Health Industry Third Party Assurance Summit

Welcome and Opening Remarks
CSF Assurance: The New Standard for Streamlining the Third Party Assurance Process

November 13, 2015

Daniel Nutkis – CEO, HITRUST
Robert Booker – Vice President & CISO, UnitedHealth Group
Ray Biondo – Divisional Senior Vice President & CISO, Health Care Service Corporation
Roy Mellinger – Vice President & CISO, Anthem
Omar Khawaja – Vice President & CISO, Highmark

© 2015 HITRUST Alliance. All Rights Reserved.




BACKGROUND AND INDUSTRY PROGRESS TO DATE


How did we get here?

Most recently, many of you were notified of updates to your business associate and partner agreements, specifically a REQUIREMENT for use of the HITRUST CSF Assurance Program.

Ray Biondo – Divisional Senior Vice President & Chief Information Security Officer
Robert E. Booker – Vice President & Chief Information Security Officer
Omar Khawaja – Vice President & Chief Information Security Officer
Roy R. Mellinger – Vice President, IT Security & Chief Information Security Officer
Jon Moore – Vice President & Chief Information Security Officer


How did we get here?

Or a PREFERENCE for leveraging the CSF Assurance Program


How did we get here?

•  Addressing inefficiencies and inconsistencies in 3rd Party Assurance has been ongoing for many years
•  Was considered a priority back in 2007


How did we get here?

Continual progress since 2007
•  Initial 3rd Party Assurance Summit held in May 2009
•  Held subsequent Summits
•  CSF updates annually
•  CSF Assurance updates annually
•  Org/Covered Entity guidance
•  Partner/Business Associate guidance


Current State – Reality

The reality is that Orgs have many BPs, providing the BPs with increased access to a number of systems and sharing a great deal of sensitive information.

[Diagram: two Healthcare Organizations, each linked to three Business Partners; every link is labelled "Broad data and access"]


Current State – Further Complicated

The environment is further complicated by the fact that organizations can be both an Org and BP, outsourcing services to BPs and providing services to Orgs.

[Diagram: a chain of Organizations and Business Partners in which the same entity appears both as an Organization and as a Business Partner]


Current State – Web of Compliance

[Diagram: Providers, Payers, Pharmacies, Information Exchanges, an Outsourcer and an EHR Vendor, each linked to several of nine separate Third Party Auditors]


Current State – Reporting

[Diagram: several Organizations each send their own Requirements to the same Business Partners (BPs), and each BP returns a separate audit report per Organization (Audit Report 1, Audit Report 2, Audit Report X, Audit Report Y, Audit Report #)]


Healthcare Orgs/Covered Entity Challenges

•  Complex contracting process due to organization-specific security requirements
•  Low response rate, inaccurate and incomplete responses
•  Inadequate due diligence of questionnaires
•  Difficulty monitoring the status and effectiveness of corrective action plans
•  Difficulty tracking down appropriate contacts at business associate
•  Costly and time-intensive data collection, assessment and reporting processes
•  Inability to proactively identify and track risk exposures at business associate
•  Lack of visibility into downstream risks related to business associate (i.e., business associate’s own business partners)
•  Lack of consistent reporting to management on business associate risks


Business Partner Challenges

•  Complex contracting process due to unique security requirements
•  Broad range and inconsistent expectations for responses to questionnaires—inability to effectively leverage responses across organizations
•  Complex processes:
   –  Maintaining broad range of reporting requirements
   –  Tracking to varied expectations around corrective action plans
   –  Tracking down appropriate contacts at customers
   –  Expensive and time-intensive audits by customers
   –  Inability to consistently and effectively report to and communicate with customers
   –  Risk exposure to inconsistent responses from different business units of the business associate


Universal Agreement that the Current Model is Broken

•  There are no scenarios where performing 15, 50 or 250 or more unique assessments makes sense for a business associate to communicate their information privacy and security posture (on the same scope)
•  Nor does maintaining and supporting an organization-specific assessment methodology and performing assessments for a healthcare organization
•  HITRUST has been working with healthcare organizations and business partners to identify a practical and implementable approach

Common Requirements → Uniform Assessment Process → Simplified Reporting → More Efficient and Effective Compliance Process


Today’s Session

Hear from Us:
•  More about the CSF Assurance program
•  Organizations requiring their partners adopt the CSF Assurance program
•  Business Partners already adopting the program and how they are leveraging it
•  How to get started and get help

Hear from You:
•  Questions you have
•  What You Need
   –  Additional guidance, tools, outreach?
   –  Support in working with other covered entities that don’t accept CSF Assurance reports?


