Pratum Blog

The Basics of HITRUST CSF

If it seems like you’re devoting more hours every month to reassuring partners that they can trust you, you’re not alone. In modern supply chains, companies regularly entrust their data to other organizations. HITRUST CSF is one of many compliance frameworks that aim to make everyone feel better about that data sharing. HITRUST CSF and other frameworks create objective industry standards for measuring another organization’s information security maturity. HITRUST CSF originated in the healthcare industry, but it’s a powerful framework that’s gaining traction in more fields, so it’s worth understanding how it may work for you.

HITRUST CSF’s Origins

The framework began in healthcare in 2007, when the HITRUST Alliance released its CSF (Common Security Framework). Like other frameworks and compliance protocols (such as SOC 2, PCI, HIPAA, GDPR and many others), HITRUST CSF provides objective criteria for measuring how an organization secures data. It also carries the added weight of third-party validation at its higher levels. That reassures your partners that you’re not just saying you have the right controls and policies in place; a third-party assessor has confirmed it. With a third-party certification like HITRUST CSF in hand, you can streamline many vendor security checks down to sending them a copy of your certificate rather than answering a long list of questions. A popular phrase describes this advantage as “assess once; report many.”

Because of HITRUST CSF’s healthcare roots, it naturally draws comparisons to HIPAA. One key difference is that HIPAA is a federal law, while HITRUST CSF is an industry-created standard. Also note that HIPAA is a self-attestation, meaning a company’s partners have no validation that an organization is actually doing what they say. HIPAA also contains a lot of subjectivity, leaving organizations to ask each partner exactly what they mean when they say “we comply with HIPAA.” Because HITRUST CSF is a detailed, objective standard focused on risk management, you know what it means when you see that certification. If you earn HITRUST CSF certification, you will definitely have covered your HIPAA requirements.

When organizations have a choice about which framework to use to satisfy client requests, they frequently compare HITRUST CSF to SOC 2. For most organizations, Pratum recommends starting with SOC 2 unless your partners are specifically requiring HITRUST. SOC 2 certification requires less time and expense, and SOC 2 allows more flexibility in defining your own control activities.

HITRUST CSF is gradually gaining traction outside the healthcare industry, and when version 10 arrives in the spring of 2021, it will include some new language targeted at making it applicable to more industries.

How HITRUST CSF Works

CSF contains 19 domains and 135 controls and offers three Implementation Phases that all build on each other. (In other words, if you reach Phase 3, you’ve covered everything in Phases 1 and 2.) The three phases of HITRUST are:

1. HITRUST CSF Readiness Assessment – Using the MyCSF online portal, you’ll walk through the framework yourself and receive a CSF Self-Assessment Report. Many companies hire an Authorized CSF Assessor to help with this process, which typically takes about six months.

2. HITRUST CSF Validated Assessment – This phase requires you to hire a third-party Authorized External Assessor organization, whose work normally includes an onsite visit. The assessor submits their report to HITRUST within the MyCSF tool and HITRUST then issues a Validated Report. This process normally takes another six months.

3. HITRUST CSF Certification – At this phase, HITRUST actually reviews and certifies the organization’s entries and the assessor’s validation. This process can take 3-4 months.

Why Would You Use HITRUST CSF?

The most common driver for choosing any information security framework is that your customers demand it. In the healthcare space, some major companies such as Humana, CVS Caremark, United Healthcare Group and others refuse to work with any vendors until they complete a HITRUST CSF certification. In those cases, using HITRUST CSF is an easy decision, even if it’s not an easy process.

But many companies that have a choice in the matter are embracing HITRUST CSF, too. One of this framework’s advantages is the fact that if you’re working with partners across industries, you can use HITRUST for many of them. That can save you from trying to figure out the Venn diagram of multiple industry-specific frameworks. It also saves time and money because a single HITRUST certification may save you from complying with several other standards at the same time.

The HITRUST CSF Process

You should know at the outset that earning HITRUST CSF certification is a big undertaking. It requires about a year of work and a significant investment—$100,000 and up for most organizations. So the decision to pursue it obviously requires analysis of the business opportunities it will create for you (or preserve, if key clients are demanding you get it).

The process looks like this:

1. Scoping – You’ll start by using the framework’s system and organizational factors to scope your engagement. You’ll buy a license to HITRUST’s MyCSF online portal and fill out a detailed scoping questionnaire that leverages factors such as how much data you handle, how many active users you have, etc., to produce a list of the controls that will apply to you.

2. HITRUST CSF Readiness Assessment – Using MyCSF, you’ll do a thorough self-attested assessment of your current controls and policies. At this stage, you’ll be gathering documents, researching how you handle data and uploading documents and information to MyCSF. HITRUST reviews your submission to confirm that all the correct information is present and then issues a HITRUST CSF Readiness Assessment Report.

3. HITRUST CSF Validated Assessment – Now you’re ready to engage an Authorized External Assessor organization for a third-party validated assessment to affirm that the work you’ve done during the readiness assessment phase is still accurate and legitimate.

4. HITRUST Review – Through MyCSF, the External Assessor will submit their report to HITRUST for quality assurance review and the issuance of a HITRUST CSF Validated Assessment Report, which is valid for two years. To ensure you’re staying on track, your External Assessor will do a HITRUST CSF Interim Assessment after one year by testing some sample control requirements from across the 19 CSF domains.

HITRUST allows you to write corrective action plans (CAPs) for any areas where you fall short in your assessment. Typically, you’ll be expected to provide evidence in a year at the Interim Assessment that you’re taking meaningful action on your corrective action plan(s). And keep in mind that if you earn your certification with dozens of corrective action plans listed, your partners may decide that you have a long way to go and debate whether they can trust you with their data.

How Pratum Can Help

Pratum’s consultants specialize in a wide range of compliance frameworks and have assisted multiple clients with their HITRUST CSF journeys. Our consultants can assist IT teams with readiness assessments, identifying gaps and writing CAPs to implement new controls. HITRUST CSF puts a premium on seeing specific language in your policies, and our consultants can help ensure that you write them correctly.

Pratum also supports organizations during the validation stage. We’ll help interpret questions from the assessors and serve as your liaison to ensure that you can answer questions accurately and make your case when you feel an assessor may be viewing something incorrectly.

We’re eager to answer your questions as you consider whether HITRUST CSF is a smart investment for your organization. Please contact us today.

Shifting Your Organization's Security Model Mindset

How do you protect data when it leaves your building?

A few years ago, hardly anyone asked that question because data stayed home. But with the rise of cloud services, mobile computing and a pandemic, the trend of data following users became the norm in a matter of weeks. Suddenly, your data’s security had far less to do with your physical facility’s security. As a result, there is fresh interest in zero-trust architecture, where the mindset switches from a device-centric security model to a data-centric model.

In a zero-trust world, IT leaders assume that devices, networks and individual user accounts have already been breached. So they attach security factors to the data itself. This not only boosts security but expands the organization’s business opportunities. With a zero-trust approach, you can continue doing business with a valuable partner even if you’re not confident in their security systems. Thanks to a data-centric model, your data protects itself.

Moving to a Data-Centric Mindset

Not long ago, organizations could almost literally keep an eye on their data. Employees mostly worked in offices on company-owned devices plugged into company networks (or at least linked to company wireless networks). Data lived on a centralized server. For the most part, protecting your data meant controlling who entered your building.

Today, data roams the globe without its traditional bodyguards. The boundaries between work and personal life have blurred as employees access data around the clock and on a variety of desktop and mobile devices and networks. “We’re never fully at work and never fully at home,” says Pratum Founder and CEO Dave Nelson. “We’re always just kind of everywhere.”

The pandemic obviously accelerated adoption of remote work by years. And with 90% of HR leaders saying they intend to maintain some form of work-from-home policies after the pandemic, the call for a data-centric model has unprecedented momentum.

“Many organizations are still basing their security model on something that doesn’t exist anymore. You no longer control the devices or networks. And that’s scary for data managers and business leaders. Many of the risks that leaders were willing to take were based on a security model that was basically invalidated overnight.”

– David Nelson, President and CEO, Pratum

Who's Really Accessing Your Data?

From an identity perspective, we now have complete strangers touching organizational data every day. When an employee logs in from a remote location, how much do we know about the security of their network? Are they working on a home computer with outdated antivirus protection? When a vendor logs into your distribution and inventory platform, how do we even know it’s them and not someone who stole their credentials? Are your industry partners protecting the login credentials you give them or handing them out to multiple employees?

Those questions, Nelson says, overturned many long-held best practices. “We saw a lot of IT leaders freaking out when business leaders came to them and said, ‘I know you’ve done all this work over the last 15 years to make our network and data secure, but we’re going to send everybody home, and we need those people to get access to all that data from devices you don’t know.’”

Zero-trust architecture ensures your data is safe, even if, for example, someone intercepts it while your employee is working on a coffee shop network. IT leaders can quit worrying about the specific device or network in use because their security has now become data-centric.

Components of Zero-Trust Architecture

Moving to zero-trust architecture represents a major IT project, but many information security consultants are telling their clients that it should become a top priority. Though widespread adoption is starting only now, the concept has been around for years. All the major information security players support the use of zero-trust architecture, including Microsoft, Fortinet, Cisco and Amazon Web Services.

That’s essential, because in a zero-trust environment, each use of data must be vetted through multiple security layers. For example, you might grant read-only access to a file as long as the user is on a computer with antivirus software installed. Before users can modify the file, their devices must clear a much higher security bar. For example, the system might run a basic “health screen” of the computer for proof that it has run an antivirus check in the last 12 hours, has an acceptable firewall, is part of an approved domain, etc. The system may also grant provisional access by requiring, for example, that the computer run another antivirus scan before it is allowed to modify files.

While the number of zero-trust components varies by the platform you’re using, these are the six core principles:

1. Identities – Strong authentication tools should validate every user’s identity. It starts with strong passwords/PINs and extends into digital signatures and multifactor authentication tools such as tokens, certificates and biometrics. In all situations, organizations should follow a policy of least-privileged access, in which users receive access only to the data they need to do their job.

2. Devices – Any device seeking to access company data must comply with policies such as having a firewall turned on and rules validated; anti-malware software turned on and set to scan daily; and auto-update enabled to ensure software is adequately patched.

3. Applications – The system should inventory all applications and data locations, including client-server (ERP, core platforms, accounting, etc.); desktop (Adobe, Microsoft Access, My Documents/Desktop); and cloud solutions (Salesforce, AWS, etc.). Administrators should determine ownership and management responsibilities and enforce and audit security compliance.

4. Telemetry & Monitoring – We’re overwhelmed with system activity reports, so you need a robust system to make sense of all the noise and spot potential threats. (Pratum’s Security Operations Center ingests about 6 billion events each day across all of our managed XDR/SIEM clients.) Organizations should track detailed usage statistics such as date/time of access; location of the access; sizes of files accessed; bandwidth utilization and more.

User & Entity Behavior Analytics (UEBA) solutions model typical user behavior and flag anomalous activity. This system might, for example, note that a user who typically works 9-5 is logging in at midnight from a new device. That might indicate an attempted breach in progress.

In a similar vein, Extended Detection and Response (XDR) solutions with Security Information and Event Management (SIEM) track activity in all corners of your technology stack and proactively stop potential threats before they can do any damage.

5. Networks – Networks still play a key role as security boundaries since they can be explicitly trusted and can encrypt all communications.

6. Information Rights Management (IRM) – In a platform using IRM, data carries its own rules for use. For example, e-mail may be set to restrict forwarding of messages marked as confidential. In Word or Excel, users may be prohibited from opening or printing files unless they are using a company-owned device. Note that these rules often can be circumvented if they aren’t used in conjunction with file encryption.
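The UEBA idea under principle 4 (a user who normally works 9-5 logging in at midnight from a new device) can be reduced to a small baseline-and-compare check. The following is an added example, not Pratum's code; the login log lines, user names and device ids are constructed sample data.

```python
"""Learn each user's usual login hours and devices from past successful logins,
then flag new logins that fall outside that baseline (UEBA in miniature)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample history (not real telemetry): timestamp,user,device,result
HISTORY = """\
2021-03-01T08:55:00,alice,LAPTOP-A1,success
2021-03-01T17:02:00,alice,LAPTOP-A1,success
2021-03-02T09:10:00,alice,LAPTOP-A1,success
2021-03-02T16:45:00,alice,LAPTOP-A1,success
2021-03-03T08:58:00,alice,LAPTOP-A1,success
2021-03-01T07:30:00,bob,DESKTOP-B7,success
2021-03-02T07:35:00,bob,DESKTOP-B7,success
2021-03-02T12:00:00,bob,PHONE-B2,success
2021-03-02T12:05:00,bob,PHONE-B2,failure
"""

def parse_login(line):
    """Split one CSV log line into (datetime, user, device, result)."""
    ts, user, device, result = line.strip().split(",")
    return datetime.fromisoformat(ts), user, device, result

def build_profiles(log_text):
    """Per user, collect the hours and device ids seen in successful logins."""
    profiles = defaultdict(lambda: {"hours": set(), "devices": set()})
    for line in log_text.strip().splitlines():
        ts, user, device, result = parse_login(line)
        if result != "success":  # failed attempts do not define "normal"
            continue
        profiles[user]["hours"].add(ts.hour)
        profiles[user]["devices"].add(device)
    return profiles

def hour_distance(a, b):
    """Distance between two hours on a 24h clock (23 and 0 are 1 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def score_login(profiles, line, slack_hours=1):
    """Return the reasons a login deviates from the user's baseline;
    an empty list means the login looks normal."""
    ts, user, device, _ = parse_login(line)
    prof = profiles.get(user)
    if prof is None:
        return ["no baseline for user"]
    reasons = []
    if all(hour_distance(ts.hour, h) > slack_hours for h in prof["hours"]):
        reasons.append(f"unusual hour {ts.hour:02d}:00")
    if device not in prof["devices"]:
        reasons.append(f"new device {device}")
    return reasons
```

A real UEBA product scores many more dimensions (location, data volume, peer group), but the flagged reasons are what an analyst would pivot on in the SIEM.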

The Power of Conditional Access

A key step in the zero-trust system is assigning conditional access to different types of files, recognizing that there isn’t a one-size-fits-all solution here. Locking every file down in the same way will surely make daily work harder than it needs to be for many users. Setting file access levels should not fall solely on the IT team. IT needs input from other leaders to explain the sensitivity of data in any given file type and who should be able to use it.

This chart provides examples of how an organization may set access for various types of files.

[Chart: Example of Conditional Access Policy]
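The device "health screen" described earlier (read-only access with antivirus installed; modification only after a firewall, approved-domain and 12-hour antivirus-scan check; provisional access pending a rescan) can be written down as a policy decision function. This is an added example, not Pratum's code or the chart's policy; the sensitivity tiers, the company-owned-device rule and the posture fields are assumptions for illustration.

```python
"""Conditional-access decision for a file request based on device posture."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

AV_MAX_AGE = timedelta(hours=12)  # the post's "antivirus check in the last 12 hours"

@dataclass
class DevicePosture:          # assumed posture fields reported by the endpoint agent
    antivirus_installed: bool
    last_av_scan: Optional[datetime]  # None = no scan on record
    firewall_on: bool
    domain_joined: bool
    company_owned: bool

def health_failures(posture: DevicePosture, now: datetime) -> List[str]:
    """The higher bar a device must clear before it may modify a file."""
    failures = []
    if not posture.firewall_on:
        failures.append("firewall off")
    if not posture.domain_joined:
        failures.append("not in approved domain")
    if posture.last_av_scan is None or now - posture.last_av_scan > AV_MAX_AGE:
        failures.append("antivirus scan older than 12h")
    return failures

def decide(action: str, sensitivity: str, posture: DevicePosture,
           now: datetime) -> Tuple[str, List[str]]:
    """Return (decision, reasons); decision is 'read-only', 'allow',
    'provisional' (rescan, then modify) or 'deny'."""
    if not posture.antivirus_installed:
        return "deny", ["no antivirus installed"]
    # Assumed tier rule: confidential files never open on non-company devices
    if sensitivity == "confidential" and not posture.company_owned:
        return "deny", ["confidential data requires a company-owned device"]
    if action == "read":
        return "read-only", []
    if action != "modify":
        return "deny", [f"unknown action {action!r}"]
    failures = health_failures(posture, now)
    if not failures:
        return "allow", []
    # Only a stale scan stands in the way: a fresh scan lifts the block
    if failures == ["antivirus scan older than 12h"]:
        return "provisional", failures
    return "deny", failures

def demo():
    """Evaluate a few constructed postures at a fixed time."""
    now = datetime(2021, 3, 15, 12, 0)
    fresh = DevicePosture(True, now - timedelta(hours=2), True, True, True)
    stale = DevicePosture(True, now - timedelta(hours=20), True, True, True)
    byod = DevicePosture(True, now - timedelta(hours=1), True, True, False)
    no_av = DevicePosture(False, None, True, True, True)
    return {
        "fresh-modify": decide("modify", "internal", fresh, now),
        "stale-modify": decide("modify", "internal", stale, now),
        "stale-read": decide("read", "internal", stale, now),
        "byod-confidential": decide("read", "confidential", byod, now),
        "no-av-read": decide("read", "public", no_av, now),
    }
```

Returning the reasons alongside the decision is what lets the help desk explain a block to a user and lets the SIEM audit why access was granted.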

As you consider how your environment needs to adapt to new working styles and whether zero-trust architecture may be right for your organization, Pratum can help. Contact us today for a free consultation on the best way to protect your critical data.

Microsoft Exchange Breach: What We Know So Far

In early March, the zero-day breach of the Microsoft Exchange Server instantly became the cybersecurity story of 2021 so far. Along with the SolarWinds breach of late 2020, this represents the second suspected state-sponsored cyberattack in quick succession, continuing to provide a wakeup call to many organizations.

When news broke about the four Exchange vulnerabilities on March 2, Pratum consultants immediately began contacting clients and instructing them to update their servers with Microsoft’s available patches as soon as possible. However, it’s crucial to understand that hackers exploited the vulnerability before the patches were released. So even if your servers have been patched, this remains a live situation as Pratum’s cybersecurity experts continue to determine exactly what the attackers accomplished with the zero-day attack. The following summary covers what we know so far about the situation. We will continue to update this blog as more information becomes available.

Impacted Systems

The new Exchange Server vulnerabilities primarily affect on-premises e-mail servers frequently used by small- and medium-size businesses. This was a widespread attack that sought to compromise any Exchange server it could find through online scans. When the attackers located a vulnerable Exchange Server, they typically inserted malware that would allow them to develop full attacks on compromised organizations at a later date.

The breach impacts on-premises Exchange Server 2013, 2016 and 2019 and can give attackers access to e-mail accounts, as well as a foothold to act within the targeted environments over the long term. Microsoft stated that the attack was initially traced to HAFNIUM, a state-sponsored group operating out of China. The United States has seen the highest number of attacks.

The vulnerability was initially identified in January and became widely known when Microsoft announced its patches on March 2. As news of the vulnerability spread, attackers worldwide quickly began to exploit the vulnerability by implanting ransomware and other malware. In the second week of March, reports indicated that the number of attacks was doubling every few hours. Experts estimate that as many as 60,000 organizations have been hacked so far.

When the vulnerability was publicized, Pratum’s incident response team began working around the clock to help clients investigate their systems to identify when their system was compromised and what type of activity took place during the compromise.

What You Can Do Now

Here are Pratum’s key recommendations as of this writing:

  • Install the Updates – By March 2, Microsoft had released updates covering approximately 95% of all exposed versions of Microsoft Exchange Server. Ideally, you’ve already updated your server with the available patches. If not, install the updates immediately. (Even two weeks after news of the vulnerability broke, experts estimated more than 80,000 servers worldwide remained unpatched.)
  • Check Your Vulnerability – This Microsoft script on GitHub can check whether your system is still vulnerable. Remember: If you can scan your own system that easily for vulnerabilities, so can hackers. You also can check whether your domain is on the list of those potentially compromised. Note that this list isn’t updated, so if you’ve installed the patches, your domain will still appear on the list.
  • Search for Threats – Installing the update and closing the vulnerability does not solve the problem. Nearly every case that Pratum has investigated has revealed web shells planted in February, which could open your system to backdoor attacks and malware. (A web shell is a malicious script that hackers embed so that they can exploit your system via a web server.) You will need to pursue a threat-hunting strategy to fully determine what compromises your system may have suffered. Pratum can assist with this threat-hunting effort. You also can read Microsoft’s latest mitigation guidance here. You’ll find additional info through Microsoft’s list of observed indicators of compromise (IOCs). This site from the federal Cybersecurity and Infrastructure Security Agency includes a chart of observed malicious activities.
  • Block Known Malicious IPs at the Firewall – We haven’t located a single, comprehensive list of these known IPs online, but Pratum is building its own reference list. Please contact us to learn more.
  • Reset All Administrator and User Passwords – Don’t overlook this basic precaution.
  • Back Up Your Exchange Server – This backup should be in a different location, outside of your network, even if you have installed the patches. We expect new malware and ransomware attacks to emerge, and you should be prepared by backing up your server.
  • Engage a Digital Forensics Team to Examine Your Network – It will almost certainly take weeks or months to determine how threat actors infiltrated systems before the patches were applied. Most organizations will need a digital forensics expert to root out any malware that may be on your network. Note that with thousands of organizations compromised, availability of incident response teams is likely to be limited.
  • Follow Developing Events – Pratum will update this blog as new information becomes available. We also recommend following the well-known cybersecurity news source Krebs on Security for updates.
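One concrete piece of the "Search for Threats" step is a file-system sweep for web-served script files that appeared or changed in the suspect window (February, per the cases above) and that are not part of the expected product install. The following is an added example, not Pratum's threat-hunting tooling; the web root, file names and baseline are constructed placeholders, and on a real server you would point it at the Exchange/IIS web directories with a baseline taken from a clean install.

```python
"""Hunt for unexplained web script files modified inside a suspect time window."""
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

WEB_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}  # file types IIS will execute

def hunt(root, window_start, window_end, baseline):
    """Return sorted (relative_path, mtime) pairs for script files whose
    modification time lies in the window and that are absent from the
    baseline set of expected relative paths."""
    hits = []
    root = Path(root)
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
            continue
        rel = path.relative_to(root).as_posix()
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if window_start <= mtime <= window_end and rel not in baseline:
            hits.append((rel, mtime.isoformat()))
    return sorted(hits)

def demo():
    """Build a constructed web root with one expected page and one file not
    in the baseline, both last modified in the window, then run the hunt."""
    tmp = Path(tempfile.mkdtemp())            # placeholder for the web root
    known = tmp / "wwwroot" / "app" / "index.aspx"
    known.parent.mkdir(parents=True)
    known.write_text("<!-- expected product file (constructed) -->")
    odd = tmp / "wwwroot" / "app" / "unexplained.aspx"
    odd.write_text("<!-- file not in baseline (constructed) -->")
    # Set both modification times into the suspect window (constructed)
    feb = datetime(2021, 2, 28, 3, 0, tzinfo=timezone.utc).timestamp()
    os.utime(known, (feb, feb))
    os.utime(odd, (feb, feb))
    start = datetime(2021, 2, 1, tzinfo=timezone.utc)
    end = datetime(2021, 3, 2, tzinfo=timezone.utc)
    return hunt(tmp, start, end, baseline={"wwwroot/app/index.aspx"})
```

Timestamps can be altered by an attacker, so a hit list from this sweep is a starting point for the forensics team, not a clean bill of health when it comes back empty.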

If you need assistance in understanding exactly what vulnerabilities still exist in your system because of this breach, please contact Pratum to talk with one of our advisors.
