HITRUST CSF and CSF Assurance Program Requirements for Health Information Exchanges Version 1.1

Transcription

1 HITRUST CSF and CSF Assurance Program Requirements for Health Information Exchanges Version 1.1

2 Table of Contents 1 Introduction Purpose External References Background HITRUST Common Security Framework (CSF) CSF Assurance Program for HIEs Roles and Responsibilities Health Information Exchanges (HIEs) Connecting Organizations CSF Changes for HIEs and Connecting Organizations Organizational Risk Factors for HIEs System Risk Factors for Connecting Organizations HIE Specific Requirements CSF Assurance Program for HIEs Overview Assessment Assessment Schedule Overview Phase 1 Requirements Phase 2 Requirements Phase 3 Requirements Recourse for Non-compliance Appendix A Assurance Program for HIEs Timeline Appendix B Phase 2 Assurance Level Requirements Appendix C Phase 3 Assurance Level Requirements

3 1 Introduction 1.1 Purpose Health Information Exchanges (HIEs) provide the capability to more expansively share information between healthcare organizations. With this increase and ease in exchange of protected health information (PHI) comes the risk of experiencing a breach in security, exposing patients sensitive information to unauthorized and potentially malicious individuals. HITRUST, in conjunction with industry participants, established an HIE Working Group and HIE Task Force (subcommittee) to address the challenges faced by HIEs, which, in turn, recommended changes to the HITRUST Common Security Framework (CSF) and CSF Assurance Program. The objective is to provide leading guidance to the industry on acceptable controls to manage the confidentiality, integrity and availability of PHI with HIEs and connecting organizations, which includes: 1. Changes to the HITRUST CSF To ensure relevancy of the HITRUST CSF to HIEs and connecting organizations, the Task Force identified gaps and proposed areas for improvement to the CSF. These, at a high level, include new risk factors for HIEs, new risk factors for the systems of connecting organizations, and new HIE segment-specific requirements. 2. Third Party Information Security Governance Program To ensure a common approach by HIEs and for connecting organization in satisfying necessary information security governance requirements, the Task Force set forth a CSF Assurance Program for HIEs. This program leverages existing requirements and practices, providing a set of processes, methodologies and tools to mitigate this risk without impeding the growth of the HIE. The purpose of the Task Force, Working Group and this document is to define the requirements for HIEs in managing their internal security programs and the third parties which connect to the HIE. This guidance also establishes a set of requirements for those organizations connecting with the exchanges to ensure they maintain the adequate controls required to protect information across the continuum. 1.2 External References A key tenet in HITRUST s activities is to reduce the complexity in the environment by leveraging existing programs and requirements. In accordance with this objective, HITRUST leverages and references the following for this program: HITRUST Common Security Framework 1 HITRUST CSF Assurance Program Requirements 2 Centers for Medicare & Medicaid Services (CMS) EHR Incentive Program

4 1.3 Background HITRUST The Health Information Trust Alliance (HITRUST) exists to ensure that information security becomes a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. All organizations within the healthcare industry currently face multiple challenges regarding information security. These challenges include: Public and regulatory concern over the increasing number of breaches in the industry Redundant and inconsistent requirements and standards for healthcare organizations Inconsistent adoption of minimum controls Inability to implement security in medical devices and healthcare applications Rapidly changing business, technology and regulatory environment Ineffective and inefficient internal compliance management processes Inconsistent business partner requirements and compliance expectations Increasing scrutiny from regulators, auditors, underwriters, customers and business partners Growing risk and liability associated with information security Common Security Framework (CSF) HITRUST is collaborating with healthcare, business, technology, and information security leaders to establish the CSF to be used by any and all organizations that create, access, store, or exchange protected health information. The CSF is not a new standard. The HITRUST CSF is a framework that normalizes the security requirements of Healthcare organizations including federal (e.g., HITECH Act and HIPAA), state, 3 rd party (e.g., PCI and COBIT) and government (e.g., NIST, FTC and CMS), so the burden of compliance with the CSF is no more than what already applies to healthcare organizations. HIPAA is not prescriptive, which makes it difficult to apply and open to interpretation. Organizations will need to reference additional standards for specific guidance on requirements specified by HIPAA. It is also not the only set of security requirements healthcare organization will need to address (e.g., PCI, state or business partner requirements). The CSF was built to simplify these issues by providing direction for security tailored for the needs of the organization. The CSF is the only framework that is built to provide scalable security requirements based on the different risks and exposures of organizations in the industry. With the leadership and guidance from the HIE Working Group and Task Force, the CSF continues to be relevant to HIEs and connecting organizations through specific factors that drive risk and specific requirements unique to the operating environment. 4

