HITRUST today released the following statement regarding the HIPAA settlement relating to the Anthem security breach in 2015.
An inaccurate media story earlier today reported that Anthem had a HITRUST CSF Certification at the time a breach occurred in 2015 and it did not adequately identify or address the issue relating to the breach. While Anthem did have a HITRUST CSF Certification, the organization did not have a breach in any system or area of the organization that was within the scope of its HITRUST CSF Certification.
A HITRUST CSF Certification is issued for a defined scope, which can include a single system or multiple systems together with their associated infrastructure and processes; that scope is documented in the Certification Report, and systems outside it are not covered by the certification.
While the system impacted was not in scope, no information security controls framework is capable of eliminating all breaches entirely, given the pace of emerging threats and the sophistication of state-sponsored threat actors and cyber criminals. A key component of any comprehensive information risk management framework is the ability to reduce risk while accounting for implementation effort and cost, and to provide the organizations that adopt it with updated guidance on emerging risks. The HITRUST CSF and CSF Assurance programs are enhanced regularly based on updated regulations, standards and best practices, including reviews of emerging threats and breach analysis.
Third-party assessments are vital to providing reliable, transparent assurances to internal and external stakeholders (such as a board of directors, senior management, regulators and customers). A certification based on a strong controls-based framework adds significant value to an organization by demonstrating an acceptable level of due diligence and due care for the protection of sensitive information. The HITRUST CSF and CSF Assurance programs have been used successfully by organizations to demonstrate compliance with the HIPAA Privacy and Security Rules as part of OCR investigations.
The HITRUST CSF is the basis for the Health and Public Health Sector implementation guidance for the NIST Cybersecurity Framework, and in 2018 the Government Accountability Office (GAO) Report to Congressional Committees on Critical Infrastructure Protection recognized that the HITRUST CSF's alignment with the NIST Cybersecurity Framework allows organizations to demonstrate compliance with NIST.
HITRUST also worked with the Department of Homeland Security and HHS to publish the Healthcare Sector Cybersecurity Framework Implementation Guide, helping healthcare organizations integrate all aspects of the NIST Framework into their cybersecurity programs. Building on this model, HITRUST is committed to developing additional guidance documents to support more streamlined implementation of the NIST Framework for many industry sectors.
For additional information, please refer to:
- Report to Congressional Committees on Critical Infrastructure Protection – https://www.gao.gov/assets/700/690112.pdf
- Healthcare Sector Cybersecurity Framework Implementation Guide – https://www.us-cert.gov/sites/default/files/c3vp/framework_guidance/HPH_Framework_Implementation_Guidance.pdf
Founded in 2007, HITRUST Alliance is a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain. In collaboration with privacy, information security and risk management leaders from both the public and private sectors, HITRUST develops, maintains and provides broad access to its widely adopted common risk and compliance management and de-identification frameworks; related assessment and assurance methodologies; and initiatives advancing cyber sharing, analysis, and resilience.
HITRUST actively participates in many efforts in government advocacy, community building, and cybersecurity education. For more information, visit www.hitrustalliance.net.
Kevin Lightfoot, 469-269-1117