The HITRUST Common Security Framework (CSF) allows healthcare entities to demonstrate compliance with many different standards and regulations such as HIPAA, ISO, NIST, SOC 2, GDPR, PCI, CMS, MARS-E, and more. You can learn more about their background here: http://hitrustalliance.net/about-us/

As one of the HITRUST CSF assessors, LBMC Cybersecurity participated in the effort to integrate security standards from the Centers for Medicare and Medicaid Services (CMS) and NIST into the HITRUST Alliance framework. In 2010, we became one of the first HITRUST CSF assessor organizations, which makes us well qualified to use the HITRUST CSF to ensure your organization's information is secure and reliable.

HITRUST, in collaboration with leaders from the private sector, government, technology, and the information privacy and security space, established the HITRUST CSF, a certifiable framework that can be used by any organization that accesses, stores, or exchanges sensitive information.

Any organization can achieve the coveted HITRUST CSF certification, but it takes some patience, a great deal of executive support, and, sometimes, a helping hand.

Whether you are maintaining an existing HITRUST certification or seeking certification for the first time, now may be a good time to review the HITRUST guidance and make sure your policies and procedures are up to standard.

1. Applicability of Policies and Procedures

Policy and procedure maturity levels, and the associated scoring, apply only to r2 assessments. Remember, however, that although e1 and i1 assessments focus solely on control implementation, some requirement statements still require a review of policy and procedure documentation.

2. Policy and Procedure Latency

The minimum number of days that a remediated or newly implemented policy or procedure must be in place to be considered for scoring is 60 days. For organizations currently in the remediation phase, policy and procedure updates must have existed for 60 days in order to be evaluated during the testing period. Likewise, organizations undergoing a validated assessment may leverage policies and procedures that have been implemented for 60 days. Note: the number of days for the Implemented, Measured, and Managed maturity levels is 90 days.

3. Policy and Procedure Scoring

The maturity levels for policies and procedures are scored according to the HITRUST Control Maturity Scoring Rubric, based on a calculation of the strength of the policy or procedure and the percentage of evaluative elements addressed by the documentation.

4. Policy and Procedure Format

Policy: The overall intention and direction as formally expressed by management, most often articulated in documents that record high-level principles or courses of action; the intended purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives, and strategic plans established by the enterprise management team.
Procedure: A detailed description of the steps necessary to perform specific operations in conformance with applicable standards. A procedure is defined as part of a process.

Please note that HITRUST does not require that policy statements reside only in policy documents or that procedures reside only in procedure documents. Documentation can take many forms, including standards, manuals, guidelines, directives, and so on.

HITRUST® continues to see tremendous growth and success in the marketplace by helping address the multitude of security, privacy, and regulatory challenges that organizations face. When companies begin their HITRUST journey, we often hear a number of common misconceptions.

1. Can you become HIPAA certified?

Unfortunately, the HIPAA Security Rule's many administrative standards and implementation specifications, along with its technical and physical safeguards, however those terms are interpreted, lack the prescription that healthcare organizations need to actually implement them. The HITRUST CSF® maps to the HIPAA Security Rule, Breach Notification Rule, and Privacy Rule as optional regulatory factors that can be selected for inclusion in an r2 assessment. When selected, these provide reasonable assurance that your organization meets the requirements of the rules. Additionally, HITRUST offers a MyCSF Compliance and Reporting Pack for HIPAA that compiles evidence from the r2 assessment and generates a report that parses applicable HIPAA requirements to an organization's HITRUST assessment. That report can be shared directly with auditors or investigators to demonstrate compliance.

2. If I am not a healthcare entity, can I still become HITRUST certified?

Absolutely! HITRUST, in collaboration with privacy, information security, and risk management leaders from the public and private sectors, develops, maintains, and provides broad access to its widely adopted risk and compliance management framework. It now includes 46+ mapped authoritative sources and has strong adoption rates across a broad spectrum of industries including manufacturing, banking, airlines/entertainment, and telecommunications. Indeed, if you are in one of these industries, you are likely hearing about HITRUST as a way to communicate your organization's security and privacy practices using the HITRUST CSF.

3. A common misconception is that HITRUST came about as a result of failed OCR HIPAA audits. Is that true?

OCR's HIPAA audits did not begin until 2011. HITRUST was founded in 2007. LBMC has been a staunch supporter of the HITRUST CSF since February 2010.

4. Can an organization become certified against the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework (CSF) is a globally recognized set of standards that provides organizations with the foundational elements necessary to design, assess, and mature their cybersecurity programs.

HITRUST recognizes that many organizations prefer the reporting structure defined in the NIST Cybersecurity Framework. In conjunction with an r2 validated assessment, HITRUST issues a NIST CSF report scorecard that details an organization's compliance with the NIST Cybersecurity Framework-related controls included in the HITRUST CSF framework.

