© 2015 HITRUST Alliance. All Rights Reserved.
Health Industry Third Party Assurance Summit
Welcome and Opening Remarks CSF Assurance: The New Standard for Streamlining the Third Party Assurance Process
November 13, 2015
Daniel Nutkis – CEO, HITRUST
Robert Booker – Vice President & CISO, UnitedHealth Group
Ray Biondo – Divisional Senior Vice President & CISO, Health Care Service Corporation
Roy Mellinger – Vice President & CISO, Anthem
Omar Khawaja – Vice President & CISO, Highmark
BACKGROUND AND INDUSTRY PROGRESS TO DATE
How did we get here?
Most recently, many of you were notified of updates to your business associate and partner agreements, specifically a REQUIREMENT for use of the HITRUST CSF Assurance Program
Ray Biondo Divisional Senior Vice President & Chief Information Security Officer
Robert E. Booker Vice President & Chief Information Security Officer
Omar Khawaja Vice President & Chief Information Security Officer
Roy R. Mellinger Vice President, IT Security & Chief Information Security Officer
Jon Moore Vice President & Chief Information Security Officer
How did we get here?
Or a PREFERENCE for leveraging the CSF Assurance Program
How did we get here?
• Addressing inefficiencies and inconsistencies in 3rd Party Assurance has been ongoing for many years
• Was considered a priority back in 2007
How did we get here? Continual progress since 2007
• Initial 3rd Party Assurance Summit held in May 2009
• Held subsequent Summits
• CSF updates annually
• CSF Assurance updates annually
• Org/Covered Entity guidance
• Partner/Business Associate guidance
Current State – Reality
The reality is that Orgs have many BPs, providing the BPs with increased access to a number of systems and sharing a great deal of sensitive information.
[Diagram: two Healthcare Organizations, each connected to several Business Partners; every link is labelled "Broad data and access"]
Current State – Further Complicated
The environment is further complicated by the fact that organizations can be both an Org and BP, outsourcing services to BPs and providing services to Orgs.
[Diagram: Organizations connected to Business Partners, some of which are themselves Organizations with their own Business Partners]
Current State – Web of Compliance
[Diagram: a web of Providers, Payers, Pharmacies, Information Exchanges, an Outsourcer and an EHR Vendor, each tied to its own Third Party Auditor(s)]
Current State – Reporting
[Diagram: each Organization issues its own Requirements to each Business Partner (BP), and each BP produces a separate audit report per Organization (Audit Report 1, Audit Report 2, Audit Report X, Audit Report Y, Audit Report #)]
Healthcare Orgs/Covered Entity Challenges
• Complex contracting process due to organizational specific security requirements
• Low rate, inaccurate and incomplete responses
• Inadequate due diligence of questionnaires
• Difficulty monitoring the status and effectiveness of corrective action plans
• Difficulty tracking down appropriate contacts at business associate
• Costly and time-intensive data collection, assessment and reporting processes
• Inability to proactively identify and track risk exposures at business associate
• Lack of visibility into downstream risks related to business associate (i.e., business associate’s own business partners)
• Lack of consistent reporting to management on business associate risks
Business Partner Challenges
• Complex contracting process due to unique security requirements
• Broad range and inconsistent expectations for responses to questionnaires—inability to effectively leverage responses across organizations
• Complex processes:
– Maintaining broad range of reporting requirements
– Tracking to varied expectations around corrective action plans
– Tracking down appropriate contacts at customers
– Expensive and time-intensive audits by customers
– Inability to consistently and effectively report to and communicate with customers
– Risk exposure to inconsistent responses from different business units of the business associate
Universal Agreement that the Current Model is Broken
• There are no scenarios where performing 15, 50 or 250 or more unique assessments makes sense for a business associate to communicate their information privacy and security posture (on same scope)
• Nor does maintaining and supporting an organizational specific assessment methodology and performing assessments for a healthcare organization
• HITRUST has been working with healthcare organizations and business partners to identify a practical and implementable approach
[Diagram: Common Requirements → Uniform Assessment Process → Simplified Reporting → More Efficient and Effective Compliance Process]
Today’s Session
Hear from Us:
• More about the CSF Assurance program
• Organizations requiring their partners adopt the CSF Assurance program
• Business Partners already adopting the program and how they are leveraging it
• How to get started and get help
Hear from You:
• Questions you have
• What You Need
– Additional guidance, tools, outreach?