5 1.3.3 CSF Assurance Program for HIEs The HITRUST CSF Assurance Program for HIEs utilizes a common set of information security requirements with standardized assessment and reporting processes accepted and adopted by HIEs and connecting organizations. Through the Assurance Program for HIEs, HIEs and connecting organizations can manage risk of a breach of PHI through an efficient, cost effective process. The Assurance Program for HIEs provides a practical mechanism for validating an organization s compliance with the CSF. The standard requirements, methodology and tools developed and maintained by HITRUST, in collaboration with healthcare and information security professionals, enables both relying and assessed entities to implement a consistent approach to information security. The Assurance Program for HIEs allows HIEs and connecting organizations to receive immediate and incremental value by defining a logical approach to information security over time. 1.4 Roles and Responsibilities The following organizations and their respective responsibilities are defined below. This is in addition to those organizations named in the CSF Assurance Program Requirements document Health Information Exchanges (HIEs) HIEs within the scope of this program are the organizations responsible for managing the security over their own environment and the protections in place with third parties connecting and sharing information Connecting Organizations Connecting organizations within the scope of this program typically are those organizations joining the exchange to send and receive PHI generated or needed to provide healthcare services. Examples of connecting organizations include hospitals, physician practices, labs, pharmacies, health insurance providers, and other HIEs. 2 CSF Changes for HIEs and Connecting Organizations 2.1 Organizational Risk Factors for HIEs The CSF evaluates certain risk factors about an organization type to determine the relative risk of the organization and required level of controls. For HIEs, the following organizational risk factors are proposed to be added to the CSF: Small organization (Level 1): <1M transactions per year Medium organization (Level 2): 1-6M transactions per year Large organization (Level 3): >6M transactions per year Under HIPAA, a transaction is the exchange of information between two parties to carry out financial or administrative activities related to health care. HHS further defines the process of health information exchange as the electronic movement of health-related information among organizations according to nationally recognized standards. 5

6 In general, there are two basic types of HIE transactions: 1. Push one-directional push or send of the information directly between two known entities e.g., from a specialist to a primary care provider, or through the use of an intermediary such as a Health Information Organization (HIO). (Note the term HIE is often used to refer to the HIO.) 2. Pull a bi-directional pull of the information that involves: 1) a query for information about a patient, and 2) a response with information on the location and/or the content of a patient s records, which generally requires access to record locator services (RLS) and can usually only be done through an HIO. Either type will constitute a transaction for the purposes of calculating the appropriate risk factor for an HIO as long as the information transits the HIO. (Note there would be two messages in a pull transaction as opposed to one message in a push transaction for the purpose of calculating the risk factor.) And in both cases, the exchange must generally contain ephi to qualify. To help understand what constitutes an electronic transaction (i.e., an exchange of ephi for our purposes), we refer to the discipline of computer programming in which a transaction usually means a sequence of information exchange and related work (such as database updating) that is treated as a unit for the purposes of satisfying a request. For a transaction to be completed, a transaction has to be completed in its entirety (and includes one or more data elements). For example, a catalog merchandise order may involve checking an inventory database, confirming that the item is available, placing the order, and confirming that the order has been placed and the expected time of shipment. An example of a healthcare transaction could be a clinician s query for and receipt of a patient s electronic medical record or part of a medical record, e.g., a list of known allergies. Another could be the entry of one or more prescriptions into an e-prescription system during a patient visit, in which the receiving retail pharmacy is a member (connecting organization) of the HIE. As stated previously, an HIE transaction must conform to one of several nationally recognized message standards or formats. Two of the most predominate formats in the U.S. are X12 EDI and HL7. 1. X12 EDI is an ANSI standard XML schema based for the transfer of structured data, by agreed message standards, from one computer system to another without human intervention. X12 EDI electronic data exchange consists of multiple formats supporting multiple industries. Insurance/Health is one of sixteen functional or industry-specific series of standards documents and includes Patient Information, Health Care Claim Status Request and Notification, and Medical Event Reporting, among others HL7 is a syntax standard specifically designed by the healthcare industry to facilitate patient data exchange between computer applications and systems typically systems within or connected to one healthcare enterprise. HL7 is the de facto standard for patient data exchange, specifying the format, structure, and sequence of that data, and provides a common language

