
Get acquainted with HITRUST

  • Writer: Keith Sanks
  • May 16, 2023
  • 4 min read


HITRUST is a non-profit organization that provides data protection standards and certification programs to help organizations safeguard sensitive information, manage information risk, and achieve compliance goals.

HITRUST stands out from other compliance frameworks by harmonizing multiple authoritative sources such as HIPAA, SOC 2, NIST, and ISO 27001. It is the only organization with a framework, assessment platform, and independent assurance program, leading to widespread adoption.


A Brief History:

Established in 2007, HITRUST aimed to make information security a core pillar of the healthcare industry. Over time, it expanded beyond healthcare and became a widely adopted security and privacy framework globally. HITRUST assists organizations of all sizes and industries in maintaining high-level information security.


Benefits of HITRUST Compliance:

  • Streamline information risk management programs.

  • Effectively protect sensitive information.

  • Reduce risk and prevent theft of data.

  • Stay updated on cyber attacks and security risks.

  • Simplify compliance efforts with a unified security framework.

  • Demonstrate commitment to security and gain trust.

  • Lower insurance premiums by meeting cybersecurity standards.

  • Eliminate the need for multiple assessments and reports.

  • Facilitate faster collaborations with HITRUST CSF-certified vendors.

  • Prove compliance with HIPAA-mandated requirements.


The HITRUST Framework:



  • The HITRUST Framework integrates various regulations, standards, industry frameworks, state-specific laws, and business requirements into a central control repository. Instead of complying with multiple frameworks individually, organizations can perform a single assessment to meet their regulatory obligations.

  • The framework's flexibility allows for customization based on an organization's risk factors, regulatory requirements, resources, and assessment type.

HITRUST Controls:

The HITRUST CSF includes 14 control categories, 49 control objectives, and 156 security and privacy-related control specifications. Control objectives define desired results, while specifications outline specific tasks and requirements to achieve those objectives.


Importance of HITRUST Compliance:

As digital information and healthcare technology grow, organizations face increased exposure to cyberattacks and breaches. HITRUST compliance helps maintain data security, manage risk, and reduce the likelihood of data breaches. It also supports ongoing improvement and helps organizations keep pace with evolving threats and regulations.


HITRUST Certification:

HITRUST developed the HITRUST Common Security Framework (CSF) to manage security risks associated with healthcare information and sensitive data. The framework integrates 44 security and privacy-related standards, regulations, and frameworks to provide a risk-based approach with prescriptive and scalable controls. Although originally intended for the healthcare industry, HITRUST CSF is now industry-agnostic and applicable to organizations across various sectors.

HITRUST CSF certification is a crucial step for organizations looking to demonstrate that their systems meet the rigorous standards and regulations of the framework. Certified assessors provide detailed reports to help organizations improve their maturity levels. HITRUST Certification confirms that an organization has partnered with an authorized HITRUST External Assessor to pass a comprehensive security evaluation, meeting all industry regulations while maintaining high standards of data loss prevention and information risk management. This sets the organization apart from others within the industry and verifies that security and consumer transparency are top priorities.

The certification process is detailed, time-consuming, and intense, but it ultimately sets the organization up for success. Achieving HITRUST Certification shows that the company has taken the time to meet all regulatory requirements of the HITRUST framework, making it the gold standard for compliance in healthcare and a wide range of industries with regulatory compliance standards. Furthermore, HITRUST offers different assessment offerings that allow organizations to implement best practices and enhance security even without full certification.


The Certification Process



To ensure success in achieving HITRUST Certification, proper preparation is crucial. Most organizations typically engage an Authorized HITRUST External Assessor or a certification partner to guide them in determining the assessment type and the necessary controls to be addressed. One of the primary steps in the assessment process is defining the scope, which identifies the affected business units and subsidiaries and outlines what is covered by the controls. Failure to establish the scope correctly may result in too many or too few requirements needed for certification. Proper scoping helps organizations save time and money during the assessment process, which comprises four main phases: readiness, remediation, validated assessment, and HITRUST Quality Assurance review. The ultimate goal of the assessment process is certification, which confirms an organization's compliance with the HITRUST framework's regulations and industry standards, setting them apart from others in their industry.

