Understanding the HITRUST Common Security Framework: Why, What and How
Educational Webcast - September 16, 2008

Welcome
Faculty
• Moderator
  • Russell Pierce, Chief Information Security Officer, CVS Caremark
• Presenters and panelists
  • Cliff Baker, Director – Health Information Technology, PricewaterhouseCoopers
  • Brian Fuller, Director – Information Security Practice, BearingPoint
  • Michael Cook, Manager – Risk Management, Humana
  • Michael Frederick, Director of Information Security and CISO, Baylor Health Care System
Need for a Common Security Framework
• CVS Caremark perspective
• Quick facts
  • 190,000 employees
  • Approximately $80 billion in annual revenue
  • No. 1 provider of prescriptions in the nation – more than 1 billion prescriptions filled or managed annually
  • No. 1 specialty pharmacy
  • 6,300 CVS/pharmacy stores in 40 states
  • 4+ million customers per day shop at a CVS/pharmacy store
  • No. 1 retail medical clinic operator – 500+ MinuteClinic locations in 25 states
  • More than 1.8 million MinuteClinic patient visits
Need for a Common Security Framework
• CVS Caremark perspective
• Facing multiple challenges with regard to information security:
  • Costs and complexities of redundant and inconsistent requirements and standards
  • Multiple certifications (internal and external)
  • Business partner review and certification
  • Confusion around implementation and acceptable baseline controls
  • Information security audits subject to different interpretations of control objectives and safeguards
  • Increasing scrutiny from regulators, auditors, underwriters and customers
  • Growing risk and liability associated with information protection
Industry Needs to Take Action
• Healthcare organizations need to better address information security
• The industry needs to identify and adopt a single approach to information security:
  • A model that meets the needs of the entire organization
  • A model that scales based on risk and complexity
    • Applicable
    • Practical
  • A model that is certifiable
  • Provides clarity and understanding (prescriptive)
  • Addresses the risks and requirements associated with business partners
HITRUST Common Security Framework Components (slide diagram, recovered as text)
• Components
  • Information Security Implementation Manual
  • Standards and Regulations Cross-Reference Matrix
  • Readiness Assessment Toolkit
• Processes
  • Self-Assessment Process
  • Certification Process
• Standards and materials leveraged
  • Control objectives – primary reference: ISO/IEC 27002:2005
  • Information Security Management System – primary reference: ISO/IEC 27001:2005
  • Implementation standards – NIST 800 series; U.S. healthcare industry implementation standards; HITRUST member experience
  • Health informatics – ISO 27799
  • Others
HITRUST Common Security Framework
The HITRUST Common Security Framework (CSF) is a comprehensive set of tools developed to aid organizations that create, store, access or exchange electronic health and other sensitive information in protecting their information assets and managing the related risks, costs and complexities. The CSF is comprised of three components:
• The Information Security Implementation Manual: a certifiable, best-practice-based specification that includes required security governance practices (e.g., organization, policies) and security control practices (e.g., people, process, technology), and that scales according to the type, size and complexity of each organization to provide prescriptive implementation guidance
• The Standards and Regulations Cross-Reference Matrix: a tool to help reconcile the framework with the common and differing aspects of generally adopted standards
• The Readiness Assessment Toolkit: a toolkit that enables assessment (self or third party) and scoring of an organization's information security environment against the Information Security Implementation Manual
HITRUST CSF Info. Sec. Implementation Manual Example
• Design
  • Prescriptive, to ensure clarity
  • Certifiable, to enable common understanding and acceptance
  • Scales according to the type, size and complexity of an organization
  • Designed to address business requirements specific to each segment of the industry. These segments include:
    • Health plan/PBM, provider
    • Pharmacy, pharmaceutical manufacturer
    • Data network/clearinghouse
  • Risk-based approach, to allow organizations to identify the appropriate level of controls. This includes:
    • Risk contributing factors – elements that drive risk in an organization
    • Multiple levels of implementation requirements, determined by risks and thresholds
  • Leverages existing globally recognized standards and avoids introducing additional redundancy and ambiguity into the industry
HITRUST CSF Info. Sec. Implementation Manual Example (five slides of sample manual pages; the page images are not reproduced here)
Benefits
• Standardizing on a higher level of security will build greater trust in the electronic flow of information through the healthcare system.
• The common security framework will also provide greater risk protection by:
  • Reducing risk: reduce risk, cost and confusion by incorporating best practices and loss experiences
  • Increasing confidence: increase confidence in the industry's ability to address information security, and streamline interactions with consumers, regulators and legislators
  • Measuring costs: establish a single benchmark for organizations to facilitate internal and external measurement
  • Reducing complexity: reduce the number, complexity and degree of variation in the security audits or reviews that organizations impose upon their trading partners; in effect, establishing trust through certification
• Being trusted, and being able to trust business partners, with respect to information security
Regulatory Conformity
• Health Insurance Portability and Accountability Act (HIPAA)
  • Privacy Rule
    • Provides a means for covered entities to implement reasonable and appropriate safeguards for the protection of Protected Health Information (PHI)
  • Security Rule
    • Addresses the Security Rule's requirements
    • Demonstrates a prudent and comprehensive approach towards compliance
    • Certifiable standards that map to all elements of the Security Rule
    • Provides a framework that matches the "process" elements of the Security Rule with measurable and effective security standards
• Industry and regulator benefits
  • Provides a standardized approach for business associates to meet contractual obligations
  • Permits covered entities to meet due diligence standards for business associates
  • Provides a framework for health information exchange networks to use as a model
  • Provides regulators with an easy means of reviewing a compliance approach, by standardizing the approach to security documentation
  • Also provides a means to meet the requirements of other regulations, such as Sarbanes-Oxley
Standards Based
• The HITRUST CSF adds measurable value by integrating and enhancing (adding context and/or clarifying) specific components of U.S. and international standards:
  • ISO's control framework (ISO/IEC 27001/27002)
  • NIST's control implementation and audit procedures (SP 800-66, SP 800-53)
  • PCI's prescriptive security controls (PCI DSS)
  • COBIT's business process focus (COBIT 4.0)
  • ITIL's definitions
  • HIPAA's regulatory requirements
• Broad and diverse membership allows the HITRUST CSF to accommodate the best industry practices and standards:
  • Providers, health plans, pharmacies, PBMs and manufacturers
  • Professional services firms
  • Information security and technology vendors
• The final result is a tailored, comprehensive, scalable and certifiable security framework for organizations that handle personal health information
Why HITRUST CSF over existing information security options?
• Provides a benchmark for the healthcare industry's adoption of information security
• Provides a healthcare-specific industry implementation standard established through a comprehensive process, including best practices, regulations and existing standards
• Evolves based on industry practices, standards and experiences
• Incorporates business requirements specific to each segment of the healthcare industry
• Certifiable, to ensure compliance, common understanding and acceptance
• Prescriptive, to ensure clarity and measurement
• Provides an accreditation and certification process to drive transparency and adoption of baseline information security controls
• Follows a risk-based approach, to allow security controls to be prioritized based on risk
• Extensible, to allow compliance in other areas such as Sarbanes-Oxley and PCI
Questions and Answers Session

A replay of today's session will be available within the next 3 days at www.HITRUSTalliance.org/webinars/2008-09-16-Understanding_CSF.php

Thank you and Additional Information
Thank you for taking the time to attend today's webinar. Additional material on the HITRUST CSF is available at www.HITRUSTalliance.org/csf. Information on the educational webcast series is available at www.HITRUSTalliance.org/webinars.