5. Is the HITRUST program truly an "Assess Once, Report Many"™ audit program?

Yes. Experienced audit firms have developed processes that enable their staff to combine the criteria for multiple audit needs and pass those savings on to your organization through increased efficiency, reduced audit fatigue, higher quality, and more consistent and reliable results. If an audit firm discourages you from taking this approach, it may not have the staff skills or tools to execute it properly.

6. Is the HITRUST CSF framework designed to allow me to achieve ISO 27001 certification?

The HITRUST CSF framework and certification process can be used to assist with ISO 27001 certification efforts. As with any assessment, be sure to do your homework on your service provider's skills and knowledge in performing any assessment or readiness exam. Many benefits can be derived from combining security and/or privacy assessment testing when multiple reporting options are needed. When combining assessments, the intent and specific requirements of each certification must be taken into account, beginning at the planning stage of the project.

A good example is described in a recent HITRUST white paper: http://hitrustalliance.net/casestudy/leveraging-hitrust-mycsf-to-maintain-iso-27001-certification/ Below are a few points from HITRUST's FAQ on the topic, for those looking for a firm that can support them in obtaining multiple certifications:

  • ISO 27001 certification focuses on the Information Security Management System (ISMS), which includes an evaluation of the information security risk assessment and treatment processes. However, "organizations can design controls as required, or identify them from any source" (ISO 27001, § 6.1.3.b, p. 4). Further, although ISO 27001 Annex A contains a list of control objectives and controls, "they are not exhaustive and additional control objectives and controls may be needed" (ibid., § 6.1.3.c, p. 4). And although ISO assessors must produce a "Statement of Applicability that contains the necessary controls (see 6.1.3 b and c) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A" (ibid., § 6.1.3.d, p. 4), this does not go beyond the requirements of Annex A. Consequently, organizations have wide latitude in the controls they specify to address the risks they identify at a level suitable to their risk appetite. ISO certification assessors also have some latitude in how they evaluate the effectiveness of controls, and there is no quality control of the assessments other than a general requirement that consultants who help organizations prepare for ISO certification do not perform the certification assessment.
  • The HITRUST CSF provides a comprehensive baseline of prescriptive control requirements tailored to an organization's specific organizational, system, and regulatory risk factors. The detailed testing procedures prescribed by these baseline requirements focus on the maturity of this control baseline's implementation, using a specific, rigorous assessment approach and scoring model in order to gauge the level of excessive residual risk to ePHI in the organization. Like ISO, testing must be performed by approved assessors, referred to by HITRUST as Authorized External Assessor Organizations. Quality assurance is provided by HITRUST.

More information on this topic can be found here.


I have worked in the technology field for more than 30 years and have dealt with assessors from all of the large firms in this space, and I can proudly say that LBMC is second to none. Throughout the HITRUST process, the team was simply an extension of our own; it was a very enjoyable and very rewarding experience!
LBMC was very flexible and able to adapt to our specific needs. With its HITRUST certification, LBMC gave us a unique position, which allows healthcare entities to demonstrate compliance with many standards and regulations. With LBMC, you get a "Big Four" type of practice without the high cost. The local access and level of service LBMC provides cannot be matched by those large, national service providers.
Needing a HITRUST assessment, we wanted a partner with HITRUST experience that we could meet with face to face on a regular basis. That led us to choose a local firm with sufficiently large resources and a good reputation. LBMC was attractive because they had it all. All in all, our team greatly values LBMC's highly qualified professionals and accessible expertise.

As a HITRUST assessor, LBMC Cybersecurity's experts can help ensure that your organization is prepared for HITRUST as you embark on the journey of certification and of establishing a well-known and generally accepted security framework within any industry.


HITRUST has developed an assurance program that allows for independent HITRUST certification or validation against the framework. These validation or certification engagements must be performed by organizations (assessors) that have been specially trained and vetted by HITRUST as having experience and expertise specifically in healthcare information security.

Per HITRUST requirements, an interim assessment must be completed as a follow-up after the first year of certification. LBMC Cybersecurity can provide this assessment to gauge the organization's current state against the HITRUST CSF and will leverage any evidence gathered to submit an Annual Review Letter to HITRUST.

The COVID-19 pandemic has created difficulties in carrying out certain aspects of HITRUST CSF Assessments due to restrictions on travel, meetings, and access to company sites. In response, HITRUST has issued guidance for requesting an extension of the certification period. If you are looking for an external assessor to perform your assessment, LBMC is ready to help. With a decade of experience helping companies meet HITRUST requirements, and the most experienced team in the industry, we aren't going anywhere!

As head of the assessor "Ten-Year Club", LBMC is the longest-serving assessor in the industry and has the most experienced team in the business. Back in February 2010, our leaders signed on the dotted line to join a movement that has become the modern-day gold standard in security and privacy assessments. We have built an assessment team led by experts who have contributed to this success for the longest time.

We have helped countless organizations achieve their HITRUST CSF certification goals. Yes, we have learned many lessons along the way. In fact, we sit on the Assessor Council and help educate and promote the industry. We feel compelled, and to some degree obligated, to offer some encouragement and advice to those about to embark on this journey. Please feel free to contact us to learn how we can help you complete yours!
