Healthcare is a complicated topic. When the term is raised, the altruists among us focus on helping their fellow man. But like any endeavor managed by people, there is a business aspect to it. The business of healthcare faces the same problems as other types of businesses: it must operate efficiently and securely, and it must offer something that its competitors don't. Adding to these pressures, governments impose regulatory requirements, including requirements for the security and privacy of patient data.
The HITRUST Alliance has responded to some of these business needs by developing a framework, a set of tools, and a HITRUST certification process that lets an organization demonstrate to patients and business partners a defined level of trust and compliance in the secure handling of their data. In the paragraphs that follow we will consider one approach to these business pressures and the potential roadblocks to success.
What is a HITRUST Report? What are the Different Types of Assessments?
The HITRUST Alliance has recognized the unique needs of the healthcare industry and, with the collaboration of industry leaders, developed a standardized approach to assessing an organization’s risk posture. If the organization meets this standard, a certification can be used to assure business partners that a high level of security and privacy practices are in place.
To meet this standard, organizations must go through an arduous process that ends with a validated assessment performed by an approved third-party assessor, a review of that assessment by HITRUST, and, if successful, certification. Organizations often find gaps that must be addressed before certification can be achieved. Almost always, these organizations complete a self-assessment against their specific HITRUST requirements before attempting the validated assessment.
Pitfall 1 – Improper Scoping – Requirements
What is MyCSF?
The HITRUST CSF (Common Security Framework) is the embodiment of this standard. It includes a pool of requirements that has been refined over several years. Just how many HITRUST controls are there? The pool has just under 2,000 requirements, but don't panic: only a small percentage of these will remain after the scoping step described below. The framework is accessed through a web interface called MyCSF. Think of MyCSF as an empty desk waiting to have all the documents for a project put into its drawers, while providing mechanisms to evaluate and grade those documents.
The first step in either a validated assessment or a self-assessment is to scope the assessment. You may ask yourself: "What is required for HITRUST certification?" The scoping step identifies which requirements pertain to your organization and are therefore needed for certification. MyCSF presents a series of questions and, from the responses, builds the pool of requirements. These questions include things like "How big is the organization?", "What type of organization is it?", "Do you need to include state regulatory requirements?", "Do you use hardware tokens for multi-factor authentication?", and "Where is covered data stored, processed, or transmitted?"
While these questions seem simple enough, your responses have significant implications. Some questions are very straightforward. For example, your type of organization is not going to change based on how you answer other questions; if you are an IT service provider, you are not likely to reclassify yourself as a health information exchange. But other questions can change depending on where in the organization you apply them. If you use hardware tokens for authentication in the corporate office only, and the office is not in scope for the assessment, answering yes to this question will add several requirements that do not really pertain to the in-scope environment.
There are a number of questions regarding access to the environment from the internet, public networks, or kiosks. Again, these responses require careful consideration of which systems and networks are in scope. It goes without saying that every question must be answered truthfully. But for many of these questions, either yes or no can be the truthful answer, depending on the scope you have defined.
Pitfall 2 – Improper Scoping – Where to Apply the Requirements
Pitfall 2 is related to pitfall 1. Once you have answered all the scoping questions correctly, you will generate the set of requirements that really defines the assessment. Pitfall 2 occurs when you apply a requirement to a system or network that should be out of scope, or fail to apply it to one that should be in scope.
One way to determine which systems or networks are in scope is to review an accurate network and data-flow diagram. Find the heart of the environment, the place where the service you want to certify is hosted. Look for where the covered data is stored, processed, or transmitted. Are there dedicated security boundaries between the in-scope systems and the system in question? If there is no firewall or other security mechanism restricting or controlling data flow or access, then the system in question is likely to be in scope.
For example, if the service you wish to certify is hosted in your data center and you have an employee-only wireless network in the office, is the wireless network in scope? The answer depends on several questions. Can a wireless user directly access covered data from a laptop? Are there controls in place, such as VDI or terminal server interfaces, that must be used to reach the data? Does the wireless user have to connect through a VPN before covered data can be accessed? All of these determine whether the wireless network should be considered during the assessment.
Pitfall 3 – Evaluation and Scoring
I am going to state right up front that HITRUST scoring involves high-level mathematics and maybe some good ole Kentucky windage. Each HITRUST requirement is scored from five different perspectives.
Each perspective carries a weight, and the weights sum to 100%. During an assessment, each perspective is assigned one of 0%, 25%, 50%, 75%, or 100%, or the special value N/A (not applicable). Each of these levels has specific criteria that must be met before it can be claimed.
One of the approaches I have used in helping organizations prepare to perform their own, unassisted self-assessments is to walk through several typical requirements and evaluate and score real evidence from their environment. It is very easy for a first-timer to over-rate their position and underestimate the requirement. To remove a lot of confusion and improve alignment with what HITRUST expects, I refer to a table published by HITRUST called the scoring rubric.
The scoring rubric is a grid of the five perspectives against the six possible scores. Each cell holds the definition that must be satisfied to claim that score for that perspective. Any deviation from the rubric during the self-assessment will widen the gap between the self-assessment scores and the validated assessment scores.
Pitfall 4 – Misunderstanding HITRUST expectations
The HITRUST CSF includes specific terms, concepts, and expectations that the first-time user may not appreciate. Terms like measured, managed, metric, independent, and operational all have very specific meanings, and those meanings can change with context. It is important to apply the expected definition of each term, just as the third-party assessor will.
For example, one aspect of a requirement is how well the organization "measures" the effectiveness of the control. An organization might do this by reviewing a report. It is important to know who generates the report, how often it is reviewed, and what it includes. If the report is generated by the team that manages the control, the measurement is considered operational rather than independent, and the achievable score is capped. If the report is run on a regular cycle, such as weekly, and it yields a number that can be tracked from cycle to cycle, it can be considered a "metric". Metrics have a higher possible score than a simple measurement.
HITRUST assessments, both self and validated, are complicated efforts, and accuracy improves only with experience. Each of these pitfalls is typical of what many organizations, big and small, encounter during a self-assessment. One large and well-known Seattle-based organization I have worked with does a self-assessment every year to ensure it is prepared for changes in HITRUST and in its own environment. It has done this since its first foray into HITRUST, has learned from each self-assessment, and has refined both its controls and its ability to evaluate them against HITRUST. Its self-assessment scores are now very close to the third-party assessor's scores.
While some organizations have the expertise to perform a HITRUST self-assessment without guidance, most are not as lucky. It is important to remember that these are common pitfalls. Each of them can seriously jeopardize the accuracy, and therefore the usefulness, of the self-assessment and widen the gap between its scores and the validated scores.
I think the chief takeaway from this experience is that a self-assessment is a great way to start the HITRUST journey, but it must be done carefully. If you are considering HITRUST, and specifically a self-assessment, consider engaging an experienced third party to help you avoid these pitfalls.
Terry L. Dalby is an experienced senior assessor and security engineer who has held principal technical roles for healthcare organizations and several large enterprises and service providers. He has consulted for organizations from virtually every sector, performing risk assessments, policy reviews, forensics, and security program development. Dalby has earned multiple security-related certifications, including HCISPP, CISSP, CISA, CISM, CRISC, and CCSK, as well as vendor certifications from Microsoft, Cisco, and Check Point. He has a BS in Electronics Technology from Northern Michigan University (Summa Cum Laude).