– Support in working with other covered entities that don’t accept CSF Assurance reports?
Health Industry Third Party Assurance Summit
Partner Requirements, Expectations, Timelines and QA
Facilitator: Michael Frederick – Vice President, Operations, HITRUST
Bryan Sheehan – Senior Director, Information Risk Management, UnitedHealth Group
Chris Burnett – Director, Information Security, Anthem
Tim Belardi – Director, Tech Advisory Services, Highmark
Darin Clapp – EIP Contracts Manager, Humana
Brenda Callaway – Executive Director, Information Security, Health Care Service Corp.
What did we do?
Notified industry of updates to their business associate and partner agreements, including use of the HITRUST CSF Assurance Program
• HITRUST CSF certification is required
• 2-year implementation schedule
Ray Biondo Divisional Senior Vice President & Chief Information Security Officer
Robert E. Booker Vice President & Chief Information Security Officer
Omar Khawaja Vice President & Chief Information Security Officer
Roy R. Mellinger Vice President, IT Security & Chief Information Security Officer
Jon Moore Vice President & Chief Information Security Officer
Why did we do it?
What did they do?
• Initiated push by others in healthcare to require the same of their BAs/partners
• Example is from a joint letter by 10 pediatric hospitals to their BAs/partners strongly encouraging adoption of the HITRUST CSF
– Enables use of a single assessment
– Ensures the safety and security of patient data
– CSF certification is highly attractive to the signatories
Is this really a good idea?
• Standardized requirements aligned with healthcare compliance requirements
• Industry benchmarks rather than company-specific requirements
• Shared resources for assessment, reporting, and compliance tracking
• Reduced time/expense on client audits, assessments, and onsite reviews
• Reduced time in pre-contract due diligence reviews
• Provides a level of assurance that certain controls are in place
• Timely and coordinated breach response processes
• Proactive alert of increased business partner risk
What exactly do I need to do?
HITRUST CSF Self-assessment Report
• 90 days after Effective Date
HITRUST CSF Validated Report
• 18 months after Effective Date
HITRUST CSF Certification Report
• 24 months after Effective Date
Q&A
Q: “Can I submit my existing ISO Certification or SOC 2 in lieu of providing a CSF Assessment report to meet the Third Party Assessment requirements?”
A: The program requirements established by each of the organizations require that a CSF Assessment report be provided, with an initial CSF Self Assessment, followed by a CSF Validated Assessment and, within 24 months, a CSF Certification report.
Although not preferred, each organization does allow exceptions to be considered; these will be reviewed on a case-by-case basis to determine if acceptable. This may include stipulations, such as additional material, documentation or reviews being provided.
It should also be noted that this consideration is on an individual organization basis, so acceptance by one organization does not mean any others will grant an exception. As such we encourage organizations not to seek an exception unless a unique circumstance exists.
Health Industry Third Party Assurance Summit
Leveraging the HITRUST CSF Assurance Program to Manage Third Party Risk
Michael Frederick – Vice President, Operations, HITRUST
BENEFITS OF LEVERAGING THE HITRUST CSF ASSURANCE PROGRAM
Single Framework Reduces Complexity
[Diagram: several Healthcare Organizations (HO), each with their own Requirements, converge on the Common Security Framework (CSF), which draws on HIPAA, NIST and ISO]
HITRUST Model – Reporting
[Diagram: Healthcare Organizations (HO) and Business Partners (BP) all work from CSF Requirements under the HITRUST Common Business Partner Compliance Framework; each BP holds one HITRUST Certification that is accepted by every HO]
HITRUST Third Party Assurance Program (TPAP)
Value of the HITRUST TPAP
• Standardized requirements aligned with healthcare compliance requirements
• Industry benchmarks rather than company specific requirements
• Shared resources for assessment, reporting and compliance tracking
• Minimize repetitive processes
• Simplified assessment and reporting processes
• Enhanced business partner communications
• Timely and coordinated breach response processes
• Proactive alert of increased business partner risk
[Diagram: Common Requirements → Uniform Shared Assessment → Simplified Processes → Enhanced security & streamlined compliance costs]
HOW DOES THE HITRUST CSF ASSURANCE PROGRAM WORK FOR THIRD PARTIES?
