CHIME LEAD Forum Houston - "Case Studies from the Field: Putting Cyber Security Strategies into Action" - Hitchhiker’s Guide to IT Security
A CHIME Leadership Education and Development Forum in collaboration with iHT2
Creating an Effective Cyber Security Strategy
The Hitchhiker’s Guide to IT Security
• Dan Nutkis, CEO, HITRUST
• Pamela Arora, Senior Vice President & CIO
• Aaron Miri, Chief Technology Officer
#LEAD14
Children’s Medical Center Dallas
Mission: To make life better for children
Vision: Children’s will be among the very best medical centers in the nation
Background:
• Serves fourth largest metro area in U.S.
• Highest projected growth of pediatric population over next 20 years
• Three campuses: Dallas, Plano and Southlake (Texas) with 591 licensed beds
• $1B in assets, $2B in gross revenue, AA3 bond rating
• Over 5,000 employees and 1,000 physicians
• Over 100K inpatient days, 300K outpatient visits, 100K emergency visits
• Academic affiliation with University of Texas Southwestern Medical School
• Only Level I pediatric trauma center in North Texas (1 of 22 in U.S.)
• Only U.S. pediatric hospital with six Joint Commission disease-specific certifications
• Nursing Magnet status; fewer than 10% of hospitals in the nation have achieved it
• Top 10 children’s hospital in nation (U.S. News & World Report 2009)
IT Recognition:
• 2013 HIMSS Enterprise Davies Award of Excellence Winner
• HIMSS EMR Adoption Stage 7; first hospital in Texas to achieve this level
• Top 200 U.S. companies by InformationWeek 500 for IT
• HITRUST Common Security Framework Certification
• Most Wired by Hospitals & Health Networks eight times
Overview
• Why HITRUST certification
• Certification Process
• Engagement Matrix
• Risks to Manage
• Children’s Health℠ Layers of Defense
• HITRUST Service Offerings
• Lessons Learned
The Path to HITRUST CSF Certification
What is HITRUST CSF?
• HITRUST Common Security Framework (CSF): a comprehensive set of healthcare industry best practices and compliance requirements designed to address HIPAA, HITECH, NIST, ISO and more.
• HITRUST Validated: organizations may self-evaluate their compliance standing using the HITRUST CSF framework.
• HITRUST CSF Certified: CSF Certified status represents that the organization has met HITRUST requirements and has been verified by an independent third party.
• HITRUST CSF Certification places Children’s in an elite group of organizations worldwide that have earned this certification.
• HITRUST CSF Certification required independent third-party auditing of 260 IT security checks across 19 different areas. The process took 12 months of rigorous review, physical audit and validation.
Why HITRUST Certification
Timeline:
• 1996: HIPAA
• 2009: HITECH Act
• 2009: HITRUST CSF
• 2010: OCR endorses HITRUST
• 2012: Texas HB 300
• 2013: Omnibus Final Rule
• 2013: THSA HITRUST
Demonstrate controls for HIPAA compliance:
• Fines for non-compliance can be several million dollars
• Clear framework: Common Security Framework (CSF)
• Ratified by Texas Health Services Authority (THSA)
Certification Process: HITRUST Certification
1. Self-assessment against CSF
2. Third-party assessment
3. Update and implement needed changes
4. Results submitted to HITRUST
5. HITRUST/THSA reviews and grants certification
Common Security Framework: security across an organization; Secure Texas: heightened privacy
Engagement Matrix
Role            | CSF | TX CE        | Engagement
Credentialing   |     | X            | Demonstration of process
Medical Affairs |     | X            |
HIM             |     | X            |
Legal           |     | X            | Investigation and subpoenas
Privacy         |     | X            | Breach management process
Security        | X   | X (~10% CSF) |
CSF: Owners of all controls
TX CE: Revisited policy & process
Oct. 2014 FDA Cybersecurity Guidance for Industry
Copyright © 2014 Symantec Corporation
Aligned with NIST Critical Infrastructure Framework
Identify and Protect:
Limit access to trusted users
• Timed sessions
• Layered authorization
• Role-based authentication
• Strong passwords
• Physical access control
• Controls for updates
Ensure trusted content
• Authenticate code
• Identify versions
• Secure data transfer
Detect, Respond, Recover:
• Detect and log security events
• Provide information on response to a cybersecurity event
• Protect critical functionality
• Enable retention and recovery of device configuration
Documentation:
• Hazard analysis & mitigation
  - Design considerations
  - Risks considered
  - Cybersecurity controls
• Traceability matrix
• Software updates
• Software integrity
• Cybersecurity controls