7 among computer applications regardless of platform, architecture, or programming language. Although the actual syntaxes are different, HL7 is similar in concept to the X12 EDI standard used for HIPAA-compliant data transfer. Other standards such as generic XML schemas could conceivably provide a reasonable format for HIE transactions, but again the messages must be related to healthcare, including administrative or financial activities, and subsequently contain one or more elements of ephi. Once again, the messages (transactions) must transit an HIO s boundary, either to or from an external organization, to be used in the calculation of an HIO s risk factors. These factors shall be aligned with those controls of the CSF with existing organizational risk factors in accordance with the existing thresholds. 2.2 System Risk Factors for Connecting Organizations The systems of organizations that connect to and exchange data with an HIE are seen to be more risky than systems that do not connect to or exchange data with an HIE and so require a greater level of control in certain instances. As such, the following system risk factor will be added to the CSF: System Connects with or Exchanges Data with an HIE: YES This factor shall be aligned with the following controls of the CSF: 01.k Equipment Identification in Networks 01.u Limitation of Connection Time 01.p Secure Log-on Procedures 01.r Password Management System 01.s Use of System Utilities 10.d Message Integrity It is important to note that these are not the only requirements a connecting organization or its system would be required to meet. This simply is a list of specific controls whereby a higher level of control should be required because the connecting organization s system connects to or exchanges data with an HIE. Basic controls such as access control, logging and monitoring will still be required in accordance with existing system or organization risk factors. 7

8 2.3 HIE Specific Requirements The HITRUST CSF allows segment-specific requirements as part of the controls. These are requirements unique to a particular industry segment, such as HIEs, that do not apply to other segments of the industry. The following segment-specific requirements were added to the CSF: Access Controls 01.c Privilege Management HIEs shall, for all employees and for all employees of connecting organizations, define and assign roles to each individual with access to the HIE. The roles shall be based on the individual's job function and responsibilities. The roles shall specify the type of access and level of access. 01.e Review of User Access Rights HIEs shall, for all employees and for all employees of connecting organizations, review users with access and the appropriateness of each user's role every 90 days. Any discrepancies shall be remediated immediately following the review. Third Party Agreements/Contracts 05.e Confidentiality Agreements As part of the agreement with the connecting organizations, the HIE shall specify which organization owns the data and any restrictions as part of that ownership such as retention, integrity, and accuracy of data. If the HIE is the owner of the data, all federal and state requirements associated with the patients' information shall be met. 05.k Addressing Security in Third Party Agreements As part of the agreement with the connecting organizations, the HIE shall specify the requirements of the connecting organizations to define and communicate to the HIE access roles for the connecting organization's employees. The agreement shall specify that it is the sole responsibility of the connecting organizations to appropriately restrict access in accordance with federal and state requirements (e.g., mental health information). 05.k Addressing Security in Third Party Agreements As part of the agreement with the connecting organizations, the HIE shall specify the requirements of connecting organizations to request and receive detailed access logs (see 09.aa) related to the connecting organization s records. These requirements shall be applicable to all HIEs irrespective of the previously mentioned organization risk factors. These requirements are in addition to the existing set of controls listed in the CSF. 3 CSF Assurance Program for HIEs 3.1 Overview The CSF Assurance Program for HIEs enables trust in health information protection through an efficient and manageable approach by identifying incremental steps for an HIE to implement and demonstrate acceptable information security controls. 8