Program Definition
[Diagram: Third Party Assurance, showing the relationship between HITRUST CSF Assurance, the Vendor and the Covered Entity]
HITRUST CSF Assurance
• Maintain CSF
• Maintain MyCSF
• Provide vendor support during
• Provide covered entity support with communication & monitoring of assessments
Covered Entity
• Communicate with vendors
• Accept CSF assessment reports
• Determine level of assurance
• Determine level of risk tolerance
Vendor
• Complete required assurance level assessment
• Ensure you are meeting minimum requirement levels for your CEs
HITRUST CSF Assurance
[Diagram: the HITRUST CSF Assurance Program sits between Healthcare Organizations and Business Associates; Business Associates "Assess and Report Status with Corrective Actions", Healthcare Organizations "Analyze Results and Mitigate"]
• Utilizes a common set of information security requirements with standardized assessment and reporting processes accepted and adopted by healthcare organizations
• Through the program, healthcare organizations and their business associates can improve efficiencies and reduce the number and costs of security assessments
• The oversight and governance provided by HITRUST supports a process whereby organizations can trust that their third parties have essential security controls in place
Key Components of the CSF Assurance Program
Standardized tools and processes
• Questionnaire
– Focus assurance dollars to efficiently assess risk exposure
– Measured approach based on risk and compliance
– Ability to escalate assurance level based on risk
• Report
– Output that is consistently interpreted across the industry
Cost effective and rigorous assurance
• Multiple assurance options based on risk
• Quality control processes to ensure consistent quality and output across HITRUST CSF Assessors
• Streamlined and measurable process within MyCSF tool
• End-user support
HOW DO WE GET STARTED?
Getting Started
Purchase and Perform a HITRUST CSF Self-Assessment
• Access limited to 90 days
• Information not retained for further assessments
Purchase and Perform a HITRUST CSF Validated Assessment
• Access limited to 90 days
• Information not retained for further assessments
• Requires validation by an independent, certified HITRUST CSF Assessor Organization
(Optional) Purchase a subscription to MyCSF
• Access is maintained as long as subscription is active
• Information is retained as long as subscription is active
• Allows for management of compliance and security posture over time
• Allows for re-assessment to occur without expense of purchasing a formal report
HITRUST CSF and SOC 2® Reporting
Ken Vander Wal – Chief Compliance Officer, HITRUST, [email protected]
SOC 2®
• Owned by the American Institute of Certified Public Accountants (AICPA)
• Designed to provide information on processes and controls at a service organization, together with an independent service auditor’s opinion
• Processes do not have to be related to financial statement processing—unlike SOC1 (ISAE 3402 / SSAE 16)
• Criteria updated in early 2014 except for privacy, which is currently being updated
• http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/SORHome.aspx
HITRUST CSF
• Owned by HITRUST
• Leverages and enhances existing standards and regulations to provide organizations of varying sizes and risk profiles with prescriptive implementation requirements
• Intended to be used by any and all organizations that create, access, store, or exchange protected health information (PHI)
• Two major components
– Information security implementation requirements
– Mapping and regulations
• Updated annually – currently Version 7
• https://hitrustalliance.net/hitrust-csf/
SOC 2®
• Trust Services Principles
– Security
– Availability
– Confidentiality
– Privacy
– Processing Integrity
• Select principles based on expected user needs
• Must then address ALL criteria for the selected principles
• Type 1 – design
• Type 2 – operating effectiveness
HITRUST CSF
• CSF Framework
– 14 Control Categories
– 45 Control Objectives
– 149 Control Specifications
• Risk factors drive control specification implementation requirements – up to 3 levels
• Must meet all requirement specifications based on risk factors
• Assurance program
– Self Assessments
– Third-Party Assessments
   • Certified
   • Validated
What Does SOC 2 / HITRUST Give Users?
