As more healthcare information is stored and transmitted digitally, ensuring that your organization complies with the myriad of federal and state regulations is becoming increasingly difficult. As part of this digital transformation, healthcare organizations are partnering with cloud companies, data processors, and other organizations that must also comply with HIPAA business associate requirements. This has resulted in an increase in the scope of security challenges for healthcare providers and their business associates.
Since the Office for Civil Rights (OCR) is increasing its focus on auditing business partners as well, this adds another layer of complexity to ensuring your HIPAA compliance. While most healthcare organizations are familiar with the basic HIPAA requirements, turning those requirements into an actionable technology implementation roadmap can be an overwhelming task.
What is HITRUST?
The Health Information Trust Alliance (HITRUST) was developed by healthcare experts and IT professionals to provide a Common Security Framework (CSF). It offers a prescriptive group of controls, based in part on ISO structures, to help organizations simplify the process of managing HIPAA compliance. CSF provides healthcare organizations with an up-to-date framework of implementation guidelines that includes both US and international requirements. The HITRUST CSF is based on multiple risk factors, and designed to simplify compliance planning, especially for smaller organizations or those with limited resources.
Why Should Your Healthcare Organization Consider the HITRUST CSF?
HIPAA guidelines are somewhat elastic to account for organizational differences in size, capabilities, complexity, technology infrastructure, the probability of potential incursions and more. The same elasticity that makes these guidelines more manageable for organizations of all sizes can also make it harder for an organization to determine which protections are “reasonable and appropriate” for its specific environment. It can leave staff wondering whether the controls in place are sufficient to protect PHI and satisfy an OCR audit.
Given the ambiguity of many of the implementation guidelines and OCR’s increased focus on auditing covered entities and their business associates, many organizations require expert guidance on how to implement a safe, compliant framework of policies and controls. The HITRUST CSF is designed by industry experts and updated as requirements evolve, to provide organizations with an actionable roadmap, along with information and guidance resources, for structuring a compliant environment.
The HITRUST Framework
The HITRUST CSF is built around ISO/IEC 27001:2005 control clauses. It also incorporates several other ISO development and support processes, as well as additional domains for information security risk management and privacy requirements, into this framework. It provides 14 security control categories or domains, 45 control objectives and 149 controls.
HITRUST CSF control domains have one or more objectives that are organized around a common purpose. Similar to ISO, these controls are a set of specifications and implementation requirements designed to address the organization’s policies, procedures, guidelines, practices and structures at all levels – administrative, managerial, technical and operational.
A control can have as many as three different levels of implementation requirements, derived from multiple applicable legislative and regulatory sources, such as HIPAA, TX Health Safety Code, PCI-DSS & NIST. The industry experts at HITRUST also incorporate best practices into the framework, and your organization can select the implementation level that meets your organization’s specific system and regulatory risk factors.
One of the CSF domains, CSF domain 01 – Access Control, covers the business policies and security framework needed to control access to information. Within it, control objective 01.01 and control 01.a instruct organizations to establish and document an access control policy based upon business requirements.
The best way to satisfy CSF 01 is to install a comprehensive Security Automation & Orchestration solution like Network Sentry that provides dynamic access control to sensitive data. In today’s world of BYOD and IoT, healthcare organizations need to ensure that every device that accesses their network is secure so ePHI data is not compromised. Network Sentry provides complete end-to-end visibility of every endpoint device connected to the network, and automatically quarantines any unauthorized or compromised devices that no longer meet the security requirements. For example, if a doctor signs into the hospital network with out-of-date anti-virus (AV) software, Network Sentry can send the user to a self-remediation page to update the software before the device is allowed access.
Network Sentry also enables creation and enforcement of role-based policies that define the level of access for each device or individual connecting to the network. With Network Sentry, each person’s access to ePHI can be limited to ensure that they only see the specific information needed for their functional role.
In addition, Network Sentry continuously keeps an eye on each device and endpoint on the network, checking for suspicious behavior and monitoring for any device that goes out of compliance with your security protocols (e.g., the user downloads unsafe software or uninstalls AV). It then provides automated containment of vulnerable or compromised endpoints. Network Sentry profiles each device and keeps a detailed log of every action taken, then delivers the contextual information to security analysts to expedite containment. Network Sentry’s rich repository of device, user, application and network connection data can be leveraged through its built-in analytics to generate reports that can be crucial for HIPAA audits.
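As an added illustration (not Network Sentry code or any vendor's product), here is the decision flow the preceding paragraphs describe: a posture check that sends a stale-AV endpoint to remediation and quarantines one with AV removed or unsafe software, a least-privilege role map limiting which ePHI resources a user may reach, and an audit record of every decision. All policy values, role names and sample endpoints are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Hypothetical policy values, constructed for this example.
MAX_SIG_AGE_DAYS = 7                          # AV signatures older than this are "out of date"
PROHIBITED_SOFTWARE = {"p2p-filesharing"}     # software whose presence triggers containment
ROLE_RESOURCES = {                            # least-privilege map of role -> ePHI resources
    "physician": {"ehr-clinical", "lab-results"},
    "billing": {"ehr-billing"},
}

@dataclass
class Device:
    device_id: str
    user: str
    role: str
    av_installed: bool
    av_signature_date: Optional[date]
    software: set = field(default_factory=set)

def posture_decision(dev: Device, today: date) -> str:
    """Classify a connecting endpoint as 'quarantine', 'remediate' or 'allow'."""
    if not dev.av_installed or dev.software & PROHIBITED_SOFTWARE:
        return "quarantine"   # AV removed or unsafe software present: contain the device
    if dev.av_signature_date is None or (today - dev.av_signature_date).days > MAX_SIG_AGE_DAYS:
        return "remediate"    # stale AV: redirect to the self-remediation page
    return "allow"

def authorize(dev: Device, resource: str, today: date, audit: list) -> bool:
    """Grant access only if posture is clean AND the role is entitled; log every decision."""
    posture = posture_decision(dev, today)
    allowed = posture == "allow" and resource in ROLE_RESOURCES.get(dev.role, set())
    audit.append({"device": dev.device_id, "user": dev.user, "role": dev.role,
                  "resource": resource, "posture": posture, "allowed": allowed})
    return allowed

def demo() -> list:
    """Run constructed sample endpoints through the policy and return the audit trail."""
    today = date(2024, 1, 15)
    audit: list = []
    clean = Device("dev-1", "dr.smith", "physician", True, date(2024, 1, 14))
    stale = Device("dev-2", "dr.jones", "physician", True, date(2023, 12, 1))
    no_av = Device("dev-3", "b.lee", "billing", False, None)
    authorize(clean, "ehr-clinical", today, audit)   # allowed
    authorize(clean, "ehr-billing", today, audit)    # denied: outside the physician role
    authorize(stale, "ehr-clinical", today, audit)   # denied: sent to self-remediation
    authorize(no_av, "ehr-billing", today, audit)    # denied: quarantined
    return audit
```

The audit list is the kind of per-decision record an auditor would ask for under 01.a; in a real deployment it would be written to tamper-evident storage rather than kept in memory.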
Your healthcare organization can incorporate the CSF framework into your business practices, or take it a step further and become HITRUST CSF Certified. The consolidated controls view of the HITRUST CSF provides visibility into the controls for several regulatory requirements, and a HITRUST audit can also help you resolve potential issues prior to an official audit, avoiding costly HIPAA fines.
Network Sentry has a strong history of providing companies with the visibility, control and threat response that’s necessary to successfully implement the HITRUST CSF 01 and meet HIPAA requirements for access control. For more information on how Network Sentry can help your healthcare organization read our whitepaper, the Top 4 Network Security Challenges for Healthcare, or contact us at [email protected].