Health Industry Third Party Assurance Summit

Partner Requirements, Expectations, Timelines and QA

Facilitator: Michael Frederick – Vice President, Operations, HITRUST
Bryan Sheehan – Senior Director, Information Risk Management, UnitedHealth Group
Chris Burnett – Director, Information Security, Anthem
Tim Belardi – Director, Tech Advisory Services, Highmark
Darin Clapp – EIP Contracts Manager, Humana
Brenda Callaway – Executive Director, Information Security, Health Care Service Corp.


What did we do?

Notified industry of updates to their business associate and partner agreements, including use of the HITRUST CSF Assurance Program
•  HITRUST CSF certification is required
•  2-year implementation schedule

Ray Biondo – Divisional Senior Vice President & Chief Information Security Officer
Robert E. Booker – Vice President & Chief Information Security Officer
Omar Khawaja – Vice President & Chief Information Security Officer
Roy R. Mellinger – Vice President, IT Security & Chief Information Security Officer
Jon Moore – Vice President & Chief Information Security Officer


Why did we do it?


What did they do?

•  Initiated push by others in healthcare to require the same of their BAs/partners
•  Example is from a joint letter by 10 pediatric hospitals to their BAs/partners strongly encouraging adoption of the HITRUST CSF
   –  Enables use of a single assessment
   –  Ensures the safety and security of patient data
   –  CSF certification is highly attractive to the signatories


Is this really a good idea?

•  Standardized requirements aligned with healthcare compliance requirements

•  Industry benchmarks rather than company-specific requirements

•  Shared resources for assessment, reporting, and compliance tracking

•  Reduced time/expense on client audits, assessments, and onsite reviews

•  Reduced time in pre-contract due diligence reviews

•  Provides a level of assurance that certain controls are in place

•  Timely and coordinated breach response processes

•  Proactive alert of increased business partner risk


What exactly do I need to do?

HITRUST CSF Self-assessment Report
•  90 days after Effective Date

HITRUST CSF Validated Report
•  18 months after Effective Date

HITRUST CSF Certification Report
•  24 months after Effective Date


Q&A

Q: “Can I submit my existing ISO Certification or SOC 2 in lieu of providing a CSF Assessment report to meet the Third Party Assessment requirements?”

A: The program requirements established by each of the organizations require that a CSF Assessment report be provided, with an initial CSF Self Assessment, followed by a CSF Validated Assessment and, within 24 months, a CSF Certification report.

Although not preferred, each organization does allow exceptions to be considered; they will be reviewed on a case-by-case basis to determine whether they are acceptable. This may include stipulations, such as additional material, documentation or reviews being provided.

It should also be noted that this consideration is on an individual organization basis, so acceptance by one organization does not mean any others will grant an exception. As such, we encourage organizations not to seek an exception unless a unique circumstance exists.


Leveraging the HITRUST CSF Assurance Program to Manage Third Party Risk

Health Industry Third Party Assurance Summit

Michael Frederick – Vice President, Operations, HITRUST


BENEFITS OF LEVERAGING THE HITRUST CSF ASSURANCE PROGRAM


Single Framework Reduces Complexity

[Diagram: three Healthcare Organizations (HO), each with its own Requirements, all mapped onto the single Common Security Framework (CSF), which is built on HIPAA, NIST and ISO]


HITRUST Model – Reporting

[Diagram: Healthcare Organizations (HO) express their CSF Requirements once through the HITRUST Common Business Partner Compliance Framework; each Business Partner (BP) obtains a single HITRUST Certification that is shared with every HO]


HITRUST Third Party Assurance Program (TPAP)

Value of the HITRUST TPAP
•  Standardized requirements aligned with healthcare compliance requirements
•  Industry benchmarks rather than company specific requirements
•  Shared resources for assessment, reporting and compliance tracking
•  Minimize repetitive processes
•  Simplified assessment and reporting processes
•  Enhanced business partner communications
•  Timely and coordinated breach response processes
•  Proactive alert of increased business partner risk

Common Requirements → Uniform Shared Assessment → Simplified Processes → Enhanced security & streamlined compliance costs


HOW DOES THE HITRUST CSF ASSURANCE PROGRAM WORK FOR THIRD PARTIES?


