When the HIPAA regulations were initially enacted in the early 2000’s, there was much fanfare and misunderstanding on how to implement the new regulations. Some practices thought is was as simple getting rid of clear patient folders and having patients sign new consent forms. Looking back now at the initial Privacy, Security and Transaction rules, they were a painful first step on a long journey to better patient information security.
Today, we have regulations with real consequences for breaches and poor security practices. The Health Information Technology for Economic and Clinical Health Act (HITECH) act in 2009 introduced stiffer penalties for breaches, consequences for business associates and meaningful use to encourage information sharing. As a result, Security and Compliance surveys and audits by providers and payors proliferated and consumed a tremendous amount of labor and time. There had not been a standard method to assess the security of business associates until the last few years when the HITRUST Alliance seems to have gained traction with large HIT enterprises.
The HITRUST Alliance has a framework for security called the Common Security Framework (CSF). The current CSF edition is version 9.1 dates February 2018. Companies will need to sign up for and license the framework to get started. It is easy to register and download a 668 page PDF. The framework contains lots of cross references to governance controls like HIPAA, NIST, HHS Cybersecurity Program, FedRAMP etc. Organizations of different sizes have increasingly stringent requirements as the size increases.
The CSF PDF is not very helpful when it comes to defining HOW to implement the Policies and Procedures. Many large organizations are now using the CSF to perform risk management on their IT vendor. The CSF is an improvement because now one certification can meet the verification requirements of multiple customers. Some large organizations have built their own vendor certification portals based on the CSF.
As far as I know there is little in the way of tools to assist a company to implement tools to manage the CSF compliance process. It is currently very labor intensive. The terms and conditions of the HITRUST alliance CSF prohibit specifically the groups below.
- IT security service providers,
- IT security product providers,
- IT security consultants, and/or
- IT security vendors and suppliers.
I am not sure why, but this prohibition seems to prevent tool builders from entering the CSF market to help enterprises manage compliance. There is a new article (Sept 10 2018) on the HITRUST website about TrendMicro and HITRUST alliance forming a new company to provide Cyber Risk Management as a Service.
If you are starting from scratch, you can checkout a very helpful GIT repository that Catalyze.IO/Datica made available to the industry at https://github.com/catalyzeio/policies. These policies are a good start but you will still be adding your own, editing these and implementing controls for your environments. These policies are a good model to start from and you may learn a lot about how another company implemented CSF policies and passed CSF Assessments..
The Datica policies use the Markdown lightweight markup language and Git to manage the actual policies. Markdown is a powerful plain text language that links across documents like HTML but is easy to edit, and using GIT repository allows everyone to see what has changed. Markdown does not like images or screen shots, so I prefer using Confluence a Wiki editor with labels to manage the Policies and Procedures and documenting the implementation evidence. Confluence also supports document workflows to help manage the state of the documents, draft, approved, reviewed etc.
The CSF version 9.1 is composed of 13 control sections.
- 00.0 – Information Security Management Program
- 01.0 – Access Control
- 02.0 – Human Resources Security
- 03.0 – Risk Management
- 04.0 – Security Policy
- 05.0 – Organization of Information Security
- 06.0 – Compliance
- 07.0 – Asset Management
- 08.0 – Physical and Environmental Security
- 09.0 – Communications and Operations Management
- 10.0 – Information Systems Acquisition, Development, and Maintenance
- 11.0 – Information Security Incident Management
- 12.0 – Business Continuity Management
- 13.0 – Privacy Practices
Within each section are numerous control references. For each control reference there are five attributes Policy, Procedure, Implementation, Managed and Monitored. An organization must design its Policies and Procedures around the CSF controls and then cross reference them to the CSF controls The CSF certification process involves contracting with an outside ‘assessor’ to review the policies and procedures and ensure that there is evidence that the Policy exists, the Procedure is in place and there is evidence that the procedure is being followed. The assessment is not a one time event, it will need to be performed on a recurring basis. The hardest assessment will be the first for most organizations. Once the organization passes the third party assessment then will be able to claim they are CSF Certified and advertise this on web pages and marketing materials.