With the rise in attacks against healthcare infrastructure, it is important for healthcare organisations to explore security frameworks that can help them build a robust security programme to combat malicious actors. Common frameworks include NIST SP 800-53 and ISO 27001/27002, but another option is the framework from the Health Information Trust Alliance (HITRUST), which incorporates NIST and ISO controls and provides an appropriate balance of security management and technical controls to address the complexities of implementing and managing security.
Measuring healthcare providers' security and compliance
Specifically, HITRUST created the Common Security Framework (CSF) so that organisations can consistently measure their security and compliance. Its controls are spread over 19 security domains to help manage risk and meet regulatory obligations. The CSF maps to many standards and regulations, including HIPAA, the HITECH Act, PCI DSS and MARS-E. In addition, a CSF assessment produces a risk score that can guide organisations in improving their overall security effectiveness.
How can CSF help your organisation with its cybersecurity? Below are a few of its domain capabilities built to address the three critical elements of cyber protection – access control, communication security and incident response.
Access Control: The primary control in defending against cyber-attacks is preventing unauthorised access to the organisation's resources.
- Password management addresses the protection, use and complexity of passwords, including screening for commonly used passwords
- Access control is covered in great detail, ranging from standard user access to privileged access. Complying with these controls substantially reduces the risk of compromise
- Third-party assurance should be a concern for every organisation. The CSF covers areas ranging from contract terms to auditing your third parties for a sound security programme
- The CSF addresses sensitive information throughout its domains, but the data protection and privacy domain does a particularly good job of covering the critical aspects of protecting sensitive data throughout its lifecycle
Communication Security: Enforcing security controls on external and internal communications is critical in preventing attacks.
- Mobile device security is something organisations must not overlook; implementing the controls required by the CSF will guide them on the minimum requirements when selecting security technology for mobile devices.
- The network protection domain requires controls and technology to defend against attacks and reduce their impact. While security technology is required, many of these controls concern appropriate network segregation and best practices in configuring that technology.
- Transmission protection is an obvious requirement for data coming into and leaving an organisation. The CSF goes a step further by taking a trust-based approach to data transmission, reducing overall exposure to attacks.
Incident Response: An effective incident response plan will drastically reduce an attack's impact on an organisation.
- The audit logging and monitoring domain is critical in supporting the identification and timely response to an attack. However, we have found that many organisations do a poor job of logging and have not implemented a Security Information and Event Management (SIEM) solution. Complying with this domain is critical in defending against cyberattacks, and CSF does a good job outlining the necessary requirements.
- Incident management covers more than most people expect: roles and responsibilities, testing, and lessons learned are all components of the incident response domain and are necessary for an effective incident response plan.
- Business continuity and disaster recovery are components of an incident response plan that are often overlooked until there is a breach or security incident. The CSF provides requirements for an organisation to recover effectively from an incident through appropriate backups, resiliency and testing.
Implementing security in the cloud is essential for healthcare
As more companies move to the cloud, it’s more imperative than ever to become CSF compliant and improve security posture in defending against attacks. For information on Mazars’ HITRUST CSF Compliance Services, click here.
Byline by Philip Jones, Mazars, Director of Security - Acting Information Security Officer (CISO), Data Privacy Officer (DPO)