SOC 2®
• Management Assertion
• Independent service auditor’s report
– Description fairly presents the in-scope services
– Controls suitably designed to meet in-scope criteria
– Controls have operated effectively to deliver criteria (Type 2)
• Description of System
• Description of Controls, Tests, and Results of Tests
HITRUST CSF
• Certified/validated report issued by HITRUST based on work of independent third-party assessors
– Business/functional/organizational units that meet the associated criteria
• Assessment context and scope of systems included in assessment
• Breakdown of CSF control areas with a comparison to industry
– Includes maturity scores
• Testing summary, corrective action plans, and completed questionnaire
Benefits of Combining SOC 2 & HITRUST CSF Assurance
• Leverage the HITRUST CSF controls in SOC 2 engagements
• Realize significant time efficiencies and cost savings by synergies between the CSF controls and Trust Services Principles and Criteria
• Reduce the inefficiencies and costs associated with multiple reporting requirements
• Service organizations’ controls can be considered both from the SOC 2 criteria and HITRUST CSF
Types of Reports
• HITRUST CSF Certification: organizations can obtain a HITRUST CSF certification report through an assessment by a HITRUST approved assessor and issuance of the certification report by HITRUST
• SOC 2 only: organizations that may have adopted the HITRUST CSF framework but NOT requested their service auditor to express an opinion on whether the controls at the service organization are suitably designed and operating effectively to meet the HITRUST CSF
• SOC 2 + HITRUST CSF: service auditor’s report expresses an opinion on the fairness of presentation of description and suitability of design and operating effectiveness of controls based on 1) the Trust Services Principles and Criteria relevant to Security, Availability, and Confidentiality, and, 2) the HITRUST CSF
• SOC 2 + HITRUST CSF + CSF Certification: organizations that have engaged a service auditor to express a SOC 2 + HITRUST CSF opinion and have achieved HITRUST CSF certification can obtain one combined report
Third Party Assurance Program Options
Report Option                               Meets Requirements?
HITRUST CSF Certification                   Yes
SOC 2 Only                                  No
SOC 2 + HITRUST CSF                         Maybe—Recommend Discussing with Healthcare Organization
SOC 2 + HITRUST CSF + CSF Certification     Yes
SOC 2 leveraging the CSF must be performed by an AICPA firm that is also an approved CSF Assessor
HITRUST and AICPA
Collaborating to develop and publish a set of recommendations to streamline and simplify the process of leveraging the HITRUST CSF and CSF Assurance programs for SOC 2 reporting.
Work products:
• Mapping of CSF to Trust Services Principles and Criteria (security, confidentiality and availability) (Completed)
• Overview document with frequently asked questions (Available shortly)
• HITRUST + SOC 2 Reporting Template (Available shortly)
Excerpt from the CSF: Trust Principles Mapping
Examples of FAQs
• Is the supplied mapping mandatory when performing a SOC 2 + HITRUST CSF report?
• Does the mapping mean that if I’ve completed either a SOC 2 or a HITRUST examination that I’ve fulfilled the requirements of both?
• One of the AICPA standards when issuing an opinion-based report is having “suitable criteria” when assessing the subject matter. Does the HITRUST CSF meet the definition of suitable criteria as defined by the AICPA?
• Should the maturity of control attributes be assessed when completing the SOC 2 + HITRUST CSF report?
• In a SOC 2 + HITRUST CSF Report, how does a qualified opinion related to the applicable trust services criteria impact the opinion related to the applicable HITRUST CSF Controls and vice versa?
• How are exceptions addressed in a SOC 2 + HITRUST CSF Report with an opinion on both the Trust Services Principles and Criteria and the HITRUST CSF?
• Can any service auditor that is a member of the AICPA issue a SOC 2 + HITRUST CSF or a SOC 2 + HITRUST CSF + CSF certification report?
• Are there licensing considerations when a CPA uses the HITRUST CSF in an engagement, including a SOC 2 + HITRUST CSF engagement?
HITRUST + SOC 2 Reporting Template
Report Sections
• Management Assertion
• Independent Service Auditor’s Report
• Entity’s Description of its System
• Trust Services Principles/HITRUST CSF Controls Tested and Results of Tests
• Mapping of Applicable Trust Services Principles and Criteria to the HITRUST CSF, and HITRUST CSF certification report
Draft of Opinion Wording
In our opinion, in all material respects, based on the description criteria and the applicable trust services criteria and HITRUST CSF requirements,
a. the description fairly presents the system that was designed and implemented throughout the period January 1, 20X1, to December 31, 20X1;
b. the controls stated in the description were suitably designed to provide reasonable assurance that the applicable trust services criteria and HITRUST CSF requirements would be met if the controls operated effectively throughout the period January 1, 20X1, to December 31, 20X1 and user entities applied the complementary user entity controls contemplated in the design of the Service Organization’s controls throughout the period January 1, 20X1, to December 31, 20X1; and
c. the controls tested, which together with the complementary user entity controls referred to in the scope paragraph of this report, if operating effectively, were those necessary to provide reasonable assurance that the applicable trust services criteria and HITRUST CSF requirements were met, operated effectively throughout the period January 1, 20X1, to December 31, 20X1
QUESTIONS?
Health Industry Third Party Assurance Summit
Resources to Help (Role of Assessors)
Facilitator: Michael Frederick – Vice President, Operations, HITRUST
Paul Johnson – Senior Manager, Wipfli LLP
Andrew Hicks – Practice Director, Healthcare & Life Sciences, Coalfire
Michael Parisi – Director, PricewaterhouseCoopers LLP
Carisa Brockman – Practice Director, Governance, Risk, and Compliance, AT&T Security Consulting
WIPFLI
Paul Johnson, Senior Manager
Wipfli Background
• Accounting and consulting firm
• Established in 1930
• Over 1,500 professionals
• 35 offices in the U.S.
• 2 International locations
• One of the top 20 accounting and consulting firms
• Healthcare Risk Advisory Team led by Paul Johnson and Rick Ensenbach
Lessons Learned
• HITRUST is an investment for the future
• Seek assistance when completing the baseline assessment
• Focus on Policy, Process, and Implementation
• Be prepared for the validated assessment
• Process will take time to complete
• HITRUST Certification is not a one-time goal to achieve
INTRODUCTION TO COALFIRE AND THE PASS METHODOLOGY
Andrew Hicks, Healthcare & Life Sciences Practice Director
About Coalfire
• HIPAA and HITRUST – covered entity and business associate assessment, advisory & testing.
• PCI DSS – merchant and service provider assessment, advisory & testing services.
• Federal (FedRAMP and FISMA) – assessment, advisory & testing services for CSPs (3PAO).
• ISO – Certifying Body accreditation
• SSAE 16 & SOC 2 – preparatory and assessment services for service organizations.
• GLBA/FFIEC – assessment, advisory & testing services for financial services institutions.
• NERC CIP – assessment, advisory & testing services for utilities.
• SOX – Section 404 IT GC advisory and testing services.
The Benefits of a Defined Methodology
• Phased approach that reduces cost, time, and complexity
• Gated process that:
– Embeds multiple checkpoints for quality assurance
– Integrates remediation roadmaps to minimize CAPs
– Provides the best opportunity for certification
– Increases the likelihood for on-time completion
– Streamlines the assessment lifecycle
• Accommodates Self and Validated Assessments
• Continuous status reporting
• Built-in project management
• Methodology applies to all organizations, regardless of size, complexity, and objectives
PWC Michael Parisi, Director
PwC and HITRUST
• An original assessor
• Perform HITRUST readiness and certification assessments
• Payer organizations moderate to large
• Provider systems and ACOs moderate to large
• Business Associates of all sizes industry agnostic
• Other third party assurance and assessment leveraging the CSF
• Assisted in the creation of the initial CSF
• Participated in various committees with HITRUST including SOC 2 alignment and governance committee
Business Drivers
• Regulatory changes (omnibus, SEC disclosure/audit, TX HB300)
• Outsourcing non-core business functions, greater integration of disparate technology, increased use of cloud services
– Payers / Providers increasingly use Business Associates to collect, house, process, and transmit ePHI
– Growing risk / liability associated with information protection
– Concern: “How are our BAs protecting our ePHI”
• Unclear/inconsistent definition of sensitive data and risk of data breach
• Significant cost of compliance, programs may be duplicative and inefficient, many struggle to have an integrated approach to compliance
• Need for increased level of transparency outside of financial reporting
• Cyber security threats and concerns
• Desire/need for organizations to up their game on control maturity
Benefits to Third Party Assurance: Assess Once, Report Many
Customers and Vendors can recognize further efficiencies in external reporting by considering some key points around third party assurance:
Customers:
• Imposing customized requirements on vendors
• Numerous assessments are difficult to manage and execute
• Pass burden and cost along to vendors
• Need for a recognized standard
• Obtaining a level of independent third party assurance adds comfort
Vendors:
• Audit fatigue and resource drain due to multiple assessments
• In constant response mode with no time for remediation
• Absorb cost of reporting
• Leverage reporting for other purposes
• Differentiating factor
Key Questions to Consider
What are the boundaries of the system?
