Repeat after me: frameworks are not standards. They are instead often used as a guide to navigate through the underlying standards.
There are lots of frameworks cropping up in the cybersecurity world. If you’re completely new to, let’s say, protecting critical infrastructure, and not even sure how to begin working out the right controls, then you take a trip to NIST’s own Critical Infrastructure Security Framework.
Is there anything similar in the world of healthcare to navigate its complex security and privacy regulations?
The folks at the Health Information Trust Alliance, or HITRUST, have, after working with healthcare and IT experts, come up with their own Common Security Framework (CSF).
Nitty Gritty of Common Security Framework
A healthcare security framework has to take into account the entire scope of healthcare security, including not just the actual health data, but other data as well, for example, financial and transactional information.
So it’s not surprising that HITRUST’s sprawling CSF — over 400 pages of guidance goodness covering 13 different areas — has controls that map into HIPAA’s safeguards for protected health information, PCI DSS for credit card data, and COBIT controls related to financial information—to name just a few!
The overall idea is you dive into CSF to refer to an area in healthcare you’re interested in safeguarding, say access control, and then find the actual compliance and regulatory mappings. CSF provides several levels of these mappings — that would be Level 1, Level 2, and Level 3 — so that you have increasing granularity in your implementation.
For example, in the case of CSF’s information access control policy (Control 1.1a), CSF directs you to HIPAA 164.308(a)(4). Remember that HIPAA requirement? It’s where HIPAA tells you to implement policies so that authorized users get access only to the minimum information they need to do their jobs.
Keep in mind that HIPAA is technology neutral and not overly prescriptive. So if you want a more specific requirement for getting this done, the Level 2 mapping then directs you to ISO 27002 A.9.1.1. To jog your memory, this is where the ISO folks get into the weeds on prescribing specific controls for apps and information.
Varonis Can Help
Yes, we can! CSF is a giant meta-standard and a good resource for those planning comprehensive solutions for every aspect of healthcare security, down to the level of electrical equipment safety — see CSF Control 0.8.d and its NIST Cybersecurity Framework mapping!
Varonis already provides support for many of the key compliance standards — especially the aforementioned HIPAA and PCI—which form the basis of many of the Level 1 and Level 2 mappings.
If you’re looking for an overall map — yes, another map! — that shows some of the key areas where Varonis can help in CSF, please review the table below.
CSF CONTROL CATEGORY | MAPPINGS | SOLUTIONS |
01: Access Control | (.02) Authorized Access to Information System; (.06) Application and Information Access Control | |
02: Human Resources Security | (.04i) Termination of Employment / removal of access rights | |
03: Risk Management | (.01b) Performing Risk Assessments; (.01c) Risk Mitigation | |
06: Compliance | (c) Protection of organizational records (retention); (d) Data protection and privacy of covered information (retention) | |
07: Asset Management | (.02d) Classification Guidelines | |
09: Communication and Operating Management | (.10aa) Monitoring/audit logging | |
10: Information Systems Acquisition, Development, and Maintenance | (.04) Security of System Files | |
11: Information Security Incident Management | (01a) Reporting Information Security Events | |