This document discusses Children's Medical Center's achievement of HITRUST Common Security Framework (CSF) certification. It provides background on Children's Medical Center, which serves as the top children's hospital in the Dallas/Fort Worth area. It then outlines the HITRUST CSF and certification process, which involves a third-party audit of 260 security checks across 19 areas. The certification demonstrates Children's Medical Center's commitment to information security best practices. The document also discusses the benefits of the HITRUST framework and CSF in providing a comprehensive approach to managing healthcare cybersecurity and regulatory compliance.
CHIME LEAD Forum Houston - "Case Studies from the Field: Putting Cyber Security Strategies into Action" - Hitchhiker's Guide to IT Security
1. A CHIME Leadership Education and Development Forum in collaboration with iHT2
Creating an Effective Cyber Security Strategy: The Hitchhiker’s Guide to IT Security
• Dan Nutkis, CEO, HITRUST
• Pamela Arora, Senior Vice President & CIO
• Aaron Miri, Chief Technology Officer
#LEAD14
3. Children’s Medical Center Dallas
Mission: To make life better for children
Vision: Children’s will be among the very best medical centers in the nation
Background:
• Serves the fourth largest metro area in the U.S.
• Highest projected growth of pediatric population over the next 20 years
• Three campuses (Dallas, Plano and Southlake, Texas) with 591 licensed beds
• $1B in assets, $2B in gross revenue, AA3 bond rating
• Over 5,000 employees and 1,000 physicians
• Over 100K inpatient days, 300K outpatient visits, 100K emergency visits
• Academic affiliation with University of Texas Southwestern Medical School
• Only Level I pediatric trauma center in North Texas (1 of 22 in the U.S.)
• Only U.S. pediatric hospital with six Joint Commission disease-specific certifications
• Nursing Magnet status; fewer than 10% of hospitals in the nation have achieved it
• Top 10 children’s hospital in the nation (U.S. News & World Report 2009)
IT Recognition:
• 2013 HIMSS Enterprise Davies Award of Excellence Winner
• HIMSS EMR Adoption Stage 7; first hospital in Texas to achieve this level
• Top 200 U.S. companies by InformationWeek 500 for IT
• HITRUST Common Security Framework Certification
• Most Wired by Hospitals & Health Networks eight times
4. Overview
• Why HITRUST certification
• Certification process
• Engagement matrix
• Risks to manage
• Children’s Health℠ layers of defense
• HITRUST service offerings
• Lessons learned
5. The Path to HITRUST CSF Certification
What is HITRUST CSF?
• HITRUST Common Security Framework (CSF): a comprehensive set of healthcare industry best practices and compliance requirements designed to address HIPAA, HITECH, NIST, ISO and more.
• HITRUST Validated: organizations may self-evaluate their compliance standing using the HITRUST CSF framework.
• HITRUST CSF Certified: CSF Certified status represents that the organization has met HITRUST requirements and has been verified by an independent third party.
• HITRUST CSF Certification places Children’s in an elite group of organizations worldwide that have earned this certification.
• HITRUST CSF Certification required independent third-party auditing of 260 IT security checks across 19 different areas. The process took 12 months of rigorous review, physical audit and validation.
6. Why HITRUST Certification
Timeline:
• 1996: HIPAA
• 2009: HITECH Act
• 2009: HITRUST CSF
• 2010: OCR endorses HITRUST
• 2012: Texas HB 300
• 2013: Omnibus Final Rule
• 2013: THSA HITRUST
Demonstrate controls for HIPAA compliance:
• Fines for non-compliance can be several million dollars
• Clear framework: Common Security Framework (CSF)
• Ratified by the Texas Health Services Authority (THSA)
7. Certification Process: HITRUST Certification
Common Security Framework: security across an organization. Secure Texas: heightened privacy.
