hitrust csf

HITRUST, HIPAA, & HITECH
TURNING COMPLIANCE INTO COMPETITIVE ADVANTAGE
Mark Fulford, Partner
Thomas Lewis, Partner
LBMC Risk Services
www.lbmc.com
Welcome and Presentation Topics
• Why you should care
• HIPAA & HITECH - update on new regulation
• Insight into the HITRUST Common Security Framework
• How independent assurance can result in fewer audits and a competitive advantage for your organization
• How LBMC can help
90% of organizations have experienced a computer security incident in the last 12 months.
(Cybercrime statistics from the 12th Annual Computer Crime and Security Survey)

71% of organizations have no external insurance coverage for losses from computer security incidents.
(Cybercrime statistics from the 12th Annual Computer Crime and Security Survey)

$1B in annual cybercrime profits, which have surpassed those of drug smuggling.
(Cybercrime statistics from the 12th Annual Computer Crime and Security Survey)

$234,244 average annual loss due to security incidents per respondent.
(Cybercrime statistics from the 2009 CSI Computer Crime and Security Survey)
What is HIPAA?
What is HITECH?
The HITECH Act is legislation that anticipates a
massive expansion in the exchange of electronic
protected health information (ePHI). As part of the
American Recovery and Reinvestment Act of 2009,
the HITECH Act widens the scope of privacy and
security protections available under HIPAA; increases
potential legal liability for non-compliance; and
provides more enforcement of HIPAA rules.
What is HITECH?
• Extends HIPAA directly to Business Associates
• Establishes the first national data security breach notification law (a breach affecting 500 or more individuals must also be reported to HHS and to the media, and is posted publicly by HHS)
• Grants State Attorneys General authority to bring civil actions
What is HITECH?
• HITECH authorizes increased civil monetary penalties for HIPAA violations. The Act establishes tiers of penalties based on culpability: whether the covered entity (including physicians) knew, or with reasonable diligence would have known, of the violation; whether the violation was due to reasonable cause and not willful neglect; and, where it was due to willful neglect, whether it was corrected within 30 days.
• The tiers of penalties are as follows:
– Did not know (and could not reasonably have known): $100/violation, not to exceed $25,000/calendar year for identical violations.
– Reasonable cause, not willful neglect: $1,000/violation, not to exceed $100,000/calendar year.
– Willful neglect, corrected within 30 days: $10,000/violation, not to exceed $250,000/calendar year.
– Willful neglect, not corrected: $50,000/violation, not to exceed $1,500,000/calendar year.
What is HITRUST?
• The Health Information Trust Alliance (HITRUST) has been
created to establish a common security framework that will
allow for more effective and secure access, storage and
exchange of personal health information. HITRUST is
bringing together a broad array of healthcare
organizations and stakeholders, who are united by the
core belief that standardizing a higher level of security will
build greater trust in the electronic flow of information
through the healthcare system.
Strategic Objectives of HITRUST
Establish a fundamental and holistic change in the way the healthcare
industry manages information security risks:
• Rationalize regulations and standards into a single overarching framework
tailored for the industry
• Deliver a prescriptive, scalable and certifiable process
• Address inconsistent approaches to certification, risk acceptance and adoption
of compensating controls to eliminate ambiguity in the process
• Enable ability to cost-effectively monitor compliance of organizational, business
partner and governmental requirements
• Provide support and facilitate sharing of ideas, feedback and experiences within
the industry
Who is HITRUST?
[Figure: HITRUST Executive Council members]
Why the Need?
Healthcare organizations are facing multiple
challenges with regards to information security:
• Costs and complexities of redundant and
inconsistent requirements and standards
• Critical systems not incorporating appropriate
controls or safeguards
• Confusion around implementation and acceptable
baseline controls
• Information security audits subject to different
interpretations of control objectives and
safeguards
• Increasing scrutiny and similar queries from regulators, auditors, underwriters, customers and business partners
• Growing risk and liability
“The List” (the HHS Office for Civil Rights posting of reported breaches affecting 500 or more individuals)
www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html
HITRUST CSF
The HITRUST CSF is a framework that normalizes the security requirements of healthcare
organizations, including federal (e.g., HITECH Act and HIPAA), state (e.g., MA 201 CMR 17.00),
third party (e.g., PCI and COBIT) and government (e.g., NIST, FTC and CMS).
The CSF is built to provide scalable security requirements based on the different risks and
exposures of organizations in the industry.
The CSF also makes security manageable and practical by prioritizing one-third of the controls
in the CSF as a starting point for organizations. These priorities are based on industry input
and analysis of breach information in the industry.
Standards and Regulations Overlap
[Figure: Venn diagram of overlapping standards and regulations: COBIT, ISO 27001/2, HITECH Act, PCI, HIPAA Security, Meaningful Use, States, NIST]

