
Three Mistruths about the Anthem Breach and HITRUST CSF Certification

Ray Biondo
Senior Vice President and CISO, BEYOND HC LLC

It has been dismaying to follow the recent inaccurate reporting in the news and misinformation posted by individuals that seem to discredit HITRUST for their own professional gains. I was previously a CISO with an organization that adopted the HITRUST CSF, obtained a HITRUST CSF Certification for a large scope of the organization, am now with a CSF Assessor organization, and believe I can accurately communicate the facts without letting my personal bias get in the way.

I do agree there are a few aspects that are worthy of having a conversation:

Why didn’t Anthem’s HITRUST CSF Certification at the time of the 2015 breach adequately identify or address the issue relating to the breach?

As clarified in this public statement by HITRUST, while Anthem did have a HITRUST CSF Certification, the system and/or area of the organization that was compromised was not within the scope of its HITRUST CSF Certification. Thus, the HITRUST CSF Certification was not even considered as part of the review by OCR in the case of this breach.

Why would HITRUST allow a system that includes PHI, PII or other sensitive information not to be in scope of a HITRUST CSF Certification?

A HITRUST CSF Certification is issued based on a defined scope, which can include a single system or multiple systems and associated infrastructure and processes. There are many legitimate reasons why scope would be defined and limited or not include the entire organization. Those reasons include the acquisition of, or merger with, a new company; a new system being implemented; or simply the organization is too large to scope as one “system.” Take Microsoft for example. They recently announced their HITRUST CSF Certification for Office 365. This system alone is a significant undertaking and it would be nearly impossible to scope the entire organization at once. Also, many organizations get started with one system to show progress and build out their scope over time. This is true for certification against ANY framework, by the way, whether it be HITRUST, ISO, PCI or another. I also confirmed with HITRUST that in 2014 they updated their policies so that organizations must include the scope of the HITRUST CSF Certification in any public communication and not generally refer to the organization as being HITRUST Certified.

Why isn’t the HITRUST CSF risk-based and why would I certify against it?

Although some believe control frameworks encourage a “check the box” compliance-based approach to information protection, the HITRUST CSF is actually a risk-based framework.  This is because the HITRUST CSF builds upon the risk analyses used to create and maintain the NIST SP 800-53 control catalog to create a tailored, industry-level overlay of the NIST moderate impact security control baseline that considers, integrates, harmonizes, and maps to multiple legislative, regulatory, and best practice frameworks such as HIPAA, HITECH, GDPR, ISO, FFIEC, and more. Most organizations don’t have the resources to do a risk analysis on their own and need a framework-based approach that offers risk reduction while at the same time considers implementation effort and cost. Because HIPAA and NIST do not provide certifications, many organizations use the HITRUST CSF to show conformity to these regulatory and best practice standards. The Healthcare Sector Cybersecurity Framework Implementation Guide, recognized by the GAO and available from the U.S. CERT Cybersecurity Framework Website, provides joint public-private guidance for any Healthcare and Public Health Sector organization that wishes to implement the NIST Cybersecurity Framework leveraging the HITRUST CSF. It is also recognized by OCR investigations for showing compliance with HIPAA privacy and security rules. By going further and gaining HITRUST CSF Certification, organizations can demonstrate an acceptable level of due care—in an accurate, precise, repeatable, and transparent way—through an independent third-party assessment. In fact, organizations go through very similar processes for PCI, ISO, and government system-level certifications. Here is a link to an article in the ISSA Journal that describes how to leverage a control-based framework like the HITRUST CSF to simplify the risk analysis process.

So is HITRUST CSF Certification worth it? Would you hire someone based only on his or her professional certification? No. You would also consider their experience and education. Does a certification guarantee that an individual won’t make a mistake? Of course not. But a certification provides the common understanding and context from which to build transparency and trust in the individual, or in the case of the HITRUST CSF, its implementation in an organization.

In my opinion the HITRUST CSF is the best information privacy and security framework and certainly the best controls-based information security framework. Remember: the NIST Cybersecurity Framework is not controls based, which means you need to define the controls needed to achieve the cyber outcomes it specifies, and which is why it marries well with the HITRUST CSF. You also need a reliable method of demonstrating the effectiveness of an organization’s privacy and security controls, which is done through the CSF Assurance program.

There is always room for improvement and I believe it is critical to the state of the security of our nation that we come together, step up as leaders, and work to make our existing programs better—not simply resorting to complaints and spreading mistruths.