Updates that simplify NIST certifications

Enhancements to support risk management programs

Those companies that understand the value of security frameworks use regulations as a stepping stone to help them build a more comprehensive approach to risk management, particularly across the healthcare ecosystem; however, an effective and relevant risk management program demands resources.

Smaller health care organizations are challenged with improving risk management and their overall cybersecurity posture because many simply don't have the resources to implement the changes necessary to be in compliance with HIPAA and NIST. They need help.

That help is coming in the way of a new initiative set forth by HITRUST. In its 2017 road map for enhancing the HITRUST CSF, one key change makes it so that certified organizations will only have to undergo a CSF assessment in order to provide both HIPPA and NIST Cybersecurity Framework compliance scorecards

Organizations that need to communicate the status of their information protection program from multiple viewpoints and organizations that need to report across multiple industries (such as HIPAA for PII/PHI, PCI DSS for payments, FFIEC for financial services, FedRAMP for federal and cloud) will benefit from these streamlining changes.

There are also those organizations that simply need to address an internal or external stakeholder’s request for reporting against multiple regulations, standards, or best practice frameworks.

"For example, a health insurer would typically want to demonstrate HIPAA compliance based on a HITRUST CSF security assessment but may also need to provide assurances to non-healthcare third-party organizations about how it protects member information through a SOC 2 report or through the lens of the NIST Cybersecurity Framework," said Daniel Nutkis,  founder and CEO at HITRUST.

The HITRUST CSF was designed to address the specific protection and compliance requirements of health information, "By incorporating DHS guidance on cyber resilience and ensuring a targeted security assessment covers each HIPAA standard and implementation specification, AICPA Trust Services criterion (ostensibly in support of a SOC 2), and each NIST subcategory, organizations can address multiple reporting requirements with a single assessment against a single set of information security controls," said Nutkis.

What HITRUST called the "assess once and report many" approach aims to reduce the amount of time and resources required for organizations to attest against multiple frameworks and regulations, including HIPAA, NOST, PCI DSS, FedRAMP, and FFIEC. This new support for FFIEC means that financial services organizations can now leverage HITRUST CSF.

"By implementing a single comprehensive information protection program that integrates requirements from the multiple requirements, an organization can realize significant efficiencies, reduce the number of resources it devotes to demonstrating compliance and providing third party assurance, and lower the overall costs of both," said Nutkis.

Key enhancements in the initiative include:

  • CSFBASICs: Streamlined versions of the HITRUST CSF and supporting HITRUST CSF Assurance Program designed to help small and lower-risk healthcare organizations meet otherwise difficult regulatory and risk management requirements.
  • HITRUST CSF V8.1: Continued enhancements including support for PCI DSS v3.2 and MARS-E v2.
  • HITRUST CSF v9: Continued enhancements including OCR Audit Protocol v2, FEDRAMP Support for Cloud and IaaS Service Providers and FFIEC IT Examination Handbook for Information Security.
  • CSF Assurance Program v9: Enhanced so that a HITRUST CSF Assessment also includes a NIST Cybersecurity Framework certification with auditable documentation in addition to a HIPAA risk assessment.

Copyright © 2017 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline