AWS Partner Network (APN) Blog

How to Streamline HITRUST Compliance with AWS and A-LIGN

By Cheryl Cage, Sr. Security Partner Strategist – AWS
By Blaise Wabo, Healthcare and Financial Services Knowledge Leader – A-LIGN

As the average cost of a data breach rises, protecting sensitive data is increasingly important across industries. It’s critical that companies ensure they have the right controls and security in place to protect data against evolving cyber threats.

The HITRUST Common Security Framework (CSF) is a comprehensive, flexible, and certifiable security and privacy framework providing clear and actionable guidelines to navigate the complex landscape as technology, federal and state laws, and regulations continue to evolve.

Originally focused on healthcare, HITRUST is now used by organizations across industries to demonstrate regulatory compliance and risk management to a global audience.

Even wider adoption of HITRUST is also underway with the Qualified Health Information Network (QHIN) designation within the Trusted Exchange Framework and Common Agreement (TEFCA). QHIN is a new federal designation for networks that interconnect to expand national health information exchanges (HIEs). The HITRUST r2 certification is currently the only framework that meets the TEFCA cybersecurity standards.

Not surprisingly, HITRUST compliance can be a complex and time-consuming process. Organizations can make it more efficient with A-LIGN’s compliance automation platform, A-SCEND, which integrates with Amazon Web Services (AWS) to automate evidence collection and continuously monitor cloud security in accordance with Center for Internet Security (CIS) benchmarks.

A-LIGN is an AWS Select Tier Services Partner and AWS Marketplace Seller that’s also a member of the Global Security & Compliance Acceleration (GSCA) program. A-LIGN provides auditing and cybersecurity assessment consulting services across multiple security frameworks for private and public sector entities and is a leading HITRUST CSF external assessor.

In this post, we provide an overview of the HITRUST framework, describe the benefits of using AWS services with A-SCEND, and offer practical guidance and best practices for streamlining HITRUST compliance. By following these strategies, organizations can reduce the time and cost associated with HITRUST compliance.

Shared Responsibility and Inheriting HITRUST Controls

The HITRUST CSF is a certifiable framework designed to help organizations achieve compliance with multiple regulatory requirements, including HIPAA, HITECH, NIST, and PCI DSS. It includes 19 different domains, such as access control, incident management, and risk management, each with its own set of requirements that must be implemented and validated.

AWS participates in HITRUST’s external inheritance program. This follows the AWS Shared Responsibility Model and enables AWS customers to inherit controls from AWS’s certification into their own HITRUST assessment, helping to accelerate the path to certification and reduce costs.

Let’s look at how AWS can help you prepare for a HITRUST assessment:

AWS Customer HITRUST Shared Responsibility Matrix

  • The HITRUST Shared Responsibility Matrix (SRM) defines security and privacy responsibilities between AWS and its customers to help determine the HITRUST requirement statements you may be able to fully or partially inherit.
  • HITRUST also maintains general instructions about inheritance within its MyCSF User Guide.

AWS Artifact

  • With AWS Artifact, you can view and download AWS’s security and compliance reports, including the AWS HITRUST CSF certification letter, SOC reports, PCI reports, FedRAMP customer package, and many others.
  • Customer Compliance Guides (CCGs) help determine audit scope and customer responsibilities for AWS services based on the configuration options applicable to a service, related compliance topics, and control requirements.

AWS Services in Scope by Compliance Program

  • With AWS Services in Scope, you can leverage AWS HITRUST CSF certified services to support the HITRUST CSF validation process. For example, customers may use AWS Key Management Service (AWS KMS) to manage keys in their HITRUST CSF environment.

Landing Zone Accelerator for Healthcare

AWS Customer Compliance Guides

  • Customer Compliance Guides (CCGs) are an informative resource for customers leveraging the Shared Responsibility Model in navigating their security and compliance needs. The CCGs are derived from AWS Service User Guides and provide a consolidated view of AWS security practices based on configurable options for a service and related compliance topics and control requirements.

Helpful AWS Services

AWS offers many services to help you implement technical controls as required by HITRUST:

Configuration Management

  • AWS Config is a key enabler for achieving technology control automation, including a selection of predefined, customizable AWS Config managed rules. You can use AWS Config managed rules to detect changes in your AWS environment and identify areas of potential non-compliance. AWS Config Conformance Packs extend that capability by allowing AWS Config managed rules and remediation actions to be grouped into a single pack that can be deployed across multiple AWS accounts.
  • AWS Systems Manager helps maintain security and compliance by scanning your instances against patch, configuration, and custom policies.

Monitoring and Performance

  • AWS CloudTrail allows you to track and automatically respond to account activity threatening the security of your AWS resources. With Amazon CloudWatch Events integration, you can define workflows that execute when events that can result in security vulnerabilities are detected.

Governance and Compliance

  • AWS Security Hub can run automated, continuous security checks based on industry standards and best practices such as CIS benchmarks.

End-to-End HITRUST Compliance Management

A-SCEND helps you gain instant visibility into your HITRUST compliance, from readiness to report. It integrates with more than a dozen AWS services to automate the collection of evidence and continuously monitor your cloud security; A-LIGN customers have reported saving as many as 60 hours through this process.

Figure 1 – A-SCEND’s API connections with AWS services.

Evidence Collection

A custom information request list (IRL) is created and uploaded into the A-SCEND portal. A-LIGN automates the evidence collection by pulling evidence into A-SCEND and mapping it to the request list. The pulled data is compiled into PDF or Excel reports and attached to the A-LIGN request list items.

Figure 2 – Customized AEC requests in the A-SCEND platform.

To show an example of how A-SCEND can help gather evidence and manage continuous monitoring for specific HITRUST requirements, let’s walk through the process of gathering evidence for a password management control.

Step 1: A-SCEND Creates an Information Request List

HITRUST requirements are generally ambiguous, and it can be difficult to decipher what type of evidence is needed for a specific control. A-LIGN creates a custom request list specific to that requirement that’s easy to interpret.

This custom request list for the password management control will be uploaded to the customer’s A-SCEND portal. Customers will be prompted to submit the identified evidence for that request. Once the request list is created, the dashboard will show that 100% of the evidence is open.

Once evidence is uploaded for the password management control, users click submit and the dashboard changes to signal that the assessors have started their review. If additional evidence is required, the dashboard signals that action is required.

Step 2: A-SCEND Gathers Evidence via API Connection

A-LIGN establishes the API connection once it sets up your A-SCEND account.

Once the API connection is established, password management is identified as evidence that is gathered from your AWS account. The API connection in A-SCEND pulls evidence in automatically so you don’t have to manually take a screenshot and upload the evidence to the A-SCEND portal.

Figure 3 – Population requests in the A-SCEND portal.

Step 3: A-SCEND Continuously Monitors Controls

If there’s a configuration you are responsible for that was not configured properly, A-SCEND flags that request for continuous monitoring and notifies you of any misconfigurations immediately.

You also have year-round access to custom requests in A-SCEND and will be notified immediately if there is any issue, even when you’re not actively pursuing your HITRUST certification.

Figure 4 – Checking AWS configuration benchmarks through continuous monitoring.

Step 4: A-SCEND Uploads All Evidence to MyCSF Portal

One of the most important features of A-SCEND is the ability to upload all evidence to the MyCSF portal.

If you’re relying on AWS to perform the password management control, you are not responsible for that specific control. The inheritance request is made via MyCSF; AWS accepts the inheritance and the score for that control is applied to the customer’s overall score.

Figure 5 – Inheritance requests uploaded to MyCSF.

Any customer responsibility for that control requires evidence which A-SCEND can automatically pull from your AWS instance. That evidence is then fed to MyCSF through the offline module upload.

Figure 6 – Inheritance scores accepted into MyCSF.

Continuous Monitoring

A-SCEND is CIS Benchmark Assessment Certified to enable the continuous monitoring of cloud security compliance. It automatically checks more than 50 AWS configuration benchmarks, such as encryption and password policies, alerting you to remediate risks that could otherwise cause exceptions during your HITRUST assessment. This helps improve your score during the assessment and reduces the number of corrective actions and gaps.
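As an added illustration of the kind of password-policy benchmark check described in Step 2 and in this section (example code written for this post, not A-SCEND’s or AWS’s own), the Python below evaluates an IAM account password policy, in the shape boto3’s get_account_password_policy() returns it, against assumed CIS-style thresholds and reports each non-compliant setting. The sample policy is constructed so the check runs offline.

```python
"""Added example: flag IAM password-policy settings that miss CIS-style thresholds."""
from dataclasses import dataclass

# Assumed thresholds modelled on CIS AWS Foundations Benchmark password-policy
# recommendations; align them with the benchmark version your assessment targets.
CIS_MINIMUMS = {"MinimumPasswordLength": 14, "PasswordReusePrevention": 24}
CIS_REQUIRED_FLAGS = (
    "RequireUppercaseCharacters",
    "RequireLowercaseCharacters",
    "RequireNumbers",
    "RequireSymbols",
)

@dataclass(frozen=True)
class Finding:
    setting: str
    expected: str
    actual: object

def evaluate_password_policy(policy: dict) -> list:
    """Return one Finding per setting that fails the benchmark.

    `policy` has the shape of boto3's iam.get_account_password_policy()
    ["PasswordPolicy"]. A missing key counts as a failure: IAM omits
    settings such as PasswordReusePrevention when they are unset.
    """
    findings = []
    for key, minimum in CIS_MINIMUMS.items():
        actual = policy.get(key, 0)
        if actual < minimum:
            findings.append(Finding(key, f">={minimum}", actual))
    for flag in CIS_REQUIRED_FLAGS:
        if not policy.get(flag, False):
            findings.append(Finding(flag, "True", policy.get(flag, False)))
    return findings

# Constructed sample mirroring the API response for a weak policy;
# PasswordReusePrevention is deliberately absent (unset in IAM).
SAMPLE_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
}

if __name__ == "__main__":
    for f in evaluate_password_policy(SAMPLE_POLICY):
        print(f"NON_COMPLIANT {f.setting}: expected {f.expected}, got {f.actual}")
```

Each Finding maps directly to an evidence item for the request list: an empty result is the "compliant" evidence, and a non-empty one is what a continuous-monitoring alert would carry.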

HITRUST Policies and Procedures

Prioritizing strong HITRUST policies and procedures is crucial to passing the audit and earning a HITRUST certification. A-SCEND documents the best practices for all 19 domains of a HITRUST assessment and provides policy templates within its Policy Center for you to build your required HITRUST documentation.

Figure 7 – Policy Center outlining configuration standards in A-SCEND.

Best Practices for Streamlining HITRUST Compliance

Streamlining HITRUST compliance requires a comprehensive approach that leverages the capabilities of both AWS and A-SCEND. Here is some practical guidance and best practices for organizations seeking to streamline their HITRUST compliance efforts:

  • Understand HITRUST inheritance: The HITRUST Inheritance Program enables organizations to leverage the certifications and attestations of their third-party service providers to help demonstrate compliance. Organizations should carefully review their AWS environment to determine which AWS services are in scope for HITRUST compliance and which compliance requirements can be inherited from AWS. A-SCEND streamlines this process with automation.

    A-LIGN consultants help organizations map their respective inherited controls using the HITRUST Shared Responsibility Matrix early in the planning process. These controls are then submitted for inheritance to AWS during the planning phase, minimizing any delays prior to submission to HITRUST.
  • Automate evidence collection: Automated evidence collection can significantly reduce the time and effort required to demonstrate compliance. A-SCEND helps ensure evidence is efficiently, consistently, and accurately collected.
  • Leverage CIS benchmarks: Organizations should ensure their AWS environment is configured in accordance with the latest CIS benchmarks to help improve the security and compliance posture. A-SCEND automates this process to alert organizations to misconfigurations that can place their compliance at risk, enabling them to fix issues before it’s too late. A-LIGN’s product vendor partnership and certification from CIS ensures A-SCEND’s automated evidence collection and monitoring features are assessing with accuracy against the latest threat landscape and best practices.

By following these best practices and leveraging the capabilities of AWS and A-SCEND, organizations can streamline their HITRUST compliance efforts and reduce the time and effort required to achieve and maintain HITRUST certification.

Conclusion

With the recent release of the Qualified Health Information Network (QHIN), healthcare organizations across the country will need to renew or earn their HITRUST CSF Validated r2 Assessment. This provides the highest assurance level certified by HITRUST, but the completion is costly and requires a great deal of time and resources.

Utilizing AWS and A-SCEND helps to qualify organizations to become QHINs and achieve the goal of universal network interoperability.

Learn more about HITRUST on AWS, and explore A-LIGN’s AWS Marketplace listings. You can also learn more about A-LIGN’s HITRUST certification services, as well as A-SCEND which is A-LIGN’s all-in-one automated compliance management solution.

A-LIGN – AWS Partner Spotlight

A-LIGN is an AWS Select Tier Services Partner and member of the Global Security & Compliance Acceleration (GSCA) program. A-LIGN provides auditing and cybersecurity assessment consulting services across multiple security frameworks for private and public sector entities and is a leading HITRUST CSF external assessor.