1. Self-assessment against the CSF
2. Third-party assessment
3. Update and implement needed changes
4. Results submitted to HITRUST
5. HITRUST/THSA reviews and grants certification
8. Engagement Matrix
Role             CSF   TX CE           Engagement
Credentialing          X               Demonstration of process
Medical Affairs        X
HIM                    X
Legal                  X               Investigation and subpoenas
Privacy                X               Breach management process
Security         X     X (~10% CSF)
CSF: Security owns all controls
TX CE: policy and process revisited with each role
15. Children’s Health Layers of Defense
Layers: Perimeter Defense, Internal Network Defense, Host Defense, Application Defense, Data Defense
Controls across the layers:
• Firewall Management
• Virtual Private Network
• Firewall Log Monitoring
• Intrusion Prevention (IPS)
• Penetration Testing
• Secure Web Gateway/Content Filtering
• Secure Messaging Gateway/SPAM Filtering
• Network Discovery
• Network Access Control
• Identity and Access Management
• User Account Management
• Vulnerability Scanning/Assessment
• Log Management and Security Information and Event Management
• APT Detection
• Endpoint Security
• Vulnerability Scanning/Assessment
• Patch and Security Configuration Management
• Host IPS/IDS
• Device Control
• Host Based IPS
• Host based application specific Data Loss Prevention
• Mobile Data Protection/Encryption
• Data Loss Prevention (DLP)
• Enterprise Data Protection/Encryption
• APT Detection
Maturity: Reactive, Proactive, Predictive
Cross-cutting: Continuous Monitoring/Policies and Procedures; Threat Intelligence/Security Assessments
16. Industry Involvement
• HITRUST Board participation
• Vendor partnerships
• CHIME
• HIMSS
• Legislative activity - calls to action
• Department of Health and Human Services
• Department of Homeland Security
• Federal Bureau of Investigation
• Federal Drug Administration
17. HITRUST Snapshot
• Industry challenges: catalyst for HITRUST (September 2007)
• Best known for the Common Security Framework (CSF)
• Adopted by 76% of hospitals[1] and 78% of health plans[2]
• Adoption of CSF Assurance: 19,000+ assessments in three years
• Runs the Cyber Threat Intelligence and Incident Coordination Center and the Cyber Threat Xchange
• Provides information, protection, and education: 12,000+ CCSFP professionals
  – Developing a broader healthcare certified information security professional credential (ISC2 partnership)
  – Annual conference: in 2012 began holding a health information protection professional annual conference
[1] Based on facilities in the 2011 AHA hospital and health system data as of Dec 2012
[2] Based on health plans with over 500,000 members as of Dec 2012
HITRUST exists to ensure information protection becomes a core pillar of the broad adoption of HIS and HIEs
18. Common Security Framework (CSF)
• Practical and efficient approach to managing risk that is scalable, prescriptive and certifiable
• HITRUST maintains and supports the CSF and ensures its relevancy and applicability
• Released v6 in Jan 2014; v7, due in Jan 2015, will incorporate privacy
• Now includes more than 17 authoritative sources (federal and state regulations, globally recognized standards, and industry best practices)
Sources feeding the HITRUST CSF: NIST; ISO 27001/2; COBIT; FTC Red Flags; PCI; Meaningful Use; HIPAA Omnibus Final Rule; Texas Health & Safety Code
The ambiguity of standards and regulations distracts from protecting healthcare organizations…
19. Common Security Framework (CSF)
The HITRUST Common Security Framework (CSF) provides coverage across multiple healthcare-specific standards and includes significant components from other well-respected IT security standards bodies and governance sources.
Included Standards:
• HIPAA
• HITECH Act
• ISO/IEC 27001:2005, 27002:2005, 27799:2008
• CFR Part 11
• COBIT 4.1
• NIST SP 800-53 Revision 4
• NIST SP 800-66
• PCI DSS version 1.2
• FTC Red Flags Rule
• JCAHO IM
• 201 CMR 17.00 (State of Mass.)
• NRS 603A (State of Nev.)
