HITRUST has been creating quite a buzz recently within the healthcare compliance space, and a hefty amount of confusion and frustration besides. In a recent open letter to the HITRUST Alliance, seasoned Information Security, Privacy and Regulatory Compliance expert Kamal Govindaswamy, CISSP, CIPP/US, CCSP, addressed some common concerns. His letter was informative and well-crafted, so we share it here for our readers.
I spend a predominant part of my professional time in healthcare infosec and privacy – performing risk assessments, developing and implementing various infosec program strategies, risk mitigation efforts, and so on. Considering my years of experience and work equally with executives as well as “in the trenches”, I might venture to say that I have a fair sense of what works and what probably doesn’t have a good chance of working in infosec programs at Healthcare Covered Entities and Business Associates (BAs) alike.
So, when I recently saw this press release put out by you in June, I couldn’t help thinking about whether and how mandating that BAs undergo a HITRUST CSF certification will lead to “more effective third-party risk management in the healthcare industry”. I came away with several questions and I thought the best way to ask or discuss them is through this open letter. I am hoping this letter leads to a constructive debate on the HITRUST CSF from interested parties everywhere.
To be rather forthright, I don’t see how the HITRUST CSF/RMF can be a good risk management framework in today’s healthcare environments for the following reasons that I can readily think of:
- Cumbersome and Expensive – HITRUST CSF may be useful for organizations looking to build a rationalized compliance program and perhaps a reasonable basis for a security program. However, it is just too cumbersome to be used as the basis for infosec risk management at most healthcare organizations. Such cumbersome nature often means that HITRUST CSF efforts can be too expensive for the risk management outcomes they might be expected to help deliver.
- Arbitrary – The controls you have in HITRUST CSF under Levels 2 and 3 as opposed to Level 1 appear to be arbitrary in many cases, especially when one looks at them in relation to current threat environment or risk management realities.
- Unnecessarily Complex – The HITRUST RMF is easily one of the more complicated texts in infosec risk management that I have read. I think it is unnecessarily complex for what it is trying to accomplish. It is common knowledge in the infosec profession that complexity is not infosec’s best friend.
- Questionable Approach – The RMF also takes a somewhat questionable approach to risk assessment. I agree with the author in this blog post that associating impact with an asset makes for much better practical sense as opposed to associating it with a control. It is also one of the reasons why the HITRUST RMF is unnecessarily complicated, in my opinion.
- Outdated Data – The data you are recommending for use in RMF may not be current which could lead to considerably inaccurate risk assessments. For example, your latest impact rating document uses non-contextual impact ratings based on “a 2009 document detailing mappings from DoD controls to the NIST framework” (quoted from your document). As we know, the infosec threat environment has evolved considerably since 2009. Back then, we had the most emphasis on prevention with detection and response not getting anywhere near the same level of thought or attention. In today’s threat environment, I think it is fair to say that there is only so much of prevention we can do, which means that detection and response are very important, certainly a lot more important than they were considered six years ago. As a case in point, you have an impact rating of 3 (out of a scale of 1 to 5) for these controls which are widely considered to be some of the most critical controls today: 01.m – Segregation in Networks, 09.aa – Audit Logging, 09.ab – Monitoring System Use, 09.ad – Administrator and Operator Logs, 10.f – Policy on the Use of Cryptographic Controls, 10.g – Key Management, 10.m – Control of Technical Vulnerabilities
- Risk Relevant? – HITRUST CSF has mappings against several security controls frameworks and regulations but I am surprised to see the CIS Critical Controls conspicuously absent. The absence of perhaps the only set of controls that are “informed by current and evolving threats” and have a “bias for risk mitigation action” might lead many to question whether the HITRUST CSF can or should be used for risk management.
In the light of my above observations, it is not clear to me whether HITRUST CSF can really be effective in providing assurance around third party risk management.
Now, I want to get back to your press release that prompted me to write this letter and ask three logistics questions related to 7,500 BAs undergoing certification over the next two years:
- Certification Vs Self-Assessment – I am curious about the reason behind the “certification” mandate because I am not sure many BAs out there have the financial wherewithal to undergo a certification. I am wondering whether a self-assessment might be an option at all and if not, why not? Do you have something like the SAQ option that PCI DSS has for smaller merchants and service providers? By forcing everyone to go for certification, many BAs might be forced to spend the already limited infosec budgets on the HITRUST certification efforts when those resources could be better used in accomplishing priority mitigation of known risks. Self-assessment might also be the better option if you are unable to provide a high level of Quality Assurance in the certification efforts (my point below).
- Quality Assurance – What is your plan for Quality Assurance of what appears to be a large number of certifications over the next two years? Your CSF Assessor Requirements stipulate a minimum of only two years of experience in healthcare and two years of experience in infosec. Further, you only need a third of a CSF engagement’s hours to be performed by certified CSF practitioners. In my view, we need some of the most skilled and experienced people performing risk assessments in today’s healthcare environments. Ideally, these folks should not only have a very good understanding of all current and relevant threats and vulnerabilities in a given context but also have the practical experience across several security areas to recommend meaningful risk mitigation options. The CSF Assessor Requirements seem to set a rather low bar for HITRUST Assessors performing these certifications. Unless you are able to assure a consistent level of quality in these engagements, I don’t see how the BAs’ customers could use the HITRUST CSF certifications as a good assurance mechanism for third party risk management. For the BAs that are paying for these certifications, it might mean precious money wasted without any meaningful results in risk mitigation.
- Continuous Monitoring – I also don’t see how a certification performed on a one or two year cycle can truly provide the ongoing assurance in third party risk management during these times. What aspects of the HITRUST CSF certification will help address this potential gap?
If the last seven years have been fast changing times in healthcare, the next five look to be even more so with the focus shifting from compliance to one of agility in areas such as interoperability, mHealth, patient engagement and so on. In my view, healthcare infosec programs have to be “enabling” these new opportunities and initiatives. The right infosec risk framework for these times is one that is simpler, leaner and remains continually informed of current and evolving threats. It must also have a predominant bias for meaningful and timely action in risk mitigation. I just don’t see how HITRUST CSF/RMF fits these criteria. On the other hand, I think options such as the CIS Critical Controls or CSA’s upcoming CSA STAR Continuous Monitoring (for cloud based BAs) might be better candidates for providing assurance in third party infosec risk management.
Finally, I want to be sure that this letter is not perceived as an effort to discredit the HITRUST Alliance in any form or fashion. I actually think some of your other efforts such as CyberRx, CyberThreat Briefings and Cyber Threat Exchange are very relevant and useful. I also think HITRUST CSF could be a useful framework for a compliance program. I just don’t think it is a good choice for infosec risk management through the current and evolving times in healthcare.
You can read the original letter, and join in the conversation in the comments here on LinkedIn.
We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.