SecurityWeek


HITRUST Common Security Framework – Improving Cyber Resilience?

A few weeks ago, Anthem agreed to a record $16 million HIPAA settlement with federal regulators to close the chapter on a data breach that exposed data on nearly 79 million individuals in 2015. This payment is in addition to the $115 million Anthem shelled out as part of a class-action lawsuit over the same breach in 2017. The latest settlement revealed new details about the breach, including the fact that Anthem had been audited and certified under the HITRUST Common Security Framework (CSF) just five months before attackers infiltrated its systems. That raises questions about the effectiveness of compliance audits.

Regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, together with the HITRUST CSF used in HIPAA assessments, establish a much higher standard of scrutiny for privacy and disclosure requirements than most other verticals face. This is justified: the industry holds a vast amount of highly sensitive data on individuals, and that data is extremely coveted by cyber criminals. Healthcare records are a hot commodity on the Dark Web, fetching much higher prices than credit card numbers.

HITRUST CSF has become the most widely adopted security framework in the U.S. healthcare industry. Like the NIST Cybersecurity Framework, it integrates relevant regulations (e.g., HIPAA) and standards (NIST SP 800-53, ISO 27001, PCI DSS) into a single overarching security framework. So what benefits does HITRUST CSF offer healthcare organizations?

Security-minded, mature healthcare providers typically already have a solid security program in place that incorporates many of the standards, guidelines, and best practices referenced in the framework. While HITRUST CSF doesn’t necessarily improve cyber resilience for these types of organizations, it does provide a common nomenclature and methodology to help less advanced providers assess their level of security preparedness and benchmark their programs. 

Compliant Doesn’t Equal Security

The Anthem breach, and thousands of others, show that regulatory compliance – and its checkbox approach to security – does not translate into greater security. While many experts agree that compliance with security frameworks has value when it comes to developing proper policies for certification, organizations need to be aware that it does not provide immunity from breaches. HITRUST CSF and other guidelines help reduce risk but cannot eliminate all cyber threats, and they often give organizations a false sense of security.

Ultimately, the mindset of healthcare organizations needs to change if they want to prevent data breaches and ensure that protected health information (PHI) is properly protected. Attackers have learned to sidestep sophisticated security mechanisms by using phishing and social engineering to compromise user credentials and walk in through the front door. Adhering to HIPAA rules or HITRUST CSF cannot, by itself, prevent an attacker holding valid credentials from reaching PHI.

The HITRUST CSF, for instance, requires that organizations implement several administrative safeguards, which include logging access to PHI and routinely checking those access logs. However, when attackers camouflage their activity behind compromised credentials, every entry in the log is a successful access by a legitimate account. A high-level review that looks for failed logins or unknown users will not surface anything abnormal; only a comparison of each account's activity against its own normal behavior (volume of records touched, time of day, source network) can reveal the intrusion in time to stop it.
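To make that concrete, here is an added example (not code from the article or from HITRUST) that runs two kinds of review over constructed PHI access-log lines: a checklist review that looks for failures and unknown accounts, and a behavioral review that compares each account against an assumed per-user baseline. The log format, account names, IP addresses and baseline figures are all assumptions made for illustration.

```python
"""Why a checklist review of PHI access logs misses credential-based intrusions.

Added example, not from the original article. All log lines, accounts and
baselines below are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+) "
    r"patient=(?P<patient>\S+) result=(?P<result>\S+)$"
)

# Constructed: a clinician doing routine work from the clinic LAN.
NORMAL_LINES = [
    "2015-01-27T09:02:11Z user=jsmith src=10.20.4.17 action=READ patient=P1001 result=OK",
    "2015-01-27T09:15:40Z user=jsmith src=10.20.4.17 action=READ patient=P1002 result=OK",
    "2015-01-27T10:01:03Z user=jsmith src=10.20.4.17 action=UPDATE patient=P1002 result=OK",
    "2015-01-27T11:30:22Z user=jsmith src=10.20.4.17 action=READ patient=P1003 result=OK",
]

# Constructed: a support account whose password was phished, used at night from
# an outside address to read 40 records. Every line is a *successful* read by a
# *known* user, so nothing here looks like a failed attack.
COMPROMISED_LINES = [
    f"2015-01-27T02:{14 + i // 2:02d}:{(i * 7) % 60:02d}Z user=dba_ops src=203.0.113.45 "
    f"action=READ patient=P{2001 + i} result=OK"
    for i in range(40)
]

# Assumed per-user baseline, as it would be built from ~30 days of history:
# typical distinct patient records touched per day and source networks seen.
BASELINE = {
    "jsmith": {"patients_per_day": 12, "networks": ["10.20.4.0/24"]},
    "dba_ops": {"patients_per_day": 2, "networks": ["10.20.0.0/16"]},
}
KNOWN_ACCOUNTS = set(BASELINE)
VOLUME_MULTIPLIER = 5  # flag a day that touches more than 5x the baseline


def parse_log(lines):
    """Parse the constructed key=value log format into dicts."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        events.append(m.groupdict())
    return events


def checklist_review(events):
    """What 'routinely check the access logs' usually becomes in practice:
    look for failed access and for accounts that should not exist."""
    findings = []
    for e in events:
        if e["result"] != "OK":
            findings.append((e["user"], "failed access"))
        if e["user"] not in KNOWN_ACCOUNTS:
            findings.append((e["user"], "unknown account"))
    return findings


def behavioral_review(events, baseline):
    """Compare each account against its own history: how many distinct
    records it touched and whether it came from a known network."""
    patients = defaultdict(set)
    sources = defaultdict(set)
    for e in events:
        patients[e["user"]].add(e["patient"])
        sources[e["user"]].add(ipaddress.ip_address(e["src"]))
    findings = defaultdict(list)
    for user, profile in baseline.items():
        count = len(patients[user])
        if count > VOLUME_MULTIPLIER * profile["patients_per_day"]:
            findings[user].append(
                f"{count} distinct records vs baseline {profile['patients_per_day']}/day")
        known = [ipaddress.ip_network(n) for n in profile["networks"]]
        for src in sources[user]:
            if not any(src in net for net in known):
                findings[user].append(f"source {src} outside known networks")
    return dict(findings)


if __name__ == "__main__":
    events = parse_log(NORMAL_LINES + COMPROMISED_LINES)
    print("checklist review:", checklist_review(events))
    for user, reasons in behavioral_review(events, BASELINE).items():
        print(user, reasons)
```

The checklist review returns nothing for this data because the attacker never fails a login and never uses an unknown account; the behavioral review flags dba_ops on both volume and source. In practice the baseline would be computed from historical logs rather than hard-coded, and the thresholds tuned per role.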

As a result, healthcare organizations should consider moving towards a “never trust, always verify” security model. This ‘Zero Trust Privilege’ concept requires granting least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment. By implementing least privilege access, organizations can minimize their attack surface, improve audit and compliance visibility, and reduce risk – while lowering security complexity and costs.
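The following is an added example of such a decision, not code from the article and not any vendor's product logic. It evaluates a PHI access request on the three dimensions named above (who is asking, the context of the request, and the risk of the environment) and returns allow, step-up or deny. The roles, entitlements, trusted network, business hours and risk weights are assumptions chosen for illustration.

```python
"""Contextual least-privilege access decision: identity, context, risk.

Added example, not from the original article. Role entitlements, trusted
networks, business hours and risk weights are assumed values.
"""
import ipaddress
from dataclasses import dataclass, field

# Assumed role entitlements: the only actions each role may take on PHI.
ENTITLEMENTS = {
    "clinician": {"read_patient", "update_patient"},
    "support": {"read_patient"},      # single-record troubleshooting only
    "research": {"bulk_export"},      # approved extracts, still sensitive
}
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed clinic LAN
BUSINESS_HOURS = range(7, 20)                               # 07:00 to 19:59
STEP_UP_DENY_RISK = 6   # without MFA, this much context risk is refused outright
ABSOLUTE_DENY_RISK = 8  # even with MFA, this much risk is refused


@dataclass
class Request:
    user: str
    role: str
    action: str
    mfa_verified: bool     # a phished password alone gives False
    device_managed: bool
    src_ip: str
    hour: int


@dataclass
class Decision:
    outcome: str           # "allow", "step_up" or "deny"
    reasons: list = field(default_factory=list)
    risk: int = 0


def risk_score(req):
    """Risk of the access environment; each factor is an assumed weight."""
    score = 0
    src = ipaddress.ip_address(req.src_ip)
    if not any(src in net for net in TRUSTED_NETWORKS):
        score += 3
    if not req.device_managed:
        score += 3
    if req.hour not in BUSINESS_HOURS:
        score += 2
    if req.action == "bulk_export":
        score += 4
    return score


def evaluate(req):
    """Least privilege first, then identity assurance, then environment risk."""
    # 1. Least privilege: a role that is not entitled to the action never gets
    #    it, regardless of how strongly the user authenticated.
    if req.action not in ENTITLEMENTS.get(req.role, set()):
        return Decision("deny", [f"role {req.role} is not entitled to {req.action}"])
    risk = risk_score(req)
    # 2. Verify who: a password alone (what phishing steals) is never enough for
    #    PHI. Low-risk requests are challenged for a second factor; high-risk
    #    ones are refused so the attacker cannot even attempt the step-up.
    if not req.mfa_verified:
        if risk >= STEP_UP_DENY_RISK:
            return Decision("deny", ["no MFA in a high-risk context"], risk)
        return Decision("step_up", ["MFA required before PHI access"], risk)
    # 3. Risk of the environment: even a verified user is refused when the
    #    combination of unmanaged device, outside network and scope is too risky.
    if risk >= ABSOLUTE_DENY_RISK:
        return Decision("deny", ["risk too high for this action"], risk)
    return Decision("allow", [], risk)


if __name__ == "__main__":
    # Constructed requests: a clinician at work, the same clinician from home
    # with only a password, and a phished support account used at night.
    for req in (
        Request("jsmith", "clinician", "read_patient", True, True, "10.20.4.17", 10),
        Request("jsmith", "clinician", "read_patient", False, True, "198.51.100.7", 10),
        Request("dba_ops", "support", "read_patient", False, False, "203.0.113.45", 2),
    ):
        print(req.user, req.action, evaluate(req))
```

The ordering matters: entitlement is checked before anything else so that a stolen support password cannot be upgraded into a bulk export, and the MFA check distinguishes a legitimate user who can complete a challenge from an attacker who cannot. The weights are deliberately simple; a production engine would draw on device posture, session history and peer-group baselines.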

Healthcare organizations must recognize that HIPAA and HITRUST CSF compliance does not guarantee their systems are adequately protected from threats. These guidelines represent a minimum baseline, not adequate protection against a determined attacker. Security, as has been stated many times before, is a journey that requires continuous monitoring and robust controls adapted to new threats, not an annual checkbox exercise.

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
