This article is the second in a series. For the first installment, visit “Cybersecurity Frameworks in Healthcare.”
Welcome to part 2 of a 3-part series about cybersecurity frameworks in healthcare. Part 1 took a glance at what a solid cybersecurity framework looks like via the National Institute of Standards and Technology’s (NIST) response to President Obama’s Executive Order 13636. The order, titled “Improving Critical Infrastructure Cybersecurity” and released in February 2013, called for a voluntary cybersecurity framework demonstrating a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” for the management of cybersecurity risk. The NIST framework in turn provided a template for organizations to evaluate their own cybersecurity posture and prioritize improvements.
Here in part 2, we’ll dive into a healthcare IT version of the NIST framework from an organization called the Health Information Trust Alliance (HITRUST). In part 3, we’ll see how healthcare organizations can meet the framework and how the HITRUST process can be used to keep pace with evolving or new cybercrime exploits.
The High View
[reference float=”right”]HITRUST CSF Control Categories
0. Information Security Management Program
1. Access Control
2. Human Resources Security
3. Risk Management
4. Security Policy
5. Organization of Information Security
7. Asset Management
8. Physical and Environmental Security
9. Communications and Operations Management
10. Information Systems Acquisition, Development, and Maintenance
11. Information Security Incident Management
12. Business Continuity Management
13. Privacy Practices[/reference]
Like the NIST document we covered in the last section, the HITRUST schema is not a standard but a framework normalizing security requirements. It incorporates federal and state legislation and federal agency rules and guidance, as well as other industry frameworks. Therefore, using the HITRUST processes does not add to any regulation or increase the burden of compliance. However, by meeting the HITRUST cybersecurity framework, you can better assess your facility’s compliance coverage.
The entire HITRUST framework is comprised of several documents that completely integrate the NIST cybersecurity framework. The main HITRUST documents are the common security framework (CSF) and the risk management framework (RMF). (We’ll get into the latter in part 3.) Be sure to visit hitrustalliance.net to see the entire structure.
The organization of the HITRUST CSF is similar to the NIST version, save with a healthcare IT focus. The CSF identifies 14 Control categories that contain all of the standards and regulation in healthcare as authoritative sources (see the sidebar). HITRUST is careful to note that the categories are not listed in order of importance.
HIPAA compliance is among the many reasons to adopt a common security framework. HIPAA is not prescriptive, which makes it open to interpretation. By using a certified template to generate your own cybersecurity framework, you can be assured that you can meet the HIPAA Omnibus Rule from 2013 as well as the myriad other regulations, standards, and guidelines regarding cybersecurity.
Within the HITRUST CSF, each of the 14 control categories are broken down into detailed control objectives that state the outcome or reasoning behind what is to be attained. There are 45 total control objectives among the 14 categories. Diving into the detail, each control objective is then further defined by specific control specifications (a total of 149 specifications are included). Here is where the CSF maps to all the various regulations and guidelines for cybersecurity, indicating exactly what needs to be accomplished to meet the objective. It’s a pretty impressive document that clearly defines all the details for a robust and compliant healthcare cybersecurity framework.
The control specifications under each objective’s umbrella contain detailed information regarding associated risk factors that drive the level of control necessary. In addition, there are also implementation requirements that stipulate other control level requirements needed. Up to three levels can be defined, starting with Level 1, which defines the minimum baseline control requirement. Each additional level includes the lower level requirements, then adds additional requirements proportionate with increasing levels of risk.
To see how these tiered requirements cascade down through a given control category, let’s walk through an example. Take control category 01.0, access control. Under this category fall seven objectives, including objective 01.02, authorized access to information systems. This objective is then broken down into four control references, including user registration, privilege management, user password management, and review of user access rights. The third item, control reference 01.d, user password management, delineates all the grim details regarding password management. Potential risk factors and associated topics are also called out here, as well as the implementation requirements for the different levels of control.
For our sample control requirement, the document defines two levels, which each cover organizational factors, system factors, regulatory factors, and implementation steps. The last category typically offers the most information. For control reference 01.d, user password management, level 1’s implementation steps list the controls needed for password security and password allocation management. Level 2 describes additional steps such as password security, electronic signatures, and identification codes. Even more controls, such as those required by the Centers for Medicare and Medicaid Services or for federal tax information, will also be listed when applicable. Be sure to check the CSF main document for a complete list of all the standards, regulations, and guidelines included.
Finally, a standards map is provided to show which specifications and guidelines a particular control aligns to.
Keep in mind that cybersecurity is a component of overall information security specifically addressing malicious attacks via cyberspace. Data breaches can occur with a stolen laptop or hard drive as well. Therefore, it’s also important to maintain physical security. While cyber crimes may have a lower risk of occurrence, they can have a higher degree of impact in terms of harm done—especially if they go undetected for any length of time.
However, with more healthcare organizations moving from paper records to online, the risk of cyber crimes has risen. According to the Identity Theft Resource Center, 3 years ago the rate of cyber attacks in healthcare—in terms of the percentage of total data records breached—was at 9.6%, two and a half times higher than in the credit and finance industry and more than 10 times than in banking. As stated in the CSF, there’s still more work to be done, but the healthcare industry may be finally taking the lead with this cybersecurity framework.
Part 3 will explore the HITRUST risk management framework, which can help healthcare organizations mature from a compliance attitude toward cybersecurity to actively using threat intelligence.
Jeff Kabachinski is a healthcare IT pundit and technical strategist in Davidson, NC. For more information, contact chief editor Jenny Lower at [email protected].
- HITRUST Alliance. (2015, September 14). Healthcare’s Model Approach to Critical Infrastructure Cybersecurity. www.HITRUSTalliance.net.
- HITRUST Alliance. (2015). HITRUST Common Security Framework 2015 version 7. www.HITRUSTalliance.net.
- HITRUST Alliance. (2015). Introduction to the HITRUST CSF. www.itrustalliance.net.
- (2013). ITRC 2013 Breach List Tops 600 in 2013. Retrieved from Identity Theft Resource Center: www.idtheftcenter.org/ITRC-Surveys-Studies/2013-data-breaches.html
- HITRUST Alliance. (2015, September 14). Healthcare’s Model Approach to Critical Infrastructure Cybersecurity: How the Industry is Leading the Way with its Information Security Risk Management Framework. www.HITRUSTalliance.net.
Photo credit: © Binu Omanakkuttan | Dreamstime.com