Supported by Manufacturer Hazard Analysis & Lifecycle Management Process
Input to HDO Security Risk Analysis (HIPAA, IEC 80001)
Mega Breaches
• Healthcare accounted for 44% of all data breaches in 2013
• Healthcare accounted for 1% of all the identities exposed in 2013
Top Causes of Breaches (2013, all industries vs. healthcare)
Cause                  | 2013 (all industries) | Healthcare 2013
Hackers                | 34%                   | 12%
Accidental Made Public | 29%                   | 29%
Lost/Stolen Device     | 27%                   | 49%
Insiders               | 6%                    | 6%
Fraud                  | 2%                    | 1%
Unknown                | 2%                    | 2%
The Cost of Avoidance
Price on underground economy:
• Credit card = $1-$2
• Medical record = $20
PII lost:
• Retail = 165,154,040
• Healthcare = 6,279,270
Addressing the Threat
Threats and risk areas:
• Cloud
• Hackers
• Authentication & Encryption
• Virtualization
• Cyber Threats
• Compliance
• Remote Clinics, Practitioners/Employees
• Mobile Devices
• Insider Threat
• Social Media
• Patient Engagement
• Advanced Persistent Attacks
Security capability areas:
• Mail & Web Security
• Risk & Compliance
• Infrastructure Protection
• Endpoint Management
• Identity Protection
• Information Intelligence & Encryption
• Incident Response
• Enterprise Mobility
Children’s Health Layers of Defense
Defense layers (outermost to innermost): Perimeter Defense, Internal Network Defense, Host Defense, Application Defense, Data Defense
Controls, listed in order from the perimeter inward (some appear at more than one layer):
• Firewall Management
• Virtual Private Network
• Firewall Log Monitoring
• Intrusion Prevention (IPS)
• Penetration Testing
• Secure Web Gateway/Content Filtering
• Secure Messaging Gateway/SPAM Filtering
• Network Discovery
• Network Access Control
• Identity and Access Management
• User Account Management
• Vulnerability Scanning/Assessment
• Log Management and Security Information and Event Management (SIEM)
• APT Detection
• Endpoint Security
• Vulnerability Scanning/Assessment
• Patch and Security Configuration Management
• Host IPS/IDS
• Device Control
• Host-based IPS
• Host-based, application-specific Data Loss Prevention
• Mobile Data Protection/Encryption
• Data Loss Prevention (DLP)
• Enterprise Data Protection/Encryption
• APT Detection
Maturity progression: Reactive, Proactive, Predictive
Cross-cutting: Continuous Monitoring/Policies and Procedures; Threat Intelligence/Security Assessments
Industry Involvement
• HITRUST Board Participation
• Vendor Partnerships
• CHIME
• HIMSS
• Legislative Activity - Calls to Action
• Department of Health and Human Services
• Department of Homeland Security
• Federal Bureau of Investigation
• Federal Drug Administration
HITRUST Snapshot
• Industry Challenges: Catalyst for HITRUST (September 2007)
• Best known for Common Security Framework (CSF)
• Adopted by 76% of hospitals (1) and 78% of health plans (2)
• Adoption of CSF Assurance: 19,000+ assessments in three years
• Runs Cyber Threat Intelligence, Incident Coordination Center, & Cyber Threat Xchange
• Provides information, protection, and education: 12,000+ CCSFP professionals
  – Developing broader healthcare certified information security professional credential (ISC2 partnership)
  – Annual conference: in 2012 began holding the health information protection professional annual conference
(1) Based on facilities in the 2011 AHA hospital and health system data as of Dec 2012
(2) Based on health plans with over 500,000 members as of Dec 2012
HITRUST exists to ensure information protection becomes a core pillar of the broad adoption of HIS and HIEs
Common Security Framework (CSF)
• Practical and efficient approach to managing risk that is scalable, prescriptive and certifiable
• HITRUST maintains and supports the CSF and ensures its relevancy and applicability
• Released v6 in Jan 2014; v7, due in Jan 2015, will incorporate privacy
• Now includes more than 17 authoritative sources (federal and state regulations, globally recognized standards, and industry best practices)
Sources harmonized into the HITRUST CSF: NIST; ISO 27001/2; COBIT; FTC Red Flags; PCI; Meaningful Use; HIPAA Omnibus Final Rule; Texas Health & Safety Code
The ambiguity of standards and regulations distracts from protecting healthcare organizations…
Common Security Framework (CSF)
The HITRUST Common Security Framework (CSF) provides coverage across multiple healthcare-specific standards and includes significant components from other well-respected IT security standards bodies and governance sources.