Program Definition

[Diagram: Third Party Assurance as the interaction between HITRUST CSF Assurance, the Covered Entity and the Vendor]

HITRUST CSF Assurance
•  Maintain CSF
•  Maintain MyCSF
•  Provide vendor support during
•  Provide covered entity support with communication & monitoring of assessments

Covered Entity
•  Communicate with vendors
•  Accept CSF assessment reports
•  Determine level of assurance
•  Determine level of risk tolerance

Vendor
•  Complete required assurance level assessment
•  Ensure you are meeting minimum requirement levels for your CEs


HITRUST CSF Assurance

[Diagram: the HITRUST CSF Assurance Program sits between Healthcare Organizations and Business Associates; Business Associates "Assess and Report Status with Corrective Actions", Healthcare Organizations "Analyze Results and Mitigate"]

•  Utilizes a common set of information security requirements with standardized assessment and reporting processes accepted and adopted by healthcare organizations
•  Through the program, healthcare organizations and their business associates can improve efficiencies and reduce the number and costs of security assessments
•  The oversight and governance provided by HITRUST supports a process whereby organizations can trust that their third parties have essential security controls in place


Key Components of the CSF Assurance Program

Standardized tools and processes
•  Questionnaire
   –  Focus assurance dollars to efficiently assess risk exposure
   –  Measured approach based on risk and compliance
   –  Ability to escalate assurance level based on risk
•  Report
   –  Output that is consistently interpreted across the industry

Cost effective and rigorous assurance
•  Multiple assurance options based on risk
•  Quality control processes to ensure consistent quality and output across HITRUST CSF Assessors
•  Streamlined and measurable process within MyCSF tool
•  End-user support


HOW DO WE GET STARTED?


Getting Started

Purchase and Perform a HITRUST CSF Self-Assessment
•  Access limited to 90 days
•  Information not retained for further assessments

Purchase and Perform a HITRUST CSF Validated Assessment
•  Access limited to 90 days
•  Information not retained for further assessments
•  Requires validation by an independent, certified HITRUST CSF Assessor Organization

(Optional) Purchase a subscription to MyCSF
•  Access is maintained as long as subscription is active
•  Information is retained as long as subscription is active
•  Allows for management of compliance and security posture over time
•  Allows for re-assessment to occur without expense of purchasing a formal report


HITRUST CSF and SOC 2® Reporting

Ken Vander Wal – Chief Compliance Officer, HITRUST


SOC 2®
•  Owned by the American Institute of Certified Public Accountants (AICPA)
•  Designed to provide information on processes and controls at a service organization, together with an independent service auditor’s opinion
•  Processes do not have to be related to financial statement processing—unlike SOC1 (ISAE 3402 / SSAE 16)
•  Criteria updated in early 2014 except for privacy, which is currently being updated
•  http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/SORHome.aspx

HITRUST CSF
•  Owned by HITRUST
•  Leverages and enhances existing standards and regulations to provide organizations of varying sizes and risk profiles with prescriptive implementation requirements
•  Intended to be used by any and all organizations that create, access, store, or exchange protected health information (PHI)
•  Two major components
   –  Information security implementation requirements
   –  Mapping and regulations
•  Updated annually – currently Version 7
•  https://hitrustalliance.net/hitrust-csf/


SOC 2®
•  Trust Services Principles
   –  Security
   –  Availability
   –  Confidentiality
   –  Privacy
   –  Processing Integrity
•  Select principles based on expected user needs
•  Must then address ALL criteria for the selected principles
•  Type 1 – design
•  Type 2 – operating effectiveness

HITRUST CSF
•  CSF Framework
   –  14 Control Categories
   –  45 Control Objectives
   –  149 Control Specifications
•  Risk factors drive control specification implementation requirements – up to 3 levels
•  Must meet all requirement specifications based on risk factors
•  Assurance program
   –  Self Assessments
   –  Third-Party Assessments
      •  Certified
      •  Validated


What Does SOC 2 / HITRUST Give Users?

