The HITRUST CSF as a Business Mentality

July 5, 2017

Written by Glenn D. Stover, CISSP, HCISPP, Beebe Healthcare

I have worked in the IT and healthcare field now for several decades, to which I attribute the ever-growing number of grey hairs I have acquired as time has moved on. The healthcare industry has aged alongside me, from the adoption of the first mainframes and personal computers to today's growing landscape of the Internet of Things (IoT), patient portals, and expectations of instantaneous data anywhere, anytime. Add in an often uncertain regulatory future, and our health industry has aged as well, although perhaps more gracefully than I.

It is safe to say that social engineering has grown in the same way, from the first poorly written, grammar-bereft spam emails to today's highly aggressive malware and ransomware campaigns. Security is a major component of a highly reliable healthcare organization, and I do not believe there is any question about the security risks to administration, operations, finance, and ultimately patient safety. Rather, the question becomes: how are you maturing and evolving with this threat?

Maturity

The HITRUST CSF approaches control maturity based on NIST's PRISMA (Program Review for Information Security Management Assistance) methodology, which ultimately drives two very simple concepts: controls must be intuitive, and controls must be measurable. The first three maturity levels establish that:

  1. Policy: control requirements must be clearly understood at all levels;
  2. Procedure: procedures must be in place to support the implementation; and,
  3. Implemented: controls must be fully implemented, tested, and operating as intended.

At a minimum, this expects that you have policies and procedures in place that are easily understood, applied, and operational. Like many professionals, I have seen organizations adopt a "check the box" mentality toward policy development and procedural documentation: HIPAA required it, the excuse went, and that is why these things had to be written down as policies or procedures. The minimum expectations were met, the ink dried, the paper was filed away, and the organization went on with its day with no further concern, because it had its policy, so of course it was compliant. And yet a targeted phishing campaign against your organization will not care that you have a very official and clearly implemented policy against opening questionable emails.

Measuring and Managing

Growing beyond the bare minimums is where the HITRUST CSF's fourth maturity level, 'Measured', and fifth, 'Managed', become crucial. You cannot effectively manage what you cannot measure, and we live in an age of big data in which metrics are often very easily and cost-effectively captured.

Applying these five maturity levels to my social engineering prevention program, there is an Acceptable Use Policy (AUP) that clearly defines expectations for phishing emails, both real and internal test emails; defined step-by-step procedures; and controls that are implemented and routinely tested. The program produces a wealth of measured data, including successes, non-successes, frequency of events, and individual, departmental, and organizational effectiveness. All of this flows directly into the management of corrective actions, which ensures that any risks or weaknesses identified in the program are handled effectively.
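To make the 'Measured' and 'Managed' levels concrete, the following added example (not code from the author's program or from HITRUST) takes a constructed set of simulated-phishing deliveries and computes the kind of metrics described above: click and report rates per department and organization-wide, the click-rate trend across campaigns, and per-user click counts inside a trailing window that feed a corrective-action decision. The users, departments, campaign dates, window length, and action tiers are all assumptions for illustration.

```python
"""Phishing-simulation metrics feeding corrective actions (added example)."""
from collections import defaultdict
from datetime import date, timedelta
from typing import NamedTuple


class Delivery(NamedTuple):
    """One simulated phishing email delivered to one user."""
    user: str
    department: str
    sent: date
    clicked: bool   # user followed the lure
    reported: bool  # user reported the email through the sanctioned channel


# Constructed sample data: hypothetical users and departments, three campaigns.
EVENTS = [
    Delivery("alice", "Nursing", date(2017, 1, 10), False, True),
    Delivery("bob",   "Nursing", date(2017, 1, 10), True,  False),
    Delivery("carol", "Nursing", date(2017, 1, 10), True,  False),
    Delivery("dave",  "Finance", date(2017, 1, 10), False, False),
    Delivery("erin",  "Finance", date(2017, 1, 10), False, True),
    Delivery("frank", "IT",      date(2017, 1, 10), False, True),
    Delivery("alice", "Nursing", date(2017, 3, 14), False, True),
    Delivery("bob",   "Nursing", date(2017, 3, 14), True,  False),
    Delivery("carol", "Nursing", date(2017, 3, 14), False, False),
    Delivery("dave",  "Finance", date(2017, 3, 14), True,  False),
    Delivery("erin",  "Finance", date(2017, 3, 14), False, True),
    Delivery("frank", "IT",      date(2017, 3, 14), False, False),
    Delivery("alice", "Nursing", date(2017, 5, 9),  False, True),
    Delivery("bob",   "Nursing", date(2017, 5, 9),  True,  False),
    Delivery("carol", "Nursing", date(2017, 5, 9),  False, True),
    Delivery("dave",  "Finance", date(2017, 5, 9),  False, True),
    Delivery("erin",  "Finance", date(2017, 5, 9),  False, True),
    Delivery("frank", "IT",      date(2017, 5, 9),  False, False),
]

# Assumed reporting date used for the trailing-window calculations below.
AS_OF = date(2017, 6, 1)

# Assumed corrective-action tiers keyed by clicks in the window; three or more
# clicks fall through to escalation. These are illustrative, not the author's.
ACTIONS = {0: "none", 1: "targeted refresher", 2: "manager review + retraining"}
ESCALATE = "escalate to security leadership"


def rates(events):
    """Click and report rates per department, plus an '_org' total."""
    buckets = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for e in events:
        for key in (e.department, "_org"):
            b = buckets[key]
            b["sent"] += 1
            b["clicked"] += e.clicked
            b["reported"] += e.reported
    return {
        key: {"sent": b["sent"],
              "click_rate": b["clicked"] / b["sent"],
              "report_rate": b["reported"] / b["sent"]}
        for key, b in buckets.items()
    }


def campaign_trend(events):
    """Organization-wide click rate per campaign date, oldest first."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for e in events:
        sent[e.sent] += 1
        clicked[e.sent] += e.clicked
    return [(d, clicked[d] / sent[d]) for d in sorted(sent)]


def clicks_per_user(events, as_of=AS_OF, window_days=180):
    """Clicks per user inside a trailing window; users with none are omitted."""
    start = as_of - timedelta(days=window_days)
    counts = defaultdict(int)
    for e in events:
        if e.clicked and start <= e.sent <= as_of:
            counts[e.user] += 1
    return dict(counts)


def corrective_actions(events, as_of=AS_OF, window_days=180):
    """Map every tested user to a corrective-action tier for the window."""
    counts = clicks_per_user(events, as_of, window_days)
    return {u: ACTIONS.get(counts.get(u, 0), ESCALATE)
            for u in sorted({e.user for e in events})}


if __name__ == "__main__":
    for key, m in sorted(rates(EVENTS).items()):
        print(f"{key:8} sent={m['sent']:2} click={m['click_rate']:.2f} "
              f"report={m['report_rate']:.2f}")
    for d, r in campaign_trend(EVENTS):
        print(f"campaign {d}: click rate {r:.2f}")
    for user, action in corrective_actions(EVENTS).items():
        print(f"{user:6} -> {action}")
```

The report rate is tracked alongside the click rate on purpose: a department whose users click rarely but never report is still a weak control, and the two numbers together are what the 'Managed' level acts on. The trailing window keeps the corrective-action decision tied to recent behaviour rather than a user's whole history.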

A Framework Mentality

Although this is only one example, there is a clear benefit to applying the HITRUST CSF methodology as a business and operational mentality. As a result of tracking the five levels of maturity for our social engineering prevention program, we have made strategic decisions that have increased staff education, decreased organizational risk, and demonstrated financial ROI. Despite the number of grey hairs, my adoption of HITRUST across multiple business lines shows that sometimes you CAN teach an old dog new tricks.
