Managing Cyber Security Risk & Compliance With HITRUST
The proliferation of technology has left governments and regulators scrambling to develop data privacy and information security regulations. Because they were developed so quickly, many of these regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), contained nondescript requirements open to interpretation, leaving potential gaps in information security programs across the country.
To minimize the confusion around HIPAA compliance, the Health Information Trust Alliance (HITRUST) initially established its cybersecurity framework to give healthcare organizations clarity on what HIPAA compliance requires. HITRUST CSF has since been adapted to include nationally and internationally accepted security and privacy regulations, standards, and frameworks such as ISO, NIST, PCI and COBIT.
HITRUST Cyber Security Framework
HITRUST CSF plays a pivotal role in the healthcare industry and has since been adopted by other industries that need to manage and safeguard sensitive data. Because the need for information security is global, organizations striving to comply with numerous regulations focus on implementing a HITRUST CSF compliant program. By following the best practices prescribed by HITRUST CSF, organizations can improve overall efficiency and raise their level of data protection. HITRUST CSF is both a risk-based and a compliance-based framework. It contains a comprehensive set of controls that help with tracking compliance, planning remediation strategies, mitigating security threats, managing third-party risk effectively, and reducing the overlapping effort required to satisfy all compliance requirements.
Who Should Adopt HITRUST CSF?
HITRUST simplifies the data security assessment and attestation process for covered entities, which include healthcare providers such as doctors, dentists and nurses, establishments such as urgent care clinics, nursing homes, hospitals and pharmacies, and their business associates.
An increasing number of healthcare organizations require their vendors to be HITRUST CSF compliant, and only open their doors to trustworthy vendors. Therefore, businesses that intend to work with major healthcare organizations will likely need to be HITRUST certified. Because information security is not an industry-specific issue, many organizations outside of healthcare that require some form of assurance are also working towards HITRUST CSF compliance, since it is an amalgamation of best practices drawn from standards like ISO, NIST and PCI DSS.
HITRUST vs HIPAA
Before diving into HITRUST CSF and HIPAA, you may be wondering:
How is HIPAA linked to HITRUST?
Are they compatible with each other?
If an organization is HIPAA compliant then does it need HITRUST certification as well?
Which one is superior to the other?
As discussed earlier, HITRUST is a wider-reaching framework built upon best practices from other regulations and standards, including HIPAA. HIPAA acts as a baseline for protecting sensitive health information and ensuring its accessibility, and its reach is limited to medical professionals, vendors and other people with a need to know. The scope of HIPAA is limited to protecting patient information; it does not impart any guidelines for overall information security.
HITRUST CSF, on the other hand, is a cybersecurity framework that draws from other standards and builds upon existing regulations. It unifies the requirements outlined in HIPAA with those of other widely recognized acts and standards to create a single comprehensive framework that any organization can work towards. HITRUST CSF draws on extracts from the following:
Control Objectives for Information and Related Technology (COBIT)
International Organization for Standardization (ISO)
Federal Trade Commission (FTC)
Centers for Medicare and Medicaid Services
National Institute of Standards and Technology (NIST)
Payment Card Industry Data Security Standard (PCI DSS)
Other federal and state entities
For healthcare in particular, HITRUST CSF compliance ensures you are HIPAA compliant while providing greater security for confidential or sensitive patient information. In addition, it helps optimize security operations, reduces organizational risk, and addresses HIPAA's key limitations in securing the flow of sensitive information.
HITRUST CSF Expansions
Because technology changes constantly, HITRUST CSF is updated on an annual basis. As of December 2020, HITRUST is on version 9.4.2. This latest version has been further expanded to maintain its relevance and incorporate requirements from the evolving regulatory and risk management landscape. HITRUST version 9.4.2 further harmonized requirements from authoritative sources including the CMMC framework. In addition, the expansion of new compliance requirements mandates that security controls can be scaled and adapted to an organization of any size and level of complexity, both nationally and internationally. Such modifications make HITRUST CSF a highly configurable and powerful integrated framework that can be applied by any company looking to securely manage its data.
HITRUST Structure
Rather than presenting its full range of security controls as a single undifferentiated list, HITRUST defines distinct domains and control objectives. The latest version, HITRUST v9.4.2, contains 14 control categories, comprising 49 control objectives and 156 control specifications. For each control there are three levels of implementation: Level 1 is the baseline, whereas Level 3 ensures a high level of protection and includes more requirements. Implementation Requirements detail the controls needed to achieve compliance at each level. Furthermore, some requirements are industry-specific and apply only to organizations belonging to the respective industry segment.
HITRUST Certification Process
Ultimately, becoming HITRUST Certified signals your organization's commitment to information security. It has become a benchmark for handling sensitive data with the utmost care, and it also helps organizations, business associates, and vendors manage risk across their third-party supply chain. Before certification takes place, organizations need to prepare, and can perform the following:
Self-Assessment and Readiness: The organization conducts a risk analysis, which helps determine the required implementation level.
Remediation: Based on the risk analysis, the organization performs remediation and addresses all identified risks.
Validation Assessment: A CSF assessor analyzes the self-assessment reports and the remediation actions performed by the organization.
Quality Assurance Review: The CSF assessor reviews the performance of the controls and determines the level of satisfaction.
Certification: If all control performance is deemed satisfactory, a letter of certification is issued.
Information security regulations and data privacy acts are perpetually playing catch-up, and HIPAA is no different. Because of its expedited development, HIPAA's compliance requirements were ambiguous and only generated more confusion. HITRUST CSF was created to alleviate the uncertainty around HIPAA, acting as a foundational framework to help you build a robust risk and compliance management system.
Using GRC software like StandardFusion, it has never been easier to build and scale your organization's information security management system (ISMS). Track compliance to multiple frameworks at a time including HITRUST CSF, GDPR, CCPA and FedRAMP, and manage the entire risk and compliance lifecycle with a single tool. Map your controls directly to your requirements and visualize the connections between all the moving parts of your management system. Connect with our team to get started on your own HITRUST CSF compliant system today!