SOC 2®
•  Management Assertion
•  Independent service auditor’s report
   –  Description fairly presents the in-scope services
   –  Controls suitably designed to meet in-scope criteria
   –  Controls have operated effectively to deliver criteria (Type 2)
•  Description of System
•  Description of Controls, Tests, and Results of Tests

HITRUST CSF
•  Certified/validated report issued by HITRUST based on work of independent third-party assessors
   –  Business/functional/organizational units that meet the associated criteria
•  Assessment context and scope of systems included in assessment
•  Breakdown of CSF control areas with a comparison to industry
   –  Includes maturity scores
•  Testing summary, corrective action plans, and completed questionnaire


Benefits of Combining SOC 2 & HITRUST CSF Assurance

•  Leverage the HITRUST CSF controls in SOC 2 engagements
•  Realize significant time efficiencies and cost savings by synergies between the CSF controls and Trust Services Principles and Criteria
•  Reduce the inefficiencies and costs associated with multiple reporting requirements
•  Service organizations’ controls can be considered both from the SOC 2 criteria and HITRUST CSF


Types of Reports

•  HITRUST CSF Certification: organizations can obtain a HITRUST CSF certification report through an assessment by a HITRUST approved assessor and issuance of the certification report by HITRUST
•  SOC 2 only: organizations that may have adopted the HITRUST CSF framework but NOT requested their service auditor to express an opinion on whether the controls at the service organization are suitably designed and operating effectively to meet the HITRUST CSF
•  SOC 2 + HITRUST CSF: service auditor’s report expresses an opinion on the fairness of presentation of description and suitability of design and operating effectiveness of controls based on 1) the Trust Services Principles and Criteria relevant to Security, Availability, and Confidentiality, and, 2) the HITRUST CSF
•  SOC 2 + HITRUST CSF + CSF Certification: organizations that have engaged a service auditor to express a SOC 2 + HITRUST CSF opinion and have achieved HITRUST CSF certification can obtain one combined report


Third Party Assurance Program Options

Report Option – Meets Requirements?
•  HITRUST CSF Certification – Yes
•  SOC 2 Only – No
•  SOC 2 + HITRUST CSF – Maybe—Recommend Discussing with Healthcare Organization
•  SOC 2 + HITRUST CSF + CSF Certification – Yes

SOC 2 leveraging the CSF must be performed by an AICPA firm that is also an approved CSF Assessor


HITRUST and AICPA

Collaborating to develop and publish a set of recommendations to streamline and simplify the process of leveraging the HITRUST CSF and CSF Assurance programs for SOC 2 reporting.

Work products:

•  Mapping of CSF to Trust Services Principles and Criteria (security, confidentiality and availability) (Completed)

•  Overview document with frequently asked questions (Available shortly)

•  HITRUST + SOC 2 Reporting Template (Available shortly)


Excerpt from the CSF: Trust Principles Mapping


Examples of FAQs •  Is the supplied mapping mandatory when performing a SOC 2 + HITRUST CSF report?

•  Does the mapping mean that if I’ve completed either a SOC 2 or a HITRUST examination that I’ve fulfilled the requirements of both?

•  One of the AICPA standards when issuing an opinion-based report is having “suitable criteria” when assessing the subject matter. Does the HITRUST CSF meet the definition of suitable criteria as defined by the AICPA?

•  Should the maturity of control attributes be assessed when completing the SOC 2 + HITRUST CSF report?

•  In a SOC 2+ HITRUST CSF Report, how does a qualified opinion related to the applicable trust services criteria impact the opinion related to the applicable HITRUST CSF Controls and vice versa?

•  How are exceptions addressed in a SOC 2 + HITRUST CSF Report with an opinion on both the Trust Services Principles and Criteria and the HITRUST CSF?

•  Can any service auditor that is a member of the AICPA issue a SOC 2 + HITRUST CSF or a SOC 2 + HITRUST CSF + CSF certification report?

•  Are there licensing considerations when a CPA uses the HITRUST CSF in an engagement, including a SOC 2 + HITRUST CSF engagement?


HITRUST + SOC 2 Reporting Template

Report Sections
•  Management Assertion
•  Independent Service Auditor’s Report
•  Entity’s Description of its System
•  Trust Services Principles/HITRUST CSF Controls Tested and Results of Tests
•  Mapping of Applicable Trust Services Principles and Criteria to the HITRUST CSF, and HITRUST CSF certification report


Draft of Opinion Wording

In our opinion, in all material respects, based on the description criteria and the applicable trust services criteria and HITRUST CSF requirements,

a. the description fairly presents the system that was designed and implemented throughout the period January 1, 20X1, to December 31, 20X1;

b. the controls stated in the description were suitably designed to provide reasonable assurance that the applicable trust services criteria and HITRUST CSF requirements would be met if the controls operated effectively throughout the period January 1, 20X1, to December 31, 20X1, and user entities applied the complementary user entity controls contemplated in the design of the Service Organization's controls throughout the period January 1, 20X1, to December 31, 20X1; and

c. the controls tested, which together with the complementary user entity controls referred to in the scope paragraph of this report, if operating effectively, were those necessary to provide reasonable assurance that the applicable trust services criteria and HITRUST CSF requirements were met, operated effectively throughout the period January 1, 20X1, to December 31, 20X1.


