There’s Something About Frameworks: A Look at HITRUST’s CSF

Data Security

Repeat after me: frameworks are not standards. They are instead often used as a guide to navigate through the underlying standards.

There are lots of frameworks cropping up in the cybersecurity world. If you’re completely new to, let’s say, protecting critical infrastructure and not even sure how to begin working out the right controls, then you take a trip to NIST’s own Critical Infrastructure Security Framework.

Is there anything similar in the world of healthcare to navigate its complex security and privacy regulations?

The folks at the Health Information Trust Alliance, or HITRUST, have, after working with healthcare and IT experts, come up with their own Common Security Framework (CSF).

The Nitty Gritty of the Common Security Framework

A healthcare security framework has to take into account the entire scope of healthcare security, including not just the actual health data, but other data as well, for example, financial and transactional information.

So it’s not surprising that HITRUST’s sprawling CSF — over 400 pages of guidance goodness covering 13 different areas — has controls that map into HIPAA’s safeguards for protected health information, PCI DSS for credit card data, and COBIT controls related to financial information — to name just a few!

The overall idea is that you dive into CSF for the area of healthcare you’re interested in safeguarding, say access control, and then find the actual compliance and regulatory mappings. CSF provides several levels of these mappings — Level 1, Level 2, and Level 3 — so that you get increasing granularity as you work through your implementation.

For example, in the case of CSF’s information access control policy (Control 1.1a), CSF directs you to HIPAA 164.308 a(4). Remember that HIPAA requirement? It’s where HIPAA tells you to implement a policy so that authorized users access only the minimum information they need to do their jobs.

Keep in mind that HIPAA is technology neutral and not overly prescriptive. So if you want a more specific requirement for getting this done, the Level 2 mapping then directs you to ISO 27002 A.9.1.1. To jog your memory, this is where the ISO folks get into the weeds on prescribing specific controls for apps and information.

Varonis Can Help

Yes, we can! CSF is a giant meta-standard and a good resource for those planning comprehensive solutions for every aspect of healthcare security, down to the level of electrical equipment safety — see CSF Control 0.8.d and its NIST Cybersecurity Framework mapping!

Varonis already provides support for many of the key compliance standards — especially the aforementioned HIPAA and PCI — which form the basis of many of the Level 1 and Level 2 mappings.

If you’re looking for an overall map — yes, another map! — that shows some of the key areas where Varonis can help in CSF, please review the table below.

| CSF Control Category | Control | Mappings | Solutions |
|---|---|---|---|
| 01: Access Control | (.02) Authorized Access to Information System; (.06) Application and Information Access Control | HIPAA 164.308(a); PCI DSS 8.1, 8.2 | |
| 02: Human Resources Security | (.04i) Termination of Employment/removal of access rights | HIPAA 164.308(a); PCI DSS 8.1.3 | |
| 03: Risk Management | (.01b) Performing Risk Assessments; (.01c) Risk Mitigation | HIPAA 164.308a; PCI DSS 1.2 | |
| 06: Compliance | (c) Protection of organizational records (retention); (d) Data protection and privacy of covered information (retention) | PCI DSS 3.1 | |
| 07: Asset Management | (.02d) Classification Guidelines | HIPAA 164.308a | |
| 09: Communication and Operating Management | (.10aa) Monitoring/audit logging | HIPAA 164.308, 164.312; PCI DSS 10.1 | |
| 10: Information Systems Acquisition, Development, and Maintenance | (.04) Security of System Files | PCI DSS 2.2 | |
| 11: Information Security Incident Management | (01a) Reporting Information Security Events | HIPAA 163.308a; HIPAA 164.404; PCI DSS 12 | |
Andy Green

Andy blogs about data privacy and security regulations. He also loves writing about malware threats and what it means for IT security.
