The HITRUST Common Security Framework: Not Just for Healthcare Anymore

Andybarratt 70px jpg

Andrew Barratt

Managing Director, Europe

The HITRUST 2019 conference took place last month in Dallas, Texas, and covered important topics such as risk management, compliance, third-party assurance, cybersecurity, medical devices, and the Internet of Things (IoT). As speakers and sponsors, we saw much enthusiasm about HITRUST Common Security Framework (CSF) validation and certification outside of the healthcare industry.

Although HITRUST has traditionally been focused on healthcare, the framework is now resonating with other industries as an enterprise risk management and/or third-party risk assurance solution. Benefits realized are the framework’s control mapping with other regulations and frameworks (e.g., GDPR, PCI, ISO, SOC), the ability to assess once/report many, and the confirmation that security is taken seriously with validation by a third-party, independent assessor. Many service providers discussed using the framework as a competitive advantage that can help them qualify for RFPs if they’re part of the HITRUST Assurance Program.

The conference opened with a panel discussion on adopting the HITRUST framework as the foundation for a solid information security program. Panelists from Mayo Clinic, Premera Blue Cross, and Shriners Hospitals for Children discussed the lessons they learned during implementation of the framework, as well as the benefits of having the HITRUST CSF in place. A big takeaway from the session was that implementing the HITRUST framework is much easier when you have buy-in from all levels of the organization. Executive leadership is needed to push implementation from the top down, and individuals must own the compliance requirements that fall within their purview. Overall, collaboration is necessary to bring it all together as a cohesive enterprise security program.

Breakout sessions during the conference covered topics of interest for enterprise and SMB organizations in all industries. For start-ups, implementing HITRUST can pose many challenges given their typical lack of resources. One session provided information for these organizations about the HITRUST Right Start Program, which can streamline the process and enable them to focus their limited resources on growth.

Several HITRUST-led sessions focused on the details of performing HITRUST assessments including sampling and scoring, shared responsibility, and general Q&A. Coalfire’s Kurt Hagerman sat on the Shared Responsibilities panel and clarified “shared” versus “joint” control ownership when it comes to customers and their cloud service providers. Understanding the differences is vital in that they provide a common industry-acceptable methodology, which results in clearer implementation and assessor guidance. These models also enable data-driven automation and ensure defensible assertions for market adoption acceptance.

A lively and spirited discussion centered around the recent changes to the Quality Assurance Program (QAP), which went into effect April 1, 2019 through a series of advisories. The changes are far more prescriptive than they have been in the past in order to drive consistency across assessment firms. As a qualified assessor firm since 2011, Coalfire places a heavy focus on the quality assurance phase of the validation process, as it’s crucial for successful certification. QAP advisories are as follows:

  • Advisory 2019-01 – Addresses changes to the HITRUST assurance methodology to ensure consistency and quality of assessments. Requires that assessors provide a more detailed overview of in-scope systems, out-of-scope systems, and those partially in scope. It was agreed that scoping is the most difficult part of performing a HITRUST CSF assessment and a critical component of completing HITRUST QA successfully.
  • Advisory 2019-02 – Requires that 50% of all assessments be performed by a certified CCSFP to help ensure the quality of assessments.
  • Advisory 2019-03 – Provides expanded requirements for Organizational Overview and Scope to ensure the scope, risk, and boundaries are defined before performing the assessment. This advisory is tied closely to the new test plan requirements that describe how an assessor anticipates testing controls. Test plans are required to be tailored to the specific assessment and cannot be generic. It was reiterated that scoping is the most important part of the assessment.
  • Advisory 2019-04 – HITRUST requires two levels of QA: the Engagement Executive and the QA Resource. The QA Resource will be required to have a new HITRUST QA certification, called the Certified HITRUST Quality Professional (CHQP), for all assessments submitted after August 1, 2019.

The QAP discussion focused on the responsibilities for each level of QA, with the QA Resource expected to take on the bulk of the QA responsibilities. A QA checklist must be submitted with every assessment and signed off on by both the Engagement Executive and the QA Resource. HITRUST will review every checklist upon submission.

During the Q&A session, HITRUST confirmed they are focusing resources on enhancing the MyCSF platform to automate as many processes as possible, including uploading evidence, real-time QA, and offline assessments. These steps should help expedite the certification process for everyone.

From the pre-conference workshop that focused on the Provider Third Party Risk Management Council and its efforts to use the HITRUST CSF to manage vendor risk, to the exciting casino night and welcome reception for spending time with our clients . . . fun and education were combined for another successful HITRUST annual conference. We look forward to helping our clients prepare for certification with a readiness program and optimize the HITRUST CSF post-certification for all the benefits of a solid risk management solution.