QUESTIONS?


Health Industry Third Party Assurance Summit

Resources to Help (Role of Assessors)

Facilitator: Michael Frederick – Vice President, Operations, HITRUST
Paul Johnson – Senior Manager, Wipfli LLP
Andrew Hicks – Practice Director, Healthcare & Life Sciences, Coalfire
Michael Parisi – Director, PricewaterhouseCoopers LLP
Carisa Brockman – Practice Director, Governance, Risk, and Compliance, AT&T Security Consulting


WIPFLI

Paul Johnson, Senior Manager


Wipfli Background

• Accounting and consulting firm
• Established in 1930
• Over 1,500 professionals
• 35 offices in the U.S.
• 2 international locations
• One of the top 20 accounting and consulting firms
• Healthcare Risk Advisory Team led by Paul Johnson and Rick Ensenbach


Lessons Learned

• HITRUST is an investment for the future
• Seek assistance when completing the baseline assessment
• Focus on Policy, Process, and Implementation
• Be prepared for the validated assessment
• The process will take time to complete
• HITRUST Certification is not a one-time goal to achieve


INTRODUCTION TO COALFIRE AND THE PASS METHODOLOGY

Andrew Hicks, Healthcare & Life Sciences Practice Director


About Coalfire

• HIPAA and HITRUST – covered entity and business associate assessment, advisory & testing.
• PCI DSS – merchant and service provider assessment, advisory & testing services.
• Federal (FedRAMP and FISMA) – assessment, advisory & testing services for CSPs (3PAO).
• ISO – Certifying Body accreditation.
• SSAE 16 & SOC 2 – preparatory and assessment services for service organizations.
• GLBA/FFIEC – assessment, advisory & testing services for financial services institutions.
• NERC CIP – assessment, advisory & testing services for utilities.
• SOX – Section 404 IT GC advisory and testing services.


The Benefits of a Defined Methodology

• Phased approach that reduces cost, time, and complexity
• Gated process that:
  – Embeds multiple checkpoints for quality assurance
  – Integrates remediation roadmaps to minimize CAPs
  – Provides the best opportunity for certification
  – Increases the likelihood of on-time completion
  – Streamlines the assessment lifecycle
• Accommodates Self and Validated Assessments
• Continuous status reporting
• Built-in project management
• Methodology applies to all organizations, regardless of size, complexity, and objectives


PwC

Michael Parisi, Director


PwC and HITRUST

• An original assessor
• Perform HITRUST readiness and certification assessments
• Payer organizations, moderate to large
• Provider systems and ACOs, moderate to large
• Business Associates of all sizes, industry agnostic
• Other third party assurance and assessment leveraging the CSF
• Assisted in the creation of the initial CSF
• Participated in various committees with HITRUST, including the SOC 2 alignment and governance committee


Business Drivers

• Regulatory changes (omnibus, SEC disclosure/audit, TX HB300)
• Outsourcing non-core business functions, greater integration of disparate technology, increased use of cloud services
  – Payers / Providers increasingly use Business Associates to collect, house, process, and transmit ePHI
  – Growing risk / liability associated with information protection
  – Concern: "How are our BAs protecting our ePHI?"
• Unclear/inconsistent definition of sensitive data and risk of data breach
• Significant cost of compliance; programs may be duplicative and inefficient, and many struggle to have an integrated approach to compliance
• Need for an increased level of transparency outside of financial reporting
• Cyber security threats and concerns
• Desire/need for organizations to up their game on control maturity


Benefits to Third Party Assurance: Assess Once, Report Many

Customers and Vendors can recognize further efficiencies in external reporting by considering some key points around third party assurance:

Customers:
• Imposing customized requirements on vendors
• Numerous assessments are difficult to manage and execute
• Pass burden and cost along to vendors
• Need for a recognized standard
• Obtaining a level of independent third party assurance adds comfort