• CSA Cloud Controls Matrix v1
• CMS IS ARS
• Texas Health and Safety Code (THSC) 181
• Title 1 Texas Administrative Code (TAC) 390.2
Control Categories:
0. Information Security Management Program
1. Access Control
2. Human Resources Security
3. Risk Management
4. Security Policy
5. Organization of Information Security
6. Compliance
7. Asset Management
8. Physical and Environmental Security
9. Communications and Operations Management
10. Information Systems Acquisition, Development & Maintenance
11. Information Security Incident Management
12. Business Continuity Management
Scoping Factors:
• Regulatory: federal, state and domain-specific compliance requirements
• Organization: geographic factors; number of covered lives
• System: data stores; external connections; number of users/transactions
Sources are analyzed, rationalized and consolidated into Control Categories, Control Objectives and Control Specifications.
20. Common Security Framework (CSF)
Security & Privacy Common Control Framework
Benefits of Adopting CSF:
• Single compliance program to manage versus managing compliance against a myriad of requirements
• Incorporates existing security regulations, standards, and frameworks
• Rationalizes duplications and inconsistent requirements
• Common definition of controls and detailed implementation requirements
• Focuses security efforts on actual risk identification and remediation
• Instills confidence through public pronouncement of compliance
• Vendors demonstrate security compliance to healthcare covered entities
• Future enhancements provide guidance for securing specific vendor products
Security controls:
• 13 control categories, 42 control objectives, and 135 control specifications
• Three levels of requirements based on the organization’s scale & operations
• Implementation and inspection guidance
• Maps controls to authoritative sources
• Process for accepting alternate controls (compensating and mitigating) for systems that are not in compliance
• Security Configuration Packs will recommend configuration and maintenance of security in critical applications (e.g., electronic health medical record systems and medical devices)
• Products and Services Guide links to solutions based on the security framework
Framework Components: ISO 27000 series; NIST 800 series; PCI DSS; COBIT; HIPAA; 21 CFR Part 11
The HITRUST CSF serves as the baseline set of controls, as it provides an efficient method to assess once and satisfy many regulatory, legal and leading practice requirements.
21. Key Elements of HITRUST’s Cyber Strategy
• Provide a managed framework with healthcare-specific guidance that addresses cyber risks in a comprehensive and timely manner
• Ensure healthcare organizations have comprehensive, timely, and consumable threat intelligence
• Enable the timely exchange of relevant and actionable cyber threat indicators (IOCs, TTPs, malware signatures)
• Support collaboration on cyber incidents among industry and government resources
  – US-CERT, HHS, FBI, DHS, USSS
• Facilitate testing and evaluation of cyber threat preparedness, response and intelligence-sharing activities
• Educate legislators on the issues, progress and areas where support is needed
Protect the industry from cyber threats and aid in response while supporting organizational maturity
22. CSF Assurance
• Methodology and compliance program to effectively and consistently measure CSF compliance
• Risk-based methodology
• Simplified information collection and reporting
• Consistent testing procedures and scoring
• Creates efficiencies and contains costs
• Assessments performed by leading professional services firms
23. Programs – Third Party Assurance
• Streamlines the business associate assurance process
• Utilizes the tools and methodologies of the CSF Assurance Program
• Allows healthcare organizations to efficiently and effectively assess their business partners and manage risk
• Allows assessed organizations to undergo one assessment and report to multiple entities
24. Programs – Secure Texas
• The Texas Health Services Authority selected HITRUST to provide the Texas Covered Entity Privacy/Security Certification (Secure Texas)
• Allows THSA to provide certification under Texas House Bill 300
• Certification offers penalty reduction and risk mitigation
25. Lessons Learned
• Managing risk vs. compliance
• Implications of cyber
• Distinction between best practice, regulations, standards, and implementation
• A framework helps to strengthen your security programs
26. Visit www.HITRUSTAlliance.net for more information
To view our latest documents, visit the Content Spotlight:
• State of Texas Privacy and Security Certification (http://hitrustalliance.net/texas/)
• Monthly industry cyber threat briefings with HHS (http://hitrustalliance.net/cyber-threat-briefings/)
• Industry cyber threat preparedness exercises – CyberRX (http://hitrustalliance.net/cyberrx/)
27. Q & A
Pamela.Arora@childrens.com
Aaron.Miri@childrens.com
Daniel.Nutkis@hitrustalliance.net