• The scope of the review that would need to be performed (e.g. what parts of the business would be covered, what applications would be in-scope, etc.)
• What is the description of the service organization’s system? (e.g. the policies and procedures to provide the services covered by the report)
• The overlap with other internal controls reporting (e.g. SOC 1 or SOC 2) and overlap with existing assurance functions (e.g. internal audit, risk, compliance, etc.) to understand the cost and opportunities for leverage.
• The boundaries of the system need to be clearly understood, defined, and communicated. In HITRUST certifications the boundaries of the system may be less apparent than in SOC reports (i.e., not limited to financial systems)
• If addressing the privacy principle, at minimum all of the system components as they relate to the personal information life cycle should be covered (i.e. the collection, use, retention, disclosure, and disposal of personal information)
Drivers to Level of Effort and Timeline
1. Scoping Considerations
– Number of Applications
– Nature of Risk and Regulatory factors
– Baseline requirements
– Outsourced Services
2. Initial Year vs. Go-forward
– Upfront investment for initial year
– Readiness typically only first year and highly recommended
– Leveraging cumulative knowledge and documentation
3. Timeline for Certification (moderate to large organization)
– Readiness 2 to 3 months
– Remediation 2 to 4 months
– Testing 2 to 3 months
– Reporting 1 month
AT&T SECURITY CONSULTING
Carisa Brockman, Practice Director, Governance, Risk and Compliance
AT&T Security Consulting HITRUST Experience and Background
• Approved CSF Assessor since 2010 (been involved as VeriSign Global Security Consulting since HITRUST inception)
• Successful certification / expertise across healthcare and service provider/BA verticals
– Providers
– Business Process Outsourcers
– Managed Hosting and Co-location Services
– Storage and Cloud Solutions
– Healthcare Applications / Portals
Lessons Learned
Readiness
• Readiness assessment
• Evidentiary documentation
• Understanding of MyCSF
• Know where your data is
• Metrics and scoring methodology
Planning
• Scoping
• Sampling strategy
• Roles and responsibilities and time commitment
• Timing and key dates
Communication
• Client
• HITRUST
QUESTIONS?
Health Industry Third Party Assurance Summit
Leveraging Reports with other Partners
Program Facilitator: Michael Frederick – Vice President, Operations, HITRUST
Deborah Hutchinson – Audit Program Manager, Legal Affairs and Compliance, Availity
Daryl Hykel – InfoSec Analyst II, HMS
Travis Good – Co-founder and CEO, Catalyze, Inc.
Kurt Hagerman – Chief Information Security Officer, Armor
AVAILITY Debbie Hutchinson, Audit Program Manager
Who is Availity? As an industry-leading health care information technology company, Availity serves an extensive network of health plans, providers, and technology partners nationwide through a suite of dynamic products built on a powerful, intelligent platform.
Availity integrates and manages the clinical, administrative, and financial data needed to fuel real-time coordination between providers, health plans, and patients in a growing value-based care environment.
Why HITRUST Certification?
• Highly regulated industry resulting in multiple compliance programs and assessing against multiple standards
• Customers submit extensive security questionnaires
• Redundant assessments distract security resources that should be monitoring security
• Need a broader framework that can customize your organization's specific requirements and is constantly updated
What is the value of certification?
• Demonstrates focus on being a leader in the marketplace and a trusted partner demonstrating our commitment to security
• Provides the healthcare industry with a certifiable framework and scalable security requirements
• Provides an Audit and Security-friendly framework for ongoing compliance to help perform continuous auditing and monitoring
• Reduces time and customer security questionnaire requests and internal assessment time
• Crosswalks to complete a joint assessment for our HITRUST and SSAE-16 SOC reporting
HEALTH MANAGEMENT SYSTEMS Daryl Hykel, InfoSec Analyst II
About Health Management Systems (HMS)
• Based in Irving, TX, with more than 25 offices nationwide.
• Providing healthcare cost containment solutions for 40 years in the following areas:
– Coordination of benefits (COB)
– Fraud, waste, and abuse (FWA)
– Eligibility and recovery solutions
• Clients include state, Federal, and commercial health plans, employers, and providers.