Vendors:
• Audit fatigue and resource drain due to multiple assessments
• In constant response mode with no time for remediation
• Absorb cost of reporting
• Leverage reporting for other purposes
• Differentiating factor


Key Questions to Consider

What are the boundaries of the system?
• The scope of the review that would need to be performed (e.g., what parts of the business would be covered, what applications would be in scope, etc.)
• What is the description of the service organization's system (e.g., the policies and procedures to provide the services covered by the report)?
• The overlap with other internal controls reporting (e.g., SOC 1 or SOC 2) and with existing assurance functions (e.g., internal audit, risk, compliance, etc.), to understand the cost and the opportunities for leverage.
• The boundaries of the system need to be clearly understood, defined, and communicated. In HITRUST certifications the boundaries of the system may be less apparent than in SOC reports (i.e., not limited to financial systems).
• If addressing the privacy principle, at minimum all of the system components as they relate to the personal information life cycle should be covered (i.e., the collection, use, retention, disclosure, and disposal of personal information).


Drivers to Level of Effort and Timeline

1. Scoping Considerations
   – Number of Applications
   – Nature of Risk and Regulatory factors
   – Baseline requirements
   – Outsourced Services
2. Initial Year vs. Go-forward
   – Upfront investment for the initial year
   – Readiness typically only in the first year, and highly recommended
   – Leveraging cumulative knowledge and documentation
3. Timeline for Certification (moderate to large organization)
   – Readiness: 2 to 3 months
   – Remediation: 2 to 4 months
   – Testing: 2 to 3 months
   – Reporting: 1 month


AT&T SECURITY CONSULTING

Carisa Brockman, Practice Director, Governance, Risk and Compliance


AT&T Security Consulting HITRUST Experience and Background

• Approved CSF Assessor since 2010 (involved as VeriSign Global Security Consulting since HITRUST inception)
• Successful certification / expertise across healthcare and service provider/BA verticals
  – Providers
  – Business Process Outsourcers
  – Managed Hosting and Co-location Services
  – Storage and Cloud Solutions
  – Healthcare Applications / Portals


Lessons Learned (Readiness, Planning, Communication)

• Readiness assessment
• Evidentiary documentation
• Understanding of MyCSF
• Know where your data is
• Metrics and scoring methodology
• Client
• HITRUST
• Scoping
• Roles and responsibilities and time commitment
• Sampling strategy
• Timing and key dates


QUESTIONS?


Health Industry Third Party Assurance Summit

Leveraging Reports with other Partners

Program Facilitator: Michael Frederick – Vice President, Operations, HITRUST
Deborah Hutchinson – Audit Program Manager, Legal Affairs and Compliance, Availity
Daryl Hykel – InfoSec Analyst II, HMS
Travis Good – Co-founder and CEO, Catalyze, Inc.
Kurt Hagerman – Chief Information Security Officer, Armor


AVAILITY

Debbie Hutchinson, Audit Program Manager


Who is Availity? As an industry-leading health care information technology company, Availity serves an extensive network of health plans, providers, and technology partners nationwide through a suite of dynamic products built on a powerful, intelligent platform.

Availity integrates and manages the clinical, administrative, and financial data needed to fuel real-time coordination between providers, health plans, and patients in a growing value-based care environment.


Why HITRUST Certification?

• Highly regulated industry, resulting in multiple compliance programs and assessing against multiple standards
• Customers submit extensive security questionnaires
• Redundant assessments distract security resources that should be monitoring security
• Need a broader framework that can accommodate your organization's specific requirements and is constantly updated


What is the value of certification?

• Demonstrates focus on being a leader in the marketplace and a trusted partner, demonstrating our commitment to security
• Provides the healthcare industry with a certifiable framework with scalable security requirements
• Provides an audit- and security-friendly framework for ongoing compliance, to help perform continuous auditing and monitoring
• Reduces time spent on customer security questionnaire requests and internal assessment time
• Crosswalks to complete a joint assessment for our HITRUST and SSAE 16 SOC reporting


HEALTH MANAGEMENT SYSTEMS

Daryl Hykel, InfoSec Analyst II


About Health Management Systems (HMS)

• Based in Irving, TX, with more than 25 offices nationwide.
• Providing healthcare cost containment solutions for 40 years in the following areas:
  – Coordination of benefits (COB)
  – Fraud, waste, and abuse (FWA)
  – Eligibility and recovery solutions
• Clients include state, Federal, and commercial health plans, employers, and providers.
• Solutions save clients billions of dollars every year.