CSF Standards and Regs Coverage
[Figure: the same standards and regulations (COBIT, ISO 27001/2, HITECH Act, HIPAA Security, Meaningful Use, PCI, States, NIST) shown enclosed by the HITRUST CSF]
CSF Compared with Other Standards

Requirement                                                        | CSF  | COBIT  | PCI  | ISO     | NIST | HIPAA
-------------------------------------------------------------------|------|--------|------|---------|------|--------
Comprehensive – general security                                   | Yes  | Yes    | Yes  | Yes     | Yes  | Partial
Comprehensive – regulatory, statutory, and business security reqs. | Yes  | No     | No   | No      | No   | No
Prescriptive                                                       | Yes  | No     | Yes  | Partial | Yes  | No
Practical and scalable                                             | Yes  | Yes    | No   | No      | No   | Yes
Audit or assessment guidelines                                     | Yes  | Yes    | Yes  | Yes     | Yes  | No
Certifiable                                                        | Yes  | Yes    | Yes  | Yes     | No*  | No
Support for third-party assurance                                  | Yes  | Yes    | Yes  | Yes     | No   | No
Open and transparent update process                                | Yes  | No     | Yes  | Yes     | Yes  | Yes
Cost                                                               | Free | Subsc. | Free | Subsc.  | Free | Free

*Certifiable only for government agencies and organizations doing business with the government
CSF Sample
• Structured in accordance with the ISO 27001 / 27002 standard
• Multiple levels of implementation requirements
• Risk factors tailored for healthcare organizations
• Cross-references to industry standards and regulations
Introduction to CSF Assurance Program
Overview of CSF Assurance Program
• Utilizes a common set of information security requirements with standardized assessment
and reporting processes accepted and adopted by healthcare organizations.
• Through the program, healthcare organizations and their business associates can improve
efficiencies and reduce the number and costs of security assessments.
• The oversight and governance provided by HITRUST support a process whereby
organizations can trust that their third parties have essential security controls in place.
Strategic Objectives of CSF Assurance Program
Provide assurance that controls to limit the exposure of a breach are in place and operating effectively. Recipients of this assurance include:
• Executive management
• Auditors
• Federal and state regulators
• Customers of business associates
Simplify compliance efforts for organizations:
• Assess once and report to many constituents:
- Federal (e.g., HIPAA/HITECH or meaningful use information) and state regulators
- Credit card companies (i.e., PCI requirements)
- CMS (i.e., Core Security Requirements)
- Internal or external auditors
• Comprehensively leverage assessments (i.e., leverage internal audit or other certifications such as PCI to streamline audits and testing)
Provide this assurance in a more cost-effective manner and with more rigor than existing processes
Resources
HITRUST Central (HITRUSTcentral.net)
Access to the CSF online.
A professional network for:
• Understanding industry issues and events
• Sharing knowledge
• Exchanging ideas and best practices
• Discovering new ways to solve business problems
• Downloading documentation and training materials
Providing support:
• What does this control mean?
• How do I implement these requirements?
• What do I do if I cannot meet a requirement?
Additional Resources
Visit HITRUSTalliance.net for
information and materials on:
• Common Security Framework www.hitrustalliance.net/csf/
• CSF Assurance Program www.hitrustalliance.net/assurance/
For More Information
For more information on HITRUST and the CSF visit:
www.HITRUSTalliance.net/csf/
To access the CSF and HITRUST Central visit:
www.HITRUSTCentral.net
For a list of HITRUST CSF Assessors visit:
www.hitrustalliance.net/Assessors_List.pdf
For assistance, contact:
Thomas Lewis – tlewis@lbmc.com
Mark Fulford – mfulford@lbmc.com