9 The security requirements for the Assurance Program for HIEs are based on the CSF and the multiple levels within the CSF as determined by defined risk factors. The objective is to provide requirements to an organization that are reasonable and appropriate based on the organization s risk. Security is evaluated and assurance is provided through initial and subsequent information security risk assessments of an organization. 3.2 Assessment The assessment allows the assessed entity to determine and communicate to relying entities its security maturity and risk relative to the industry and expectations as defined by the CSF. HITRUST allows for multiple assessment options including self and third-party assessments. Organizations may also be CSF Validated or CSF Certified depending on the type of assessment and results of the assessment. For the Assurance Program for HIEs, these options can be implemented in stages to increase the assessment s level of rigor (e.g., self-assessment versus on-site) and requirements (e.g., Validated versus Certified) over time Assessment Schedule Overview Phase 1 Conduct assessment and provide CSF Validated Report Phase 2 Remediate policy, mobile computing and removable media gaps Phase 3 Conduct assessment and provide CSF Validated Report Continuous Monitoring Conduct assessment and provide CSF Validated Report Repeat Phase 3 every 2 years Provide CAP Provide Cap Provide Cap Within 12 months of the start of the phase. Within 18 months of the start of the phase. Within 24 months of the start of the phase. 9

10 The following sections describe each phase in detail including what it required. A full timeline is included in Appendix A Phase 1 Requirements HIEs and connecting organizations are required in Phase 1 of the Assurance Program for HIEs to conduct, at a minimum, a self assessment in accordance with the process and requirements of the broader HITRUST CSF Assurance Program. These requirements are designed to focus on the high risk areas to the industry based on feedback from member organizations and breach data from sources including the Department of Health and Human Services (HHS) and DataLossDB.org. A full list of the required areas to be assessed is included as an addendum to this document. HIEs and connecting organizations may receive a CSF Self-Assessment or Validated Report from HITRUST including maturity for each domain, recommendations for improvement and the beginnings of a CAP. The assessment must be conducted within the first 12 months of connecting to an HIE. Connecting organizations are required to provide a copy of the report to the HIEs to which they are connecting. HIEs shall include the requirements for conducting an assessment and receiving a report as part of the contract with the connecting organization in lieu of alternative security mechanisms. HIEs and connecting organizations shall maintain the reports as evidence of their assessment for a period of six (6) years in accordance with the HIPAA requirements. Following the assessment and within an 18 month period from joining the HIE the assessed entity will document and provide a complete CAP including milestones, responsibility, deadlines and risk/priority Phase 2 Requirements HIEs and connecting organizations are required in Phase 2 of the Assurance Program for HIEs to conduct an assessment in accordance with the process and requirements of the broader HITRUST CSF Assurance Program for the year in which the assessment is conducted. The assessment must meet the assurance level as described in Appendix B. Part of the assessment must evaluate the organization s prior CAP and the progress towards the items contained therein at the time of the assessment. The organization must demonstrate reasonable progress towards all items. Any corrective actions related to policies, mobile device security (e.g., laptops), and removable media security (e.g., CDs, DVDs, USB drives, backup tapes) must be addressed (i.e., fully remediated). HIEs and connecting organizations are expected to receive a CSF Validated Report from HITRUST including maturity for each domain, recommendations for improvement and an updated CAP. 10

