, which are divided among the 14 categories, the CSF includes five sub-categories:
Control specifications – As is to be expected, each control comes with policies, procedures, and guidelines for how to manage or implement it. This information can range from technical to administrative to legal advice. All of the specifications combine to help achieve the objective under which the control falls.
Risk factor – The risk factor identifies the security threats that the control is designed to combat. The risk factor, whether dealing with organizational, system, or regulatory issues, will help determine what level of control is necessary.
Implementation requirement – These requirements guide companies through how to enact each control. Each control can be implemented at one of three levels. Level one, the base requirement, follows general industry standards. Levels two and three include the precautions of the previous level but increase in intensity based on the risk level.
Guidance – The MyCSF tool gives companies guidance and the ability to request assistance with conducting an assessment. The online platform assists with the review of documentation, personnel, and technical implementation. The assessment guidance can be found under the title Illustrative Procedures on the MyCSF platform.
Standard mapping – Standard mapping helps companies relate the CSF controls to other compliance standards.
Components of CSF Mapping
As mentioned above, the CSF attempts to consolidate the compliance process, making it easier for companies to fulfill multiple standards in one process. CSF achieves this through its mapping process, which maps CSF controls to each of the regulation sets. This process shows where different business partner compliance requirements overlap. For example, HIPAA and PCI regulations are common standards vendors will have to fulfill. The HITRUST process makes it easier for vendors and covered entities alike to achieve compliance.
Image Source: https://datica.com/academy/what-is-hitrust/
3 Implementation Levels
The CSF implementation levels range from one to three, with one being the absolute minimum. Because CSF controls are chosen based on risk, a company will typically have controls at various levels. This differs from HIPAA, which uses a one-size-fits-all method for establishing reasonable and appropriate controls. Because HIPAA provides no clarification on what reasonable and appropriate controls are, enforcement becomes difficult. In contrast, the CSF provides a standardized assessment process that then determines the flexible implementation levels.
Is Certification Worth the Effort?
- The comprehensive HITRUST CSF process covers ISO, NIST, PCI, HIPAA, GDPR, and state laws. More importantly, it’s dynamic: as states or countries create new regulations, HITRUST releases a new CSF version.
- The CSF takes into account the size, risk, and type of the company seeking certification.
- The CSF prescribes requirements based on an assessment rather than providing only vague suggestions.
- The CSF adapts annually to industry changes that may alter the controls necessary or the risks affecting a company.
How Long Does Certification Take?
At the outset of the compliance process, the first question one might ask is how long it will take. As with every security process, it takes time and a certain level of patience. The HITRUST certification timeline depends largely on how many security measures are already in place and on the readiness level of the company. Depending on the size of the company, the initial CSF self-assessment may take two to eight weeks. For the official HITRUST validation assessment, the minimum audit period is eight weeks. Overall, the process will take approximately three to four months.
CSF Version 9 Updates
The HITRUST Alliance released the latest CSF version, 9.2, in January 2019. The update addresses new international security regulations and the interest of other industries in a comprehensive, consolidated compliance process. Since the CSF initially began with a focus on the healthcare industry, many of the controls listed originated from healthcare-related regulations (like HIPAA). However, the new version separates the healthcare controls into an industry-specific category, making it easier for non-healthcare companies to identify the controls relevant to their industry. The new version also makes the language more industry neutral. Instead of using Personal Health Information (PHI) as the main purpose of implementing protection, the new version references “covered information.” While it may seem like a minute change, it expands the applicability of the CSF.
The early version of the CSF centered on healthcare standards, including ISO, NIST, PCI, HIPAA, and COBIT. Some industries have standards, but not all do. The travel industry and entertainment industry have been somewhat overlooked in terms of developing security standards and auditing. Consequently, HITRUST is looking to expand into those industries and provide a security certification that holds weight across industries. Actively seeking certification will give a company an advantage by lending credibility through information protection.
The Importance of Scope
For someone new to the CSF, achieving certification may seem overwhelming. However, the key to successfully achieving CSF certification lies in narrowing the scope of the audit. For example, certifying a whole company in one shot would be extremely time-consuming and most likely inefficient. Rather than attempting such a large job, it’s more manageable to certify a department.
How to Narrow the Scope
The first step is to analyze the system and control boundaries. Where do systems overlap? Which systems involve the information you want to protect? Where is data stored? What data is transferred? Which systems or platforms give clients access to data? These questions establish where your company’s system boundaries lie.
The next step is to define the control boundaries. What measures are in place to maintain your systems? Is a monitoring program in place? What threats could affect your systems? Is patch management incorporated into security procedures?
Since protecting data is the primary goal of the CSF, understanding the data flow within your company will assist greatly in narrowing the scope of certification. By using the following documentation to identify the data flow, companies will be one step closer to finding system weaknesses and addressing the risk environment.
- Data flow diagram – The interconnected nature of networks means threats come largely from the interactions between applications and shared infrastructure platforms. Data flow diagrams originally emerged from engineering, but for cybersecurity purposes a data process flow diagram will prove more beneficial. Rather than focusing on high-level issues (as the engineering data flow models do), a process flow model looks at use cases through the lens of an attacker.
- Network diagram – A visual representation of a network gives threat assessors a better, more tangible understanding of how items are connected. Any such diagram should identify cloud platforms, workstations, clients, nodes, servers, mainframes, connection devices, and peripheral devices (like printers).
- System inventory and system management procedures – This documentation records which systems are in use and which monitoring tools are used to identify irregular patterns in system activity. There are many free and subscription-based tools available for beginning a system inventory, which helps relieve the burden on IT departments.
The HITRUST Alliance has done a lot toward changing the way companies approach the compliance process. As it continues to evolve, the CSF will become more applicable to industries outside the healthcare environment, making compliance easier for large and small companies. If you’re interested in learning more about the HITRUST CSF process, contact RSI Security today.