Why HITRUST?

• Client requirements were the primary driver in becoming HITRUST certified. By 2014, it was determined that obtaining certification was required to continue doing business with notable clients.
• Post-assessment, HMS adopted the CSF baseline requirements as the HMS control framework to monitor risk and compliance on an ongoing basis.
• Integrated CSF baseline requirements into Archer eGRC Policy and Compliance Management programs to drive control gap remediation.
• Current use case: mapping other control frameworks to the CSF to satisfy client compliance requirements, such as CMS-ARS.
• HITRUST certification is helping to lessen the duration of third-party assessments, reducing regulatory and compliance burdens.
• Certification is also being leveraged as a competitive advantage during RFPs.


Observations About the Assessment Process

• Comprehensive assessment process that reviewed 299 controls across 19 assessment domains. Highly rigorous yet approachable.
• Assessing controls in five key areas (Policy, Process, Implemented, Measured, & Managed) resulted in less ambiguity during the assessment and helped to reduce subjective interpretation, which can be an issue during third-party assessments.
• Timeline was two weeks of self-assessment, one week onsite with the HITRUST assessor, and three weeks to formulate corrective action plans (CAPs).
• Positive experience with MyCSF, especially with the reporting features and CAP Management functionality. Good platform stability.


CATALYZE, INC.

Travis Good, Co-Founder & CEO


About Catalyze

• Catalyze provides compliant, HITRUST-Certified tools to accelerate digital health adoption and scaling
• Catalyze products solve the two common challenges for digital health technologies: compliance and data integration
• Catalyze supports a wide range of customers, from providers (the VA), to payers (Blue Shield of California), to digital health vendors (Healthloop, Propeller Health)


Why HITRUST? 3 Reasons…

• Internal Rigor: we wanted to force a level of information security and organizational structure into everything we do.
• External Validation: we wanted to confidently say more than "we're HIPAA-compliant"; we wanted to signal that we take information security management seriously and raise the standard in the industry.
• Marketing: we wanted to leverage HITRUST, and our experience using it, to generate content for, and add value to, our content marketing strategy.


How have we leveraged HITRUST?

• Internally: we use the HITRUST CSF for ongoing management and oversight of our ISMP.
• Marketing and Sales: we leverage our HITRUST Certification in our sales, as well as in our digital health vendor customers' sales.
• Exploration of New Certifications Based on the CSF: we are now exploring using the CSF to achieve SOC 2 certification.


ARMOR

Kurt Hagerman, CISO


Who is Armor?

• Armor delivers your organization security controls, management and threat intelligence unmatched by standard tool vendors. This methodology is central to the opportunity to provide more as your complete cybersecurity partner.
• With Armor, you are enlisting expertly trained cybersecurity professionals who are armed with battle-tested processes. It's this unique balance that helps Armor keep your organization proactive against today's elite threat actors.
• Armor Complete, which includes our proven secure managed Virtual Private Cloud (VPC) or the converged Private Cloud infrastructure, is the ideal solution for organizations that store, access or manage critical or sensitive data that requires the best in trust, performance and security.
• Armor Anywhere bolsters security postures within third party cloud environments or your own IT infrastructure. It's an entirely new managed approach to protecting your data.


Why Armor pursued HITRUST Certification

• Security and Compliance are core values
• Third-party attestation against a recognized controls framework focused on the HIPAA Security Rule
• Added credibility to our security program
• Mapping of our controls to show how we help our customers achieve their own compliance with HIPAA
• Marketing and Sales
  – Too many CSPs tout being HIPAA compliant with no proof
  – Allows us to avoid the "trust us, we're compliant" messaging; we have a recognized certification
  – Differentiation from competitors that has helped us win business


The HITRUST Certification Process

• Worked with an assessor who is also a QSA to consolidate effort
• Assessment process similar enough to PCI to allow us to combine the two into a single assessment. The CSF further facilitates this.
• Determining scope for the HITRUST assessment is key; there are no specific scoping requirements in the CSF, so it can be somewhat difficult. Make sure you clearly document your scope.
• Assessment requires you to provide lots of detailed evidence for your controls
• Evaluation of maturity level was new to us and not as easy as it appeared to be


QUESTIONS?