11 The assessment must be conducted within 12 months following the end of Phase 1 for the assessed entity. Connecting organizations are required to provide a copy of the report and updated CAP to the HIEs to which they are connecting. HIEs shall include the requirements for conducting an assessment, receiving a report and requirements regarding remediation as part of the contract with the connecting organization in lieu of alternative security mechanisms. HIEs and connecting organizations shall maintain the reports as evidence of their assessment for a period of six (6) years in accordance with the HIPAA requirements Phase 3 Requirements HIEs and connecting organizations are required in Phase 3 of the Assurance Program for HIEs to conduct an assessment in accordance with the process and requirements of the broader HITRUST CSF Assurance Program for the year in which the assessment is conducted. The assessment must meet the assurance requirements as described in Appendix C. Part of the assessment must evaluate the organization s prior CAP and the progress towards the items contained therein at the time of the assessment. The organization must demonstrate reasonable progress towards the remaining items from the prior review. HIEs and connecting organizations are expected to receive a CSF Validated or Certified, Report where applicable, from HITRUST including maturity for each domain, recommendations for improvement and an updated CAP. The assessment must be conducted within 12 months following the end of Phase 2 for the assessed entity. Connecting organizations are required to provide a copy of the report and updated CAP to the HIEs to which they are connecting. HIEs shall include the requirements for conducting an assessment, receiving a report and requirements regarding remediation as part of the contract with the connecting organization in lieu of alternative security mechanisms. HIEs and connecting organizations shall maintain the reports as evidence of their assessment for a period of six (6) years in accordance with the HIPAA requirements. Following the completion of Phase 3, all connecting organizations will be expected to conduct an assessment according to the requirements of Phase 3 every two (2) years Recourse for Non-compliance Organizations that do not meet all of the requirements set forth for any Phase are required to send a designated individual responsible for information security and, if a separate person, an individual responsible for compliance to an approved HIPAA training program. The individual(s) must attend the course and provide evidence of completion to the HIE no later than ninety (90) days following the Assessment deadline of the Phase in which the organization is in. The organization will not advance to the next Phase until the current Phase has been completed as set forth in the original requirements. 11

12 Appendix A Assurance Program for HIEs Timeline Join the HIE Conduct Phase 1 Assessment Provide CSF Validated Report to HIE Provide CAP to HIE Remediate Policy, Mobile Computing and Removable Media Gaps Conduct Phase 2 Assessment Provide CSF Validated Report to HIE Provide Updated CAP to HIE Conduct Phase 3 Assessment Provide CSF Validated / Certified Report to HIE Provide Updated CAP to HIE Repeat Phase months months months months months months months 12 NOT FOR DISTRIBUTION OUTSIDE WORKING GROUP

13 Required Assurance Level Appendix B Phase 2 Assurance Level Requirements CSF Self- Assessment CSF Validated via Third Party Assessment Health Plan / Insurance / PBM Covered Lives Fewer than 1 Greater than 1 Medical Facility / Hospital Licensed Beds Fewer than 1,000 Greater than 1,000 Physician Practice visits per year Fewer than 60,000 Greater than 60,000 Third Party Processor records processed per year Fewer than 10 Greater than 10 Pharmacy Companies prescriptions per year Fewer than 10 Greater than 10 BioTech Companies Annual spend on R&D Less than $100,000 Greater than $100,000 IT Service Provider / Vendor employees Fewer than 500 Greater than NOT FOR DISTRIBUTION OUTSIDE WORKING GROUP

14 Required Assurance Level Appendix C Phase 3 Assurance Level Requirements CSF Self- Assessment CSF Validated CSF Certified Health Plan / Insurance / PBM Covered Lives Fewer than 1 1 to 7½ Greater than 7½ Medical Facility / Hospital Licensed Beds Physician Practice visits per year Fewer than 1,000 Fewer than 60,000 1,000 to 10,000 60,000 to 180,000 Greater than Greater than 10, ,000 Third Party Processor records processed per year Fewer than to 60 Greater than 60 Pharmacy Companies prescriptions per year Fewer than to 70 Greater than 70 BioTech Companies Annual spend on R&D Less than $100,000 $100,000 to $200 More than $200 IT Service Provider / Vendor employees Fewer than to 2,500 Greater than 2, NOT FOR DISTRIBUTION OUTSIDE WORKING GROUP