1. Readiness

The initial phase of the HITRUST assessment process is readiness, which involves a readiness assessment that is often conducted using the HITRUST MyCSF tool. Once the scope is defined, the certification partner reviews all documentation related to policies and procedures to ensure they meet the current HITRUST requirements and controls. During this phase, the assessor tests all controls to validate their effectiveness and identifies any gaps for remediation. The duration of this process can vary, depending on the size and complexity of the organization's infrastructure, but typically takes up to eight weeks.

2. Remediation Phase

3. Validated Assessment

4. HITRUST’s Quality Assurance Review & Report Generation


List of HITRUST CSF Control Categories:


1. Information Security Management Program

Focuses on ensuring that an organization has a comprehensive and effective program in place to manage its information security risks. This includes developing policies, procedures, and standards that address the organization's unique security risks and ensuring that the security program is aligned with the organization's business objectives. The controls within this category cover areas such as risk assessment, security awareness training, incident management, third-party risk management, and continuous monitoring, among others. By implementing these controls, organizations can improve their overall security posture and reduce the risk of data breaches and other security incidents.

2. Access Control

3. Human Resources Security

4. Risk Management

5. Security Policy

6. Organization of Information Security

7. Compliance

8. Asset Management

9. Physical and Environmental Security

10. Communications and Operations Management

11. Information Systems Acquisition, Development and Maintenance

12. Information Security Incident Management

13. Business Continuity Management

14. Privacy Practices

HITRUST Domains

The HITRUST CSF consists of 19 control domains, each representing a high-level subject area that corresponds to common IT process areas.



1. Information Protection Program

This domain focuses on establishing, implementing, and maintaining policies, procedures, and processes to protect sensitive information throughout its lifecycle, including its creation, storage, use, transmission, and disposal. It includes controls related to data classification, access control, encryption, data retention, and destruction, among others. The objective of this domain is to ensure that information is protected from unauthorized access, disclosure, modification, destruction, or loss, and that appropriate measures are in place to detect and respond to security incidents or breaches.

2. Endpoint Protection

3. Portable Media Security

4. Mobile Device Security

5. Wireless Protection

6. Configuration Management

7. Vulnerability Management

8. Network Protection

9. Transmission Protection

10. Password Management

11. Access Control

12. Audit Logging & Monitoring

13. Education, Training & Awareness

14. Third-Party Security

15. Incident Management

16. Business Continuity & Disaster Recovery

17. Risk Management

18. Physical & Environmental Security

19. Data Protection & Privacy


Comparing HITRUST and other forms of compliance:


HITRUST vs. HIPAA:

  • While both HITRUST and HIPAA are related to healthcare, they serve different purposes. HIPAA focuses on protecting PHI, while HITRUST mitigates overall information risks.


HITRUST vs. SOC 2:

  • HITRUST and SOC 2 are two well-known frameworks for evaluating security and risk. While both address cybersecurity issues in cloud-based systems, they differ in their scoping factors. Additionally, HITRUST was specifically designed to address security concerns related to protecting electronic protected health information (ePHI), while SOC 2 was created to assist software vendors and companies in demonstrating their security controls to customers and partners.

HITRUST vs. NIST:

  • NIST is a government agency that provides guidance on cybersecurity risk management through the development of policies, standards, and guidelines. Its Cybersecurity Framework is organized around five core functions: Identify, Protect, Detect, Respond, and Recover. Although NIST guidance is mandatory for federal agencies and contractors, it is optional for other organizations.

Hi, I'm Keith Sanks

I am a seasoned Cyber Security Professional with more than 16 years of industry experience. During my tenure in the Navy, I honed my skills in safeguarding National Security interests and assets against the constant threat of cyberattacks from hackers and foreign national advanced persistent threats.
