The HITRUST CSF as a Business Mentality

July 5, 2017

Written by Glenn D. Stover, CISSP, HCISPP, Beebe Healthcare

I have worked in the IT and healthcare field now for several decades — to which I attribute the ever-growing number of grey hairs that I have as time has moved on. The healthcare industry has similarly aged, from the adoption of the first mainframes and personal computers to the now growing landscape of the Internet of Things (IoT), patient portals, and expectations of instantaneous data anywhere, anytime. Add in the often uncertain regulatory future, and our health industry has similarly aged — although perhaps more gracefully than I.

It’s safe to say that social engineering has similarly grown, from the first poorly written and grammar-bereft spam emails to the new and highly aggressive malware and ransomware attacks. Security is a major component for highly reliable healthcare organizations, and I do not believe there is any question of the security risks to administration, operation, finance, and ultimately to patient safety. Rather, the question becomes: How are you maturing and evolving with this threat?

Maturity

The HITRUST CSF approaches control maturity based on NIST’s PRISMA report, which ultimately drives two very simple concepts: controls being intuitive, and controls being measurable. The first three tiers for maturity establish:

  1. Control requirements must be clearly understood at all levels;
  2. Procedures must be in place to support the implementation; and,
  3. Controls must be fully implemented and tested and operating as intended.

At a minimum, this expects that you have policies and procedures implemented that are easily understood, applied, and operational. Like many professionals, I have seen organizations adopt a “check the box” mentality when it came to policy development or procedural documentation. HIPAA was to blame, it was often excused, and that is why these things needed to be written down as policies or procedures. The minimum expectations were met, the ink dried, the paper filed away, and organizations went on with their day with no further concerns because they had their policy, so of course they were compliant… And yet, a targeted phishing campaign against your organization will not care that you have a very official and clearly implemented policy against opening questionable emails.

Measuring and Managing

Growing beyond an organizational adoption of the bare minimums is where the HITRUST CSF’s fourth maturity level of ‘Measured’ and fifth maturity level of ‘Managed’ become crucial. You can’t effectively manage what you can’t measure. We live in the age of big data where metrics are often very easily and very cost-effectively captured.

In applying these five maturity levels through my social engineering prevention program, there exists an Acceptable Use Policy (AUP) that clearly defines expectations for phishing emails (both real and internal test emails), defined step-by-step procedures, and controls that are implemented and routinely tested. A wealth of data from our social engineering prevention program is measured, including successes, non-successes, frequency of events, as well as individual, departmental, and organizational effectiveness. All of this seamlessly flows into the management of corrective actions, which ensure effective handling for any risks or identified weaknesses in the program.

A Framework Mentality

Although this only provides one such example, there is a clear benefit to applying the HITRUST CSF methodology as a business and operational mentality. As a result of tracking the five levels of maturity for our social engineering prevention program, we’ve made strategic decisions that have positively increased staff education, decreased organizational risk, and demonstrated financial ROIs. Despite the number of grey hairs, my adoption of HITRUST across multiple business lines shows sometimes you CAN teach an old dog new tricks.
