Now that you are acquainted with HITRUST and have chosen to continue your journey, I want to thank you again for being proactive! If this is your first compliance series post, please start below:
- If you are new to HITRUST, start here.
- To get a complete picture of the HITRUST Maturity Model and get some helpful tips from Cloudticity's experience, read this blog post.
- If you need more information on Cloudticity Oxygen, start here.
For everyone else, each month we look into at least one Cloudticity Oxygen service or feature, focusing on how it helps achieve HITRUST controls. This month we are diving into Cloudticity Oxygen alerts. Stay tuned next month for more Cloudticity Oxygen services.
Cloudticity Oxygen Alerts
Cloudticity Oxygen alerts is a service focused on the last two maturity levels, let's recall what HITRUST has to say about Measured and Managed:
- These last two levels of HITRUST’s version of the PRISMA model, which together have the same value as any one of the first three levels when scoring out the control, simply address the concept of continuous monitoring. “One can’t manage what one doesn’t measure.” The idea is to avoid past practices of implementing and forgetting a control, and instead monitor the effectiveness of the control and take action should problems occur. This level of maturity beyond implementation provides additional assurance the control will continue operating as intended.
To manage effectively, we must first identify metrics that align to the risk or control we are attempting to manage. We must then have a continual workflow that allows for management of the operation. Let's jump into a few examples:
- Example 1: We are trying to manage whether an instance is provisioned correctly and able to perform its function. Upon inspection of possible failures, we choose to measure the percentage of CPU used, memory utilization, disk space utilization, and a health check endpoint.
- By measuring CPU, Memory, and Disk Space utilization we can set alert thresholds, both high and low, that open alerts to allow for Cloudticity or customer engineers to quickly take action to remediate the issue. (High utilization may indicate that the instance is out of resources, while low utilization may indicate we are paying too much and can downgrade our instance types or volume sizes). Information on Cloudticity's workflow follows.
- By measuring a health check endpoint ("/index.html" for example), we can manage whether our end-user is experiencing service outages. This service outage, while mitigated mostly by our proactive CPU, Memory, and Disk Space thresholds, would indicate that an end-user is having a negative experience. A ticket would be created for an engineer to handle the incident, ensuring it does not happen again.
- Example 2: We are trying to manage whether AWS is configured in a compliant manner. Upon review of the regulatory bodies that we adhere to, we must configure our AWS account(s) according to the HIPAA guidelines, AWS BAA, HITRUST CSF controls, and NIST SP 800-53. We choose to create a compliance check for each configuration element that must be set explicitly. To start, we choose to check each resource for proper tagging, that each AWS required service is enabled, and that all storage areas are encrypted at rest.
- By measuring each resource, AWS service, and storage resource, we can now receive alerts whenever a rule is out of compliance. Each check that fails creates a ticket that we can quickly take action on.
- Bonus Administrative Example: We are trying to manage whether all HITRUST recurring manual checks have been accomplished for the quarter. We must first have something to measure, so we create around one hundred recurring tasks in a project management tool with complete reporting capabilities, to provide proof that this process is in place for our future HITRUST audit.
- By having our humans create and monitor their tasks, we maintain our assets and processes in the most efficient way. This allows for streamlined business continuity plans, which are another part of the HITRUST framework. For this to work, each member of the team must manage their tasks on a regular basis. Information on Cloudticity's workflow follows.
- Note: We must also manage whether this process is working. To do this, we create a recurring quarterly task for an executive team member to verify that there are no late or unfinished recurring tasks.
What would happen if we had a bunch of tickets sitting in a queue that no one was managing? Some obvious consequences are loss of customers, loss of revenue, and security exploits. These are terrible consequences and would not generate customer satisfaction, so Cloudticity provides a Service Level Agreement (SLA) to our customers with a fully staffed 24/7 help desk sporting better-than-industry response times (so you don't have to).
Each of the alerts mentioned above automatically create a support ticket assigned to an engineer on the Cloudticity team; these alerts generate an email to a customer's provided email address, multiple addresses, or an alias email address (Example: technicalsupport@yourcompany.com). With Cloudticity on your side managing the alerts and issues for you, think about how many personnel and resources you could shift into more fulfilling positions.
Cloudticity Oxygen alerts contain over a thousand checks that help measure and/or manage controls within the following HITRUST domains:
- Endpoint Protection
- Configuration Management
- Vulnerability Management
- Network Protection
- Transmission Protection
- Password Management
- Access Control
- Audit Logging & Monitoring
- Third Party Assurance
- Incident Management
- Business Continuity & Disaster Recovery
- Risk Management
- Physical & Environmental Security
- Data Protection & Privacy
Meet MagicBox:
When it comes to obtaining a HITRUST certification, you wish there was a better way. So we created one. Meet MagicBox, the brainchild of two of the leading innovators in the healthcare information security space: Cloudticity and BEYOND, LLC. MagicBox is the first and only end-to-end HITRUST solution on AWS.
MagicBox reinvents the certification process, using the breakthrough integration of Cloud-driven technology with one-to-one expert guidance, significantly reducing time and creating efficiencies that will allow you to obtain your certification with a 100% success rate. For more information, check out our thoughts on the importance of compliance and visit https://cloudmagicbox.com to contact us.
Stay tuned while Cloudticity continues to innovate on forward thinking ways to approach compliance. In the meantime, visit us on the web, or leverage our free, fully automated HIPAA technical assessment as a great way to chart your path toward HIPAA compliance.