
cyBARR Chat: HITRUST Edition Episode 16, HITRUST Risk Management Handbook

October 20, 2023 | HITRUST

Transcript:

Hello everyone, and welcome to today’s episode of cyBARR Chats. I’m Kyle Cohlmia, associate content writer at BARR Advisory, and today we’re joined by Steve Ryan, manager of attest services. Today we’re talking about a new resource from HITRUST. The HITRUST Risk Management Handbook. This is gathered from various resources like white papers, articles, blogs, and HITRUST has put this together as a discussion of all the major elements of their risk management framework into a single document.

So as BARR’s HITRUST expert, Steve is here to give us the details about the new handbook and an overview of its content. So let’s begin.

Alright, Steve, so my first question. In this newly released manual, or this handbook, they first discuss the concept of a risk management framework based on a four-step process, and they’re using the National Institute of Standards and Technology Risk Management Framework for illustration, otherwise known as NIST. Can you briefly go through each of those four steps to risk management according to NIST?

Yeah, absolutely Kyle. Always a pleasure to be back hanging out with you here.

So the first step of the NIST risk management framework is to identify risks and define protection requirements. This process includes, but is not necessarily limited to, identifying key risk management roles in your organization, establishing a strategy for managing risks, determining your organization’s risk tolerances, and conducting an organization-wide risk analysis.

The second step is to specify controls. When selecting security controls for your information system, it’s first important to choose an initial set of baseline security controls based on the impact level of the information system as determined by the security categorization performed in step one. After selecting the initial set of baseline security controls, your organization can start the tailoring process to appropriately modify and more closely align the controls with specific conditions within your organization.

The third step is implementing and managing controls. While there’s not a ton of specific guidance or tool support on how organizations can implement the NIST control framework in an organization, NIST does provide guidance on various information security controls within their resources.

And finally, the fourth and final step recommended to create a risk management program is assessing and reporting. NIST provides guidance for this step in several of their catalogs and guides.

This is just a short overview of the steps. All this information is discussed in greater detail within the handbook.

Great. Thank you so much, Steve. That’s super informative. Alright, so in the handbook, after HITRUST goes through that four-step process that you just explained, they also discuss several major elements of the HITRUST risk management framework based on that same four-step process.

I thought it might be helpful to highlight a few of these elements.

That sounds great to me.

Awesome. So first I had a question about the control framework-based risk analysis and what that means exactly. Can you describe that a little bit for us?

Yeah, absolutely. The primary goal of a control framework-based risk analysis is a specification of controls to address threats to sensitive or critical information, rather than categorizing information systems based on a more limited analysis, like identifying one of the three levels of potential impact. The benefit of leveraging a recognized control framework, such as the one provided by NIST, is that it allows organizations to generate a reasonable and appropriate set of controls that help define an acceptable level of protection for sensitive or critical information much more easily than if they were to conduct their own comprehensive risk analysis from scratch.

What’s also great is that organizations can tailor the HITRUST CSF based on relevant inherent risk factors, which include, but are not limited to, the type and amount of information processed, how the information is processed, and by whom. And when risk factors are applied to tailor HITRUST CSF control requirements based on inherent risk relevant to a scope of application, the resulting control specification helps establish an organization’s target profile and subsequently its risk target.

Great. That sounds like it’s a super efficient and effective approach to risk management. Thanks for explaining. Alright, next I was hoping you could touch on the HITRUST CSF control overlay and the control specification based on inherent risk that’s outlined in the handbook. Thank you.

Definitely.

HITRUST integrated and harmonized multiple information security and privacy regulations, standards, and best practice frameworks to create the CSF as an industry-level enhanced overlay of a NIST moderate-level initial security control baseline. Each HITRUST CSF control contains a core implementation level consisting of good security hygiene and industry best practice requirements.

Due to the flexibility of the HITRUST CSF, HITRUST strongly recommends applying the framework across your entire organization to really help avoid any inefficiencies associated with multiple, contrasting, and oftentimes hierarchical information protection programs.

Great. That makes sense. Thank you. Alright, for the next major element that they discuss, can you talk about these three dimensions of what HITRUST calls a “rely-ability” assurance?

Yes. Through a significant level of confidence and trustworthiness that allows an organization to rely upon the evidence provided by an assessment or an audit and how it’s reported, HITRUST uses the term “rely-ability” to describe one’s ability to rely upon or trust information provided by another.

The three dimensions of reliability are suitability, rigor, and impartiality. Suitability is intended to address the security features, practices, procedures, and architecture that are the subject of the intended assurances. Rigor provides the grounds for confidence that the set of intended security controls in an information system are effective in their application. Impartiality is intended to address the measure or grounds for confidence needed by a relying party in an assessment.

Amazing. Yeah, that reliability concept seems like it provides a very important level of trust for organizations.

For our final highlight of one of the major elements discussed in the handbook, could you touch on HITRUST’s approach to control implementation, maturity evaluation, and scoring?

Yeah, absolutely. So there are many features of the HITRUST assessment and reporting approach.

This can include extensive assessment guidance, training and vetting of qualified assessors, an implementation maturity model used to evaluate every HITRUST CSF control requirement, and the centralized quality assurance review of every assessment for which HITRUST issues a report.

Great. Thank you so much, Steve. I know what you’ve been discussing and more is included in the handbook in greater detail, but is there anything else that you’d like to add about the content in this handbook?

Sure. I think it’s important to mention that special topics related to the HITRUST risk management framework are presented in an appendix at the end, and range from a relatively narrow discussion around how controls function to much broader topics, such as third-party risk management and evaluating insurance requirements based on the inherent risk of a specific business relationship.

Great. This sounds like such a helpful resource for organizations looking to mature their security posture. Can you tell us where individuals can find this handbook?

Absolutely. The handbook is very easily accessible from the HITRUST resource section on their website in the Downloads Center, or you can check out the link below.

https://hitrustalliance.net/manual-risk-management/

It’s completely free and easy to navigate.

Great, Steve. Thank you so, so much for sharing your insight on the new HITRUST Risk Management Handbook. I know many organizations will find this resource helpful as they navigate their own risk management programs and healthcare compliance goals. As always, we appreciate you joining us on cyBARR Chats and keeping us up to date on all things HITRUST.

Thank you, everyone, for tuning in today. We look forward to seeing you next time.

Always a pleasure, Kyle.