Best Pen test strategy for HITRUST/HIPAA/Zero Trust frameworks - CYBRI

By Paul Kubler

Why the need for the HITRUST Approach?

The Health Information Trust Alliance (HITRUST) is an organization governed by representatives of healthcare organizations and technology companies. HITRUST created and maintains the Common Security Framework (CSF), a framework that helps healthcare organizations and their service providers demonstrate security and compliance in a consistent, streamlined manner.

Assembling and maintaining all the components of a risk management and compliance program comes with unique challenges. HITRUST addresses this with an integrated approach whose components are aligned, maintained, and comprehensive enough to support an organization's risk management and compliance goals.

The HITRUST CSF is a prescriptive set of controls that meets the requirements of multiple regulations and standards.

The framework provides a way to demonstrate alignment with regulations and standards such as HIPAA and the ISO/IEC 27000 series, because the HITRUST CSF incorporates security, privacy, and other regulatory requirements from those existing frameworks and maps its controls back to them.

What is the difference between HITRUST and HIPAA?

HIPAA is a U.S. federal law, with regulations that covered entities and their business associates are required to follow. HITRUST, by contrast, is a framework created by security industry experts, and it incorporates the requirements of HIPAA as one of its components.

HITRUST gives organizations a way to show evidence of compliance with HIPAA-mandated security controls while also aligning to standards such as ISO/IEC 27001. HITRUST takes the requirements of HIPAA and builds on them, incorporating them into a framework based on security and risk.

Evolution of Zero Trust to support the healthcare environment

Many healthcare applications leverage Citrix and other virtual desktop technology to deliver Cerner, Allscripts, and other medical applications to endpoint devices such as tablets, nurses' workstations, and mobile devices. Many medical applications that were originally deployed only on-premises now have a variety of cloud and hosted offerings. The medical software vendors offered cloud options to help medical facilities adopt the platform while minimizing hardware costs.

Gartner coined the term SASE, which stands for Secure Access Service Edge.

SASE grew because CIOs and CISOs needed to define a new network edge: a secured entry point that end users connect to before gaining access to the actual corporate network. Previously, remote users would terminate a virtual private network (VPN) connection on a device inside the company's data center and from there access the various medical applications.

In a SASE model, an organization uses a cloud-based SASE service as its new network edge. Users connect to the SASE service first, and the organization enforces its Zero Trust model there, defining authentication and device-posture policies that must be satisfied before the user reaches the internal corporate network. The SASE provider's SD-WAN and globally distributed points of presence give each user a nearby entry point, which reduces latency, while the same endpoint security policy is applied regardless of where the user connects from. Medical applications can therefore be reached faster, and the security checks happen before the connection to the medical portals is ever made.

Pen testing and vulnerability scanning for HITRUST and Zero Trust frameworks

Achieving HITRUST certification requires satisfactory completion of a HITRUST validated assessment performed by an external assessor firm. Organizations will need to hire HITRUST-qualified firms with a strong background in the entire certification process. Another critical role an organization should leverage is a third-party pen tester engaged for a series of black-, gray-, and white-box engagements before the formal certification assessment. The third-party tester can work as a white-hat hacker in tandem with the internal HITRUST group, or can execute a black-box test with no inside knowledge. In either case, the engagement should be scoped around the HITRUST/HIPAA controls that protect medical record data, and should examine the following risk areas:

  • Third-party access to data
  • The use of mobile devices
  • The number of users accessing the HITRUST/HIPAA platforms
  • Whether normal daily transactions affect the controls of the system

Pen testing complements, rather than replaces, ongoing vulnerability scanning of the HITRUST/HIPAA platforms, and it should be repeated after remediation has been completed to confirm that the findings were actually closed and that the fixes did not introduce new exposure.
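As an added illustration of the re-test step (example code written for this article, not a CYBRI or HITRUST tool), the following Python script compares a pre-remediation scan export with the post-remediation re-scan and reports what was fixed, what is still open, and what is new. The two scan exports are constructed sample data, and the normalised field names (host, plugin_id, severity, title) are an assumption rather than any particular scanner's native format. It also flags hosts that were scanned before but are absent from the re-scan, because a host that went offline or blocked the scanner makes its findings look "fixed".

```python
"""Remediation verification: diff a pre-remediation scan export against
the post-remediation re-scan and decide whether the cycle can be signed off.

Added example for this article, not CYBRI's or HITRUST's tooling. The scan
records and field names below are constructed / assumed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed sample findings for a hypothetical HIPAA platform subnet.
PRE_REMEDIATION = [
    {"host": "10.20.1.10", "plugin_id": "TLS-1.0-ENABLED", "severity": "medium", "title": "TLS 1.0 enabled"},
    {"host": "10.20.1.10", "plugin_id": "SMBV1-ENABLED", "severity": "high", "title": "SMBv1 enabled"},
    {"host": "10.20.1.11", "plugin_id": "TLS-1.0-ENABLED", "severity": "medium", "title": "TLS 1.0 enabled"},
    {"host": "10.20.1.12", "plugin_id": "DEFAULT-CREDS", "severity": "critical", "title": "Default credentials accepted"},
]
# Constructed re-scan: one finding survived, one new one appeared, and
# host 10.20.1.11 did not show up at all.
POST_REMEDIATION = [
    {"host": "10.20.1.10", "plugin_id": "TLS-1.0-ENABLED", "severity": "medium", "title": "TLS 1.0 enabled"},
    {"host": "10.20.1.12", "plugin_id": "WEAK-CIPHERS", "severity": "medium", "title": "Weak TLS cipher suites"},
]

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

FindingKey = Tuple[str, str]  # (host, plugin_id) identifies one finding instance


def index_findings(scan: Iterable[dict]) -> Dict[FindingKey, dict]:
    """Key each finding by (host, plugin_id) so the same issue on two
    hosts is tracked as two separate findings."""
    return {(f["host"], f["plugin_id"]): f for f in scan}


def _by_severity(findings: Iterable[dict]) -> List[dict]:
    """Highest severity first, then host and plugin, for a readable report."""
    return sorted(findings, key=lambda f: (-SEVERITY_RANK[f["severity"]], f["host"], f["plugin_id"]))


@dataclass
class RemediationReport:
    fixed: List[dict]          # in pre-scan, absent from re-scan
    still_open: List[dict]     # present in both scans
    new: List[dict]            # absent from pre-scan, present in re-scan
    missing_hosts: List[str]   # hosts seen in pre-scan but not in re-scan

    def passes(self, max_open_severity: str = "low") -> bool:
        """True when the re-scan covered every host and nothing above the
        accepted severity is still open or newly introduced."""
        if self.missing_hosts:
            return False  # coverage gap: nothing on those hosts can be called fixed
        limit = SEVERITY_RANK[max_open_severity]
        return all(SEVERITY_RANK[f["severity"]] <= limit
                   for f in self.still_open + self.new)


def compare_scans(pre: List[dict], post: List[dict]) -> RemediationReport:
    before = index_findings(pre)
    after = index_findings(post)
    # Host coverage is approximated from findings, since these exports
    # carry no separate host inventory.
    missing = sorted({f["host"] for f in pre} - {f["host"] for f in post})
    return RemediationReport(
        fixed=_by_severity(before[k] for k in before.keys() - after.keys()),
        still_open=_by_severity(after[k] for k in before.keys() & after.keys()),
        new=_by_severity(after[k] for k in after.keys() - before.keys()),
        missing_hosts=missing,
    )


def format_report(report: RemediationReport) -> str:
    lines = []
    for label, items in (("FIXED", report.fixed),
                         ("STILL OPEN", report.still_open),
                         ("NEW", report.new)):
        lines.append(f"{label} ({len(items)})")
        for f in items:
            lines.append(f"  [{f['severity']:<8}] {f['host']:<12} {f['plugin_id']:<16} {f['title']}")
    for host in report.missing_hosts:
        lines.append(f"WARNING: {host} absent from re-scan; its 'fixed' findings are unverified")
    lines.append("Verdict: " + ("PASS" if report.passes() else "FAIL: re-test required"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(compare_scans(PRE_REMEDIATION, POST_REMEDIATION)))
```

Keying on (host, plugin_id) assumes stable addressing; on DHCP-heavy clinical networks, key on hostname or asset tag instead. The coverage check is the part most often skipped in practice: a diff that only counts disappeared findings will happily report a scanner-blocking firewall rule as a successful remediation.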

Pen testing the Zero Trust access layer into the HITRUST model

In current Zero Trust/SASE models, once the user has authenticated and the device has passed the security compliance requirements, are the corporate network and data safe? In many cases, yes. The device is validated for patch levels and compliance, and the user's access is restricted either by application or by network segment.

However, how will the organization know that the user is really that person? Engaging a third-party pen tester will shed light on how vulnerable or secure the new remote access path is. Zero Trust architectures and SASE cloud access providers are designed to be very secure, but validating that access through the Zero Trust layer into the internal HITRUST/HIPAA platforms is correctly restricted is entirely the organization's responsibility. By leveraging third-party pen testing, organizations demonstrate a continuous monitoring and security posture validation process and culture.
