The HITRUST Common Security Framework (CSF) is an important tool that healthcare organizations of all sizes can use in their approach to regulatory compliance and risk management. But what exactly are the basics of the CSF program, and what can facilities do to ensure that they are using CSF to the fullest?
Last week, Michael Frederick, Vice President of Assurance Services & Product Development at HITRUST, provided an overview of the HITRUST framework in a webinar with HealthITSecurity.com.
HITRUST CSF has become the most widely-adopted security framework in the nation’s healthcare sector. We’ll review the basics provided by Frederick, along with his responses to questions that numerous healthcare facilities have likely encountered as they work to implement HITRUST CSF.
What is CSF?
CSF is a single security framework that healthcare organizations use to address security challenges in the industry. The framework includes federal and state regulations, standards, and frameworks. Moreover, CSF assists healthcare organizations with a framework of prescriptive and scalable security controls.
HITRUST CSF helps facilities cross-reference existing, globally recognized standards, regulations and business requirements. This includes HIPAA, HITECH, NIST, ISO, PCI, FTC, COBIT and state laws. The controls can also be adjusted depending on the size, complexity and type of organization.
HITRUST also offers MyCSF, a web-based tool that healthcare organizations can use to perform assessments, manage remediation activities, and report and track compliance.
Learning from CSF
While the early adopters of CSF tended to be larger, more sophisticated healthcare organizations, Frederick explained that adoption has started to move down-market. Essentially, more small-to-medium-sized facilities are looking to adopt the framework, which is a good thing.
“That’s what it was designed to do,” Frederick said. “The real barrier to adopting the framework initially tends to be time. The questionnaire is pretty in depth.”
Specifically, the minimum number of questions a healthcare organization will need to answer is approximately 135. However, if the facility assesses against everything, they’re probably going to have closer to 400 questions to answer. Many are shocked, but it just requires organizations to plan accordingly, Frederick said.
“Keep in mind it is designed to be that all-encompassing risk assessment that HIPAA talks about and has talked about for years,” he said. “It’s hard to have something that’s all encompassing and concise, so we’ve done a pretty good job minimizing the complexity and volume to the minimal necessary.”
Frederick also highlighted the difference between a compliance-based framework and a risk-based framework. A compliance-based framework essentially looks at how well an organization hits the mark against a particular regulatory requirement, he said.
“A risk-based framework looks at an organization from a risk standpoint and what residual risk the organization is carrying, so it can make decisions that go beyond the simple ‘Are we meeting a regulation?’ to ‘Are we truly managing all of the risk that we need to manage?’”
An important takeaway for healthcare organizations evaluating cybersecurity risk is that the evaluation should feed an ongoing risk management strategy. According to Frederick, managing cyber risk should be ingrained into the very fabric of IT operations. Typically, the risks that facilities face are not the “cutting edge exploits,” he said, but things that have been around for years and that organizations have failed to patch or upgrade. The basic “hygiene stuff” could take care of approximately 75 to 80 percent of the threat that’s out there, Frederick said.
“You do need the ability to identify and consume intelligence,” Frederick explained. “It’s one thing for a researcher to be able to demonstrate that they can exploit a medical device or platform. That shows that something is possible. At that point it should be on your radar.”
From there, when a healthcare facility receives information from organizations like the Department of Homeland Security, it can recognize indicators that an exploit is making its way into cybercriminal enterprises and treat it as an active danger. Essentially, it’s crucial for a healthcare organization to feed that intelligence back into its risk assessment process.
All employees play a role
Another discussion brought up during the webinar was how CSF will adapt over time to suit the needs of healthcare organizations and keep pace with evolving regulatory changes. According to Frederick, HITRUST aims to put out a major release of the framework every year, along with an interim release toward the middle of the year.
HITRUST monitors the regulatory landscape and keeps the latest versions of its mapped regulations, so that the framework stays updated and supports the latest requirements.
“It’s an ongoing process,” Frederick said. “Our adopters and people that participate in the CSF program have a huge voice in prioritizing what’s important to get updated and what’s not. Feedback is key.”
Additionally, all levels of healthcare professionals play a key role in implementing CSF and creating a strong risk management plan. As with any strategic initiative, senior support is key, Frederick said. However, everybody has a role to play.
“Most security people will readily admit that issues with securing information are not technical,” Frederick said. “The weakest link tends to be people.”
Getting all C-level executives on board is key to driving CSF through to fruition, he said. Moreover, IT staff will need to be prepared, as that department is where the majority of the “heavy lifting” will occur. However, all employees need to be alert and diligent in order for the organization to successfully implement a strong risk management strategy and ensure that data remains secure.