• Solutions save clients billions of dollars every year.
Why HITRUST?
• Client requirements were the primary driver in becoming HITRUST certified. By 2014, it was determined that obtaining certification was required to continue doing business with notable clients.
• Post-assessment, HMS adopted the CSF baseline requirements as the HMS control framework to monitor risk and compliance on an ongoing basis.
• Integrated CSF baseline requirements into Archer eGRC Policy and Compliance Management programs to drive control gap remediation.
• Current use case: Mapping other control frameworks to CSF to satisfy client compliance requirements, such as CMS-ARS.
• HITRUST certification is helping to lessen the duration of third-party assessments, reducing regulatory and compliance burdens.
• Certification is also being leveraged as a competitive advantage during RFPs.
Observations About the Assessment Process
• Comprehensive assessment process that reviewed 299 controls across 19 assessment domains. Highly rigorous yet approachable.
• Assessing controls in five key areas (Policy, Process, Implemented, Measured, & Managed) resulted in less ambiguity during the assessment and helped to reduce subjective interpretation, which can be an issue during third-party assessments.
• Timeline was two weeks of self-assessment, one week onsite with the HITRUST assessor, and three weeks to formulate corrective action plans (CAPs).
• Positive experience with MyCSF, especially with the reporting features and CAP Management functionality. Good platform stability.
CATALYZE, INC. Travis Good, Co-Founder & CEO
About Catalyze
• Catalyze provides compliant, HITRUST-Certified tools to accelerate digital health adoption and scaling
• Catalyze products solve the two common challenges for digital health technologies – compliance and data integration
• Catalyze supports a wide range of customers from providers (the VA), to payers (Blue Shield of California), to digital health vendors (Healthloop, Propeller Health)
Why HITRUST? 3 Reasons…
• Internal Rigor: we wanted to force a level of information security and organizational structure into everything we do.
• External Validation: we wanted to confidently say more than “we’re HIPAA-compliant”; we wanted to signal that we take information security management seriously and raise the standard in the industry.
• Marketing: we wanted to leverage HITRUST, and our experience using it, to generate content for, and add value to, our content marketing strategy.
How have we leveraged HITRUST?
• Internally: We use the HITRUST CSF for ongoing management and oversight of our ISMP
• Marketing and Sales: We leverage our HITRUST Certification in our own sales, as well as in our digital health vendor customers' sales
• Exploration of New Certifications Based on CSF: We are now exploring using the CSF to achieve SOC 2 certification
ARMOR Kurt Hagerman, CISO
Who is Armor?
• Armor delivers your organization security controls, management and threat intelligence unmatched by standard tool vendors. This methodology is central to the opportunity to provide more as your complete cybersecurity partner.
• With Armor, you are enlisting expertly trained cybersecurity professionals who are armed with battle-tested processes. It’s this unique balance that helps Armor keep your organization proactive against today’s elite threat actors.
• Armor Complete, which includes our proven secure managed Virtual Private Cloud (VPC) or the converged Private Cloud infrastructure, is the ideal solution for organizations that store, access or manage critical or sensitive data that requires the best in trust, performance and security.
• Armor Anywhere bolsters security postures within third party cloud environments or your own IT infrastructure. It’s an entirely new managed approach to protecting your data.
Why Armor pursued HITRUST Certification
• Security and Compliance are core values
• Third-party attestation against a recognized controls framework focused on the HIPAA security rule
• Added credibility to our security program
• Mapping of our controls to show how we help our customers achieve their own compliance with HIPAA
• Marketing and Sales
– Too many CSPs tout being HIPAA compliant with no proof
– Allows us to avoid the “trust us, we’re compliant” messaging – we have a recognized certification
– Differentiation from competitors that has helped us win business
The HITRUST Certification Process
• Worked with an assessor who is also a QSA to consolidate effort
• Assessment process similar enough to PCI to allow us to combine the two into a single assessment. CSF further facilitates this.
• Determining scope for HITRUST assessment is key – there are no specific scoping requirements in the CSF, so it can be somewhat difficult. Make sure you clearly document your scope.
• Assessment requires you to provide lots of detailed evidence for your controls
• Evaluation of maturity level was new to us and not as easy as it appeared to be
QUESTIONS?