Understanding the HITRUST Common Security Framework:Why, What and How

Educational Webcast - September 16, 2008



Faculty

  • Moderator
    • Russell Pierce, Chief Information Security Officer, CVS Caremark
  • Presenters and panelists
    • Cliff Baker, Director – Health Information Technology
    • Brian Fuller, Director – Information Security Practice
    • Michael Cook, Manager – Risk Management
    • Michael Frederick, Director of Information Security and CISO, Baylor Health Care System

Need for a Common Security Framework
  • CVS Caremark perspective
    • Quick facts
      • 190,000 Employees
      • Approximately $80 billion in annual revenue
      • No. 1 provider of prescriptions in the nation – More than 1 billion prescriptions filled or managed annually
      • No. 1 Specialty Pharmacy
      • 6,300 CVS/pharmacy stores in 40 states
      • 4+ million customers per day shop at a CVS/pharmacy store
      • No. 1 Retail Medical Clinic Operator – 500+ MinuteClinic locations in 25 states
      • More than 1.8 million MinuteClinic patient visits

Need for a Common Security Framework (continued)
  • CVS Caremark perspective
    • Facing multiple challenges with regards to information security:
      • Costs and complexities of redundant and inconsistent requirements and standards
        • Multiple certifications (internal & external)
        • Business partner review and certification
      • Confusion around implementation and acceptable baseline controls
      • Information security audits subject to different interpretations of control objectives and safeguards
      • Increasing scrutiny from regulators, auditors, underwriters, customers
      • Growing risk and liability associated with information protection

Industry Needs to Take Action
  • Healthcare organizations need to better address information security
  • Industry needs to identify and adopt a single approach to information security
    • Model that meets the needs of the entire organization
    • Model that scales based on risk and complexity
      • Applicable
      • Practical
    • Model that is certifiable
      • Provides for clarity and understanding (Prescriptive)
    • Addresses the risks and requirements associated with business partners

HITRUST Common Security Framework Components (diagram)

  • Information Security Implementation Manual
    • Standards and materials leveraged:
      • Control objectives – primary reference: ISO/IEC 27002:2005
      • Information Security Management System – primary reference: ISO/IEC 27001:2005
      • Health informatics – ISO 27799
      • NIST 800 series
      • U.S. healthcare industry implementation standards
      • HITRUST member experience
  • Standards and Regulations Cross Reference Matrix
  • Readiness Assessment Toolkit
  • Self assessment process
  • Certification process


HITRUST Common Security Framework

The HITRUST Common Security Framework (CSF) is a comprehensive set of tools developed to aid organizations that create, store, access or exchange electronic health and other sensitive information in protecting their information assets and managing related risks, costs and complexities.

The CSF comprises three components:

  • The Information Security Implementation Manual: A certifiable, best-practice based specification that includes required sound security governance practices (e.g., organization, policies, etc.) and sound security control practices (e.g., people, process, technology) that scales according to the type, size and complexity of each organization to provide prescriptive implementation guidance
  • The Standards and Regulations Cross-Reference Matrix: A tool to help reconcile the framework to common and different aspects of generally adopted standards
  • The Readiness Assessment Toolkit: A toolkit that enables assessment (self or third party) and scoring of an organization’s information security environment against the Information Security Implementation Manual

HITRUST CSF Info. Sec. Implementation Manual Example

  • Design
    • Prescriptive to ensure clarity
    • Certifiable to enable common understanding and acceptance
    • Scales according to type, size, and complexity of an organization
    • Designed to address business requirements specific to each segment of the industry. These segments include:
      • Health plan/PBM, Provider
      • Pharmacy, Pharmaceutical manufacturer
      • Data network/clearing houses
    • Risk-based approach to allow organizations to identify the appropriate level of controls. This includes:
      • Risk contributing factors – elements that drive risk in an organization
      • Multiple levels of implementation requirements determined by risks and thresholds
    • Leverages existing globally recognized standards and avoids introducing additional redundancy and ambiguity into the industry
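The two design points above (a risk-based choice of implementation level, and a framework that maps each control back to the standards it leverages) are easier to reason about as data. The following Python model is an added illustration, not HITRUST's own toolkit or scoring method: every factor name, threshold, control identifier, clause mapping and the three-level scheme are assumptions constructed for this example. It shows how risk-contributing factors select a level, how the set of required controls grows with that level, how a self-assessment is scored and reported as gaps, and how the cross-reference matrix can be reversed to show which clauses of ISO/IEC 27002, NIST 800-53 and HIPAA a given level's controls address.

```python
"""Toy model of the CSF design described above: risk-contributing factors
select an implementation level, each control applies from a minimum level,
and a cross-reference matrix ties controls back to the standards the
framework leverages. All factor names, thresholds, control identifiers and
mappings below are illustrative assumptions, not HITRUST's published values."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class RiskFactors:
    """Assumed risk-contributing factors for one organization."""
    records_held: int          # number of PHI records under management
    external_exchange: bool    # exchanges PHI with business partners
    internet_facing: bool      # operates internet-facing systems holding PHI


def implementation_level(f: RiskFactors) -> int:
    """Map risk factors to a required implementation level 1..3.

    Thresholds are assumed for illustration: more records or more exposure
    pushes the organization into a higher level with more required controls.
    """
    level = 1
    if f.records_held >= 100_000 or f.external_exchange:
        level = 2
    if f.records_held >= 1_000_000 or (f.external_exchange and f.internet_facing):
        level = 3
    return level


# Cross-reference matrix (constructed): control id -> minimum level at which
# it is required, plus the clause in each leveraged standard it maps to.
CONTROLS: Dict[str, dict] = {
    "01.a Access control policy": {
        "min_level": 1,
        "refs": {"ISO27002": "11.1.1", "NIST800-53": "AC-1", "HIPAA": "164.308(a)(4)"},
    },
    "09.m Network controls": {
        "min_level": 2,
        "refs": {"ISO27002": "10.6.1", "NIST800-53": "SC-7"},
    },
    "09.s Information exchange policies": {
        "min_level": 2,
        "refs": {"ISO27002": "10.8.1", "HIPAA": "164.312(e)(1)"},
    },
    "10.f Cryptographic controls policy": {
        "min_level": 3,
        "refs": {"ISO27002": "12.3.1", "NIST800-53": "SC-13", "HIPAA": "164.312(a)(2)(iv)"},
    },
}


def required_controls(level: int) -> List[str]:
    """Controls an organization at `level` must implement (sorted by id)."""
    return sorted(cid for cid, c in CONTROLS.items() if c["min_level"] <= level)


def readiness_score(level: int, implemented: Set[str]) -> float:
    """Fraction of required controls the self-assessment marked implemented."""
    required = required_controls(level)
    if not required:
        return 1.0
    met = sum(1 for cid in required if cid in implemented)
    return met / len(required)


def gaps(level: int, implemented: Set[str]) -> List[str]:
    """Required controls still missing, i.e. what a readiness assessment reports."""
    return [cid for cid in required_controls(level) if cid not in implemented]


def standards_covered(level: int) -> Dict[str, List[str]]:
    """Reverse the matrix: which clauses of each standard a level's controls satisfy."""
    out: Dict[str, List[str]] = {}
    for cid in required_controls(level):
        for std, clause in CONTROLS[cid]["refs"].items():
            out.setdefault(std, []).append(clause)
    return {std: sorted(clauses) for std, clauses in out.items()}


if __name__ == "__main__":
    # Constructed example: a mid-size pharmacy exchanging PHI with partners.
    org = RiskFactors(records_held=250_000, external_exchange=True, internet_facing=False)
    lvl = implementation_level(org)
    done = {"01.a Access control policy", "09.m Network controls"}
    print("level:", lvl)
    print("score:", round(readiness_score(lvl, done), 2))
    print("gaps:", gaps(lvl, done))
    print("standards:", standards_covered(lvl))
```

The point of keeping the level selection, the control table and the cross-reference in separate functions is the one the slide makes: an auditor, a business partner and the organization itself all read the same table, so a certification at a stated level tells a partner exactly which controls were in scope and which clauses of the underlying standards they cover.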

  • Standardizing on a higher level of security will build greater trust in the electronic flow of information through the healthcare system.
  • The common security framework will also provide greater risk protection by:
    • Reducing risk: reduce risk, cost and confusion by incorporating best practices and loss experiences
    • Increasing confidence: increase confidence in the industry's ability to address information security, and streamline interactions with consumers, regulators and legislators
    • Measuring costs: establish a single benchmark for organizations to facilitate internal and external measurement
    • Reducing complexity: reduce the number, complexity and degree of variation in security audits or reviews that organizations impose on their trading partners, in effect establishing trust through certification

Being trusted, and being able to trust business partners, with respect to information security

Regulatory Conformity
  • Health Insurance Portability and Accountability Act (HIPAA)
    • Privacy Rule
      • Provides a means for covered entities to implement reasonable and appropriate safeguards for the protection of Protected Health Information (PHI)
    • Security Rule
      • Addresses requirements
        • Demonstrates a prudent and comprehensive approach towards compliance
        • Certifiable standards that map to all elements of the Security Rule
        • Provides a framework that matches the "process" elements of the Security Rule with measurable and effective security standards
      • Industry and regulator benefits
        • Provides a standardized approach for business associates to meet contractual obligations
        • Permits covered entities to meet due diligence standards for business associates
        • Provides a framework for health information exchange networks to use as a model
        • Provides regulators with an easy means of reviewing compliance approach, by standardizing the approach to security documentation
  • Also provides a means to meet the requirements of other regulations such as Sarbanes-Oxley

Standards Based
  • The HITRUST CSF adds measurable value by integrating and enhancing (adding context and/or clarifying) specific components of U.S. and international standards:
    • ISO's control framework (27001/27002)
    • NIST's control implementation and audit procedures (800-66, 800-53)
    • PCI's prescriptive security controls (PCI DSS)
    • COBIT's business process focus (COBIT 4.0)
    • ITIL's definitions
    • HIPAA's regulatory requirements
  • Broad and diverse membership allows the HITRUST CSF to accommodate the best industry practices and standards
    • Providers, health plans, pharmacies, PBMs and manufacturers
    • Professional services firms
    • Information security and technology vendors
  • The final result is a tailored, comprehensive, scalable and certifiable security framework for organizations that handle personal health information

Why HITRUST CSF over existing Information Security options?
  • Provides a benchmark for the healthcare industry’s adoption of information security
    • Provides a healthcare-specific industry implementation standard established through a comprehensive process, including best practices, regulations, and existing standards
    • Evolves based on industry practices, standards and experiences
    • Incorporates business requirements specific to each segment of the healthcare industry
  • Certifiable to ensure compliance, common understanding and acceptance
    • Prescriptive to ensure clarity and measurement
    • Provides accreditation and certification process to drive transparency and adoption of baseline information security controls
  • Follows a risk-based approach to allow security controls to be prioritized based on risk
  • Extensible to support compliance in other areas, such as Sarbanes-Oxley and PCI DSS

Questions and Answers

Questions and Answers and a replay of today's session will be available within the next 3 days at

Thank you and Additional Information

Thank you for taking the time to attend today's webinar. Additional material on the HITRUST CSF is available at

Information on the educational webcast series is available at