Included Standards:
• HIPAA
• HITECH Act
• ISO/IEC 27001:2005, 27002:2005, 27799:2008
• CFR Part 11
• COBIT 4.1
• NIST SP 800-53 Revision 4
• NIST SP 800-66
• PCI DSS version 1.2
• FTC Red Flags Rule
• JCAHO IM
• 201 CMR 17.00 (State of Mass.)
• NRS 603A (State of Nev.)
• CSA Cloud Controls Matrix v1
• CMS IS ARS
• Texas Health and Safety Code (THSC) 181
• Title 1 Texas Administrative Code (TAC) 390.2
Control Categories:
0. Information Security Management Program
1. Access Control
2. Human Resources Security
3. Risk Management
4. Security Policy
5. Organization of Information Security
6. Compliance
7. Asset Management
8. Physical and Environmental Security
9. Communications and Operations Management
10. Information Systems Acquisition, Development & Maintenance
11. Information Security Incident Management
12. Business Continuity Management
Scoping Factors:
• Regulatory: federal, state and domain-specific compliance requirements
• Organization: geographic factors; number of covered lives
• System: data stores; external connections; number of users/transactions
Framework structure (analyzed, rationalized & consolidated): Control Categories → Control Objectives → Control Specifications
Common Security Framework (CSF)
Benefits of Adopting CSF
Security & Privacy Common Control Framework
• Single compliance program to manage, versus managing compliance against a myriad of requirements
• Incorporates existing security regulations, standards, and frameworks
• Rationalizes duplications and inconsistent requirements
• Common definition of controls and detailed implementation requirements
• Focuses security efforts on actual risk identification and remediation
• Instills confidence through public pronouncement of compliance
• Vendors demonstrate security compliance to healthcare covered entities
• Future enhancements provide guidance for securing specific vendor products
Security controls
• 13 control categories, 42 control objectives, and 135 control specifications
• Three levels of requirements based on organization’s scale & operations
• Implementation & inspection guidance
• Maps controls to authoritative sources
• Process for accepting alternate controls (compensating and mitigating) for systems that are not in compliance
• Security Configuration Packs will recommend configuration and maintenance of security in critical applications (e.g., electronic health/medical record systems and medical devices)
• Products and Services Guide links to solutions based on the security framework
Framework Components: ISO 27000 series; NIST 800 series; PCI DSS; COBIT; HIPAA; 21 CFR Part 11
The HITRUST CSF serves as the baseline set of controls, as it provides an efficient method to assess once and satisfy many regulatory, legal and leading-practice requirements.
Key Elements of HITRUST’s Cyber Strategy
• Provide a managed framework with healthcare-specific guidance that addresses cyber risks in a comprehensive and timely manner
• Ensure healthcare organizations have comprehensive, timely, and consumable threat intelligence
• Enable the timely exchange of relevant and actionable cyber threat indicators (IOCs, TTPs, malware signatures)
• Support collaboration on cyber incidents among industry and government resources
  – US-CERT, HHS, FBI, DHS, USSS
• Facilitate testing and evaluation of cyber threat preparedness, response and intelligence-sharing activities
• Educate legislators on the issues, progress and areas where support is needed
Goal: Protect industry from cyber threats and aid in response while supporting organizational maturity
CSF Assurance
• Methodology and compliance program to effectively and consistently measure CSF compliance
• Risk-based methodology
• Simplified information collection and reporting
• Consistent testing procedures and scoring
• Creates efficiencies and contains costs
• Assessments performed by leading professional services firms
Programs – Third Party Assurance
• Streamlines the business associate assurance process
• Utilizes the tools and methodologies of the CSF Assurance Program
• Allows healthcare organizations to efficiently and effectively assess their business partners and manage risk
• Allows assessed organizations to undergo one assessment and report to multiple entities
Programs – Secure Texas
• The Texas Health Services Authority selected HITRUST to provide the Texas Covered Entity Privacy/Security Certification (Secure Texas)
• Allows THSA to provide certification under Texas House Bill 300
• Certification offers penalty reduction and risk mitigation
Lessons Learned
• Managing risk vs. compliance
• Implications of cyber
• Distinction between best practice, regulations, standards, and implementation
• A framework helps to strengthen your security programs
Visit www.HITRUSTAlliance.net for more information
To view our latest documents, visit the Content Spotlight:
• State of Texas Privacy and Security Certification (http://hitrustalliance.net/texas/)
