I want to thank you for being proactive by beginning or continuing your HITRUST journey!
For everyone else, each month I will introduce you to at least one Cloudticity Oxygen service or feature, focusing on how it helps achieve HITRUST controls. This month we need to dive into HITRUST's expectations (5 Areas of the HITRUST Maturity Model) and focus on the big picture (Cloudticity's Experience: Setting the Stage). Next month we will dive into Cloudticity Oxygen alerts and our workflow.
5 Areas of the HITRUST Maturity Model
When choosing to audit against the HITRUST Common Security Framework (CSF), HITRUST calculates your risk per control based on five distinct maturity levels: Policy, Procedure, Implemented, Measured, and Managed. In version 9.2 of the framework, there are up to 1,619 total control statements contained within 19 domains. The number of controls that your company must attest to is based on a scoped assessment of your operating environment and regulatory needs. This assessment is done by HITRUST using a third-party auditor.
Each maturity level builds on the previous one, so to pass the audit each required control must at a minimum have a policy and a procedure and be implemented. Cloudticity is interested in meeting each requirement to the maximum extent possible, so we will be discussing how our services help meet each of the maturity levels and what else is needed from each customer to meet the spirit of the control.
HITRUST has the following to say about the maturity levels:
- Policy: Requirements stated in a policy or standard are understood by the organization. If not stated, there is little guarantee that it will be implemented or continue to be implemented.
- Procedure: Processes are necessary to ensure the control can be implemented in a repeatable and consistent way. They may be ad hoc, documented, or automated.
- Implemented: Evaluation of the control’s implementation across the breadth and depth of the organization is the most common way of assessing a control’s effectiveness.
- Measured and Managed: These last two levels of HITRUST’s version of the PRISMA model, which together have the same value as any one of the first three levels when scoring out the control, simply address the concept of continuous monitoring. “One can’t manage what one doesn’t measure.” The idea is to avoid past practices of implementing and forgetting a control, and instead monitor the effectiveness of the control and take action should problems occur. This level of maturity beyond implementation provides additional assurance the control will continue operating as intended.
Cloudticity's Experience: Setting the Stage
Cloudticity implemented the HITRUST CSF two years ago for increased organizational maturity, to improve our sales cycle, and to prove our dedication to security. Since our implementation, we have experienced a greater level of trust with our customers, a faster communication cycle when asked for proof of our security posture (hours versus weeks), and a maturity level rarely obtained at any organization. I also feel more technologically secure and have a greater sense of job security knowing that Cloudticity is proactively preventing security vulnerabilities, utilizing complete business continuity plans, and being well-managed end-to-end.
Have we learned any lessons? Do we have advice? Can we provide examples?
- Policy: Regardless of where you are in your HITRUST journey, one of the first steps is policy creation and the communication of those policies to internal staff. It is imperative that each required control be explicitly stated in your policies, even if it is not applicable to your system. If your company does not have a set of policies or needs ideas for improving your existing ones, check out our open source policies and feel free to use them as a guide. These are our real company policies and they are updated regularly. Using GitHub for policy management is an amazing solution, providing complete change management including a simple user interface, controlled changes, and communication of each published change to all Cloudticity employees (using a Slack webhook).
- Procedure: Synonymous with process, these need to be implemented in an automated manner whenever possible. Our automation uses a combination of third-party software and custom-built workflows. For policies that cannot be implemented automatically, we utilize Teamwork.com task list templates. For example, when we off-board a Cloudticity employee (an ad hoc event), we create a new task list using our template containing 24 tasks covering every possible location and change necessary to remove a user (many employees do not require all 24 tasks, but we prefer a single list covering all employee types).
- Implemented: A control is only considered implemented when ALL of the organizational units and systems within scope have the policy and procedure applied. Each control has a requirement statement that contains one or more elements that must be in place. If an element or control is not applicable, then it must be explicitly documented within your policies. For example, Cloudticity Oxygen services are implemented across all resources within your AWS account. In the case of encryption-at-rest, AWS services are one of many systems that must have encryption enabled (employee workstations are often overlooked).
- Measured: Each control must have a quantitative way to measure it (metrics), whether that be a report showing statistics of real-time events, a complete history of policy changes, or a report showing all recurring tasks completed. I think of measured as logging; your company needs to have mechanisms to document all changes and subsequently report on them. For example, an organization may use a management console to track antivirus software implementation status in near real-time and produce metrics of the percentage of end-user devices that have the latest software and signature updates.
- Managed: Cloudticity utilizes two solutions for ongoing management: real-time alerts and recurring tasks.
- Real-time alerts, provided by Cloudticity Oxygen, give warnings whenever an issue arises from misconfigured resources, security events, potential performance problems, and thousands of additional checks. Whenever possible, Cloudticity opts for automated real-time alerts for just-in-time adjustments. For example, if any AWS service is misconfigured in an insecure way, an alert is generated that kicks off our change management workflow to make the necessary change as soon as possible.
- All recurring tasks are managed through our project management system, Teamwork.com, which provides the ability to check off a task and automatically create the next task in the series, whether it be quarterly or annually. For example, each Cloudticity team member has an annual task list to "Complete HITRUST requirements" that contains five tasks that each individual must do each year.
Unless you love tough journeys and spending money, we suggest you do some upfront work prior to initiating conversations with third-party auditors. Start by getting acquainted with the latest version of the HITRUST framework by downloading the list of requirements. Read through your policies end-to-end if you have them. Read through the HITRUST requirements and make a checklist as you go of your major gaps and simple improvements. Update your policies and implement changes as much as possible (policy updates and implementation should be done at the same time). Bonus tip: take screenshots of your implementation as you go and name them well.
When it comes to obtaining a HITRUST certification, you wish there was a better way. So we created one. Meet MagicBox, the brainchild of two of the leading innovators in the healthcare information security space: Cloudticity and BEYOND, LLC. MagicBox is the first and only end-to-end HITRUST solution on AWS.
MagicBox reinvents the certification process, using the breakthrough integration of Cloud-driven technology with one-to-one expert guidance, significantly reducing time and creating efficiencies that will allow you to obtain your certification with a 100% success rate. For more information, check out our thoughts on the importance of compliance and visit https://cloudmagicbox.com to contact us.
Stay tuned while Cloudticity continues to innovate on forward-thinking ways to approach compliance. In the meantime, visit us on the web, or leverage our free, fully automated HIPAA technical assessment as a great way to chart your path toward HIPAA compliance.