HITRUST: the Path to Cyber Resilience

Image

There has been a lot of talk recently about cyber resilience. There is no doubt that the ability to bounce back from a security event is important, however, all of the resiliency banter seems to be happening at the peril of sound risk management processes.  It is safe to say that the path to resilience is paved with risk management.

Risk management can be a tricky endeavor. Too many security professionals have been ambushed in meetings with a risk manager who drifts into wild flights of fancy. These types of unbridled catastrophic imaginings miss the point of solid risk management. One way to reign in these “journeys of the unlikely” is with the use of a solid assurance framework. One of the most notable assurance frameworks for risk management is offered by HITRUST.

What is HITRUST?

Many people in the healthcare industry are familiar with HITRUST, but the approach is not specific, or limited to health care. In fact, it is industry agnostic. The different assurance approach offered is useful for all industries that need to address compliance and risk management. What makes it superior to the other available models? The answer lies in the way that it engages an organization’s risk profile.

Building upon the Capability Maturity Model (CMM), and NIST’s PRISMA, the HITRUST approach leverages best in class components for a comprehensive information risk management and compliance program that integrates and aligns the following:

• HITRUST CSF – a robust privacy and security controls framework which harmonizes dozens of authoritative sources such as HIPAA, ISO 27001, and NIST 800-171.

• HITRUST Assurance Program — a scalable and transparent means to provide reliable assurances to internal and external stakeholders.

• HITRUST MyCSF — a HITRUST CSF compliance operations and audit management platform used by organizations adopting the HITRUST CSF, their external assessors, and HITRUST.

• HITRUST Shared Responsibility Program — a suite of matrices and inheritance workflows clarifying service provider and customer responsibilities and enabling the sharing of assessment results between service providers and their customers.

• HITRUST Assessment XChange — a third-party risk management solution.

• HITRUST Third Party Assurance Program — a third-party risk management process.

Today, many compliance gap assessments (including HITRUST, ISO 27001, etc.) represent a “point-in-time” evaluation to determine whether a particular benchmark of control implementation and operation is achieved. The assessment activities are then reviewed and re-performed periodically (e.g., annually). Unfortunately, this method requires assessors and certification bodies to extrapolate across a future time period based on current-state assessment results.

HITRUST is working to incorporate concepts of Information Security Continuous Monitoring into their assurance program’s methodology and offerings. The end goal of HITRUST’s efforts is to change the “point-in-time” nature of traditional security assessments to one of an ongoing, prospective nature by providing assessed entities, HITRUST assessors, and HITRUST itself a view into the status of controls with a frequency sufficient to make ongoing, risk-based decisions. The end result is even greater rely-ability of HITRUST as well as the possibility of ongoing HITRUST certifications valid for much longer today’s HITRUST certification offerings.

The only thing worse than discovering gaps in a security program is finding controls that have gone neglected to the point that an old gap is re-opened. An ISCM approach prevents this by creating less degradation over time than the traditional periodic review. Other tangible benefits include:

• Longer periods between comprehensive control gap assessments.
• Reduced time and effort needed to maintain certification.
• Reduced lifecycle costs for maintaining certification.
• Higher levels of assurance and trust with and amongst external stakeholders such as regulators, business partners, and customers.

Certification is important, as it offers objective verification that a security program is operating within the parameters of its intended design. This has implications beyond the comfort of a successful audit cycle. Through ISCM, the HITRUST CSF Assurance Program will allow the findings in the CSF Assessment Report to be truly prospective.

Many security initiatives are viewed as “cost centers,” not adding value to an organization. From a monetary perspective, a HITRUST certification adds value by not only helping a company to meet cybersecurity insurability standards, but it can also lower those insurance premiums. This is because the HITRUST standard holds high confidence in the industry. This is also recognized by entities such as the US Government Accountability Office (GAO), which is tasked with saving taxpayer money.

HITRUST & Tripwire

Continuous monitoring is not an entirely new concept, however, the challenge of achieving it requires tools that can facilitate this ideal. The HITRUST ISCM methodology integrates perfectly with Tripwire to move an organization towards this state of constant compliance and security.  Whether it is monitoring, or configuration management, these all add to a near real-time awareness of an organization’s risk profile.

With HITRUST ISCM, coupled with Tripwire, an organization can move away from the annual “heavy assessment”, to a baseline of understanding and continual compliance throughout the period of time to understand if a control stops functioning. Tripwire can help an organization change the way assurance is obtained, maintained, and communicated.

Security assurance and compliance can be achieved and maintained with the HITRUST ISCM approach, coupled with Tripwire. This also transforms security into a measurable, metric-based discipline, which is a vital stepping-stone towards security resiliency.

To learn more, download this solution brief to learn how Tripwire Enterprise users can automate HITRUST compliance with advanced reporting, broad platform support, and remediation guidance.