• Monthly industry cyber threat briefings with HHS (http://hitrustalliance.net/cyber-threat-briefings/)
• Industry cyber threat preparedness exercises – CyberRX (http://hitrustalliance.net/cyberrx/)
Q & A
Pamela.Arora@childrens.com
Aaron.Miri@childrens.com
Daniel.Nutkis@hitrustalliance.net

  • 11. Mega Breaches •Healthcare accounted for 44% of all data breaches •Healthcare accounted for 1% of all the identities exposed in 2013. Copyright © 2014 Symantec Corporation 11
  • 12. Top Causes of Breaches 2013 34% 29% 27% Hackers Accidental Made Public Lost/Stolen Device Insiders Fraud Unknown 6% 2% 2% Healthcare 2013 12% 29% 49% 6% 1% 2% 12 Copyright © 2014 Symantec Corporation
  • 13. Price on Underground Economy •Credit Card = $1-$2 •Medical Record = $20 PII Lost •Retail = 165,154,040 •Healthcare = 6,279,270 The Cost of Avoidance 13 Copyright © 2014 Symantec Corporation
  • 14. Cloud Hackers Authentication & Encryption Virtualization Cyber Threats Compliance Remote Clinics, Practitioners/Employees Mobile Devices Insider Threat Social Media Patient Engagement Advanced Persistent Attacks Mail & Web Security Risk & Compliance Infrastructure Protection Endpoint Management Identity Protection Information Intelligence & Encryption Incident Response Enterprise Mobility Addressing the Threat 14 Copyright © 2014 Symantec Corporation
  • 15. Perimeter Defense Internal Network Defense Host Defense Application Defense Data Defense Firewall Management Virtual Private Network Firewall Log Monitoring Intrusion Prevention (IPS) Penetration Testing Secure Web Gateway/Content Filtering Secure Messaging Gateway/SPAM Filtering Network Discovery Network Access Control Identity and Access Management User Account Management Vulnerability Scanning/Assessment Log Management and Security Information and Event Management APT Detection Endpoint Security Vulnerability Scanning/Assessment Patch and Security Configuration Management Host IPS/IDS Device Control Host Based IPS Host based application specific Data Loss Prevention Mobile Data Protection/Encryption Data Loss Prevention (DLP) Enterprise Data Protection/Encryption APT Detection Reactive Proactive Predictive Continuous Monitoring/Policies and Procedures Threat Intelligence/Security Assessments Children’s Health Layers of Defense 15
  • 16. •HITRUST Board Participation •Vendor Partnerships •CHIME •HIMSS •Legislative Activity - Calls to Action •Department of Health and Human Services •Department of Homeland Security •Federal Bureau of Investigation •Federal Drug Administration Industry Involvement 16
  • 17. HITRUST Snapshot • Industry Challenges: Catalyst for HITRUST (September 2007) • Best known for Common Security Framework (CSF) • Adopted by 76% of hospitals and 78% of health plans2 • Adoption of CSF Assurance--19,000 + assessments in three years • Runs Cyber Threat Intelligence, Incident Coordination Center, & Cyber Threat Xchange • Provides information, protection, and education—12,000+ CCSFP professionals – Developing broader healthcare certified information security professional credential – ISC2 partnership – Annual conference: In 2012 began holding health information protection professional annual conference 1 – Based on facilities in the 2011 AHA hospital and health system data as of Dec 2012 2 – Based on health plans with over 500,000 members as of Dec 2012 HITRUST exists to ensure information protection becomes a core pillar of the broad adoption of HIS and HIEs 17
  • 18. Common Security Framework (CSF) •Practical and efficient approach to managing risk that is scalable, prescriptive and certifiable •HITRUST maintains, supports and ensures the relevancy and applicability •Released v6 in Jan 2014 and will release v7 in Jan 2015 will incorporate privacy •Now includes more than 17 authoritative sources (federal and state regulations, globally recognized standards, and industry best practices) NIST ISO 27001/2 COBIT . FTC Red Flags PCI Meaningful Use HIPAA Omnibus Final Rule Texas Health & Safety Code NIST ISO 27001/2 COBIT . FTC Red Flags PCI Meaningful Use HIPAA Omnibus Final Rule Texas Health & Safety Code HITRUST CSF The ambiguity of standards and regulations distract from protecting healthcare organizations… 18
  • 19. The HITRUST Common Security Framework (CSF) provides coverage across multiple healthcare-specific standards and includes significant components from other well-respected IT security standards bodies and governance sources Common Security Framework (CSF) Included Standards HIPAA HITECH Act ISO/IEC 27001:2005, 27002:2005, 27799:2008 CFR Part 11 COBIT 4.1 NIST SP 800-53 Revision 4 NIST SP 800-66 PCI DSS version 1.2 FTC Red Flags Rule JCAHO IM 201 CMR 17.00 (State of Mass.) NRS 603A (State of Nev.) CSA Cloud Controls Matrix v1 CMS IS ARS Texas Health and Safety Code (THSC) 181 Title 1 Texas Administrative Code (TAC) 390.2 Control Categories 0. Information Security Management Program 1. Access Control 2. Human Resources Security 3. Risk Management 4. Security Policy 5. Organization of Information Security 6. Compliance 7. Asset Management 8. Physical and Environmental Security 9. Communications and Operations Management 10. Information Systems Acquisition, Development & Maintenance 11. Information Security Incident Management 12. Business Continuity Management Scoping Factors Regulatory •Federal, state and domain specific compliance requirements Organization •Geographic factors •Number of covered lives System •Data stores •External connections •Number of users/transactions Analyzed, Rationalized & Consolidated Control Specifications Control Objectives Control Categories Common Security Framework (CSF) 19
  • 20. Security & Privacy Common Control Framework •Single compliance program to manage versus managing compliance against a myriad of requirements •Incorporates existing security regulations, standards, and frameworks •Rationalizes duplications and inconsistent requirements •Common definition of controls and detailed implementation requirements •Focuses security efforts on actual risk identification and remediation •Instills confidence through public pronouncement of compliance •Vendors demonstrate security compliance to healthcare covered entities •Future enhancements provide guidance for securing specific vendor products Security controls •13 control categories, 42 control objectives, and 135 control specifications •Three levels of requirements based on organization’s scale & operations •Implementation & inspect guidance •Maps controls to authoritative sources •Process for accepting alternate controls (compensating and mitigating) for systems that are not in compliance •Security Configuration Packs will recommend configuration and maintenance of security in critical applications (e.g., electronic health medical record systems and medical devices) •Products and Services Guide link to solutions based on security framework ISO 27000 series NIST 800 series PCI DSS COBIT HIPAA 21 CFR Part 11 Framework Components The HITRUST CSF serves as the baseline set of controls as it provides an efficient method to assess once and satisfy many regulatory, legal and leading practice requirements. Benefits of Adopting CSF Common Security Framework (CSF) 20
  • 21. Key Elements of HITRUST’s Cyber Strategy •Provide a managed framework with healthcare-specific guidance that addresses cyber risks in a comprehensive and timely manner •Ensure healthcare organizations have comprehensive, timely, and consumable threat intelligence •Enable the timely exchange of relevant, timely and actionable cyber threat indicators (IOC, TTPs, malware signatures) •Support collaboration on cyber incidents among industry and government resources –US Cert, HHS, FBI, DHS, USSS •Facilitate testing and evaluating of cyber threat preparedness and response and intelligence sharing activities •Educating legislators on the issues, progress and areas support is needed Protect industry from cyber threats and aid in response while supporting organizational maturity 21
  • 22. CSF Assurance • Methodology and compliance program to effectively and consistently measure CSF compliance • Risk-based methodology • Simplified information collection and reporting • Consistent testing procedures and scoring • Creates efficiencies and contains costs • Assessments performed by leading professional services firms 22
  • 23. Programs – Third Party Assurance •Streamlines the business associate assurance process •Utilizes the tools and methodologies of the CSF Assurance Program •Allows healthcare organizations to efficiently and effectively assess their business partners and manage risk •Allows assessed organizations to undergo one assessment and report to multiple entities 23
  • 24. Programs – Secure Texas •Texas Health Services Authority awarded HITRUST to provide the Texas Covered Entity Privacy/Security Certification (Secure Texas) •Allows for THSA to provide certification under Texas House Bill 300 •Certification offers penalty reduction and risk mitigation 24
  • 25. •Managing risk vs. compliance •Implications of cyber •Distinction between best practice, regulations, standards, and implementation •A framework helps to strengthen your security programs Lessons Learned 25
  • 26. Visit www.HITRUSTAlliance.net for more information To view our latest documents, visit the Content Spotlight State of Texas Privacy and Security Certification (http://hitrustalliance.net/texas/) Monthly industry cyber threat briefings with HHS (http://hitrustalliance.net/cyber-threat- briefings/) Industry cyber threat preparedness exercises – CyberRX (http://hitrustalliance.net/cyberrx/) 26
  • 27. Q & A Pamela.Arora@childrens.com Aaron.Miri@childrens.com Daniel.Nutkis@hitrustalliance.net A CHIME Leadership Education and Development Forum in collaboration with iHT2