In short, the HITRUST CSF® prescribes the controls and provides a framework to support data protection and security compliance. It’s a certifiable framework that provides organizations with a comprehensive, flexible, and efficient approach to regulatory compliance and risk management.
The HITRUST CSF was developed with the intention of bringing harmony to the concept of open system data sharing and information security. It helps organizations in the health care industry, and other sectors handling sensitive information, by providing a comprehensive and flexible mapping key to ensure data security.
What Is HITRUST?
HITRUST® was “born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges.”
HITRUST, in collaboration with healthcare, business, financial, technology and information security leaders, has established HITRUST CSF, a risk management and compliance framework that can be used by – any and all – organizations that create, access, store, or exchange personal health and financial information.
HITRUST CSF – Controls and Framework for Risk Management
HITRUST collaborated with various leaders in business, information security, financial services, technology, and healthcare to create and develop HITRUST CSF.
This certifiable framework was designed to simplify the process of data security and information privacy assessment and attestation for covered entities and their associates with a standard methodology, requirements, and tools. At the same time, the framework is meant to flex and mature with the organization, accompanying it even as data collection, storage, and sharing policies and practices change over time.
Advantages of HITRUST CSF
Let’s take a closer look at the advantages of relying on HITRUST CSF for risk management assessment and security attestation.
Streamlines the Compliance Process
The HITRUST CSF framework combines relevant information from existing security standards and compliance regulations defined by the federal and state governments, as well as third-party, and international bodies. These include:
- HIPAA: HIPAA was enacted in 1996 “to publicize standards for the electronic exchange, privacy and security of health information.” Those covered by HIPAA include health plans, healthcare providers, healthcare clearinghouses, and business associates wherein certain members have access to healthcare records.
- HITECH: Enacted as part of the American Recovery and Reinvestment Act of 2009, the HITECH was enacted to promote adoption and meaningful regular use of health information technology capabilities for electronic healthcare information transmission.
- PCI: A third-party interest, the PCI has become intertwined with numerous industries. Working within HITRUST CSF’s framework helps PCI issuers understand how vital their compliance is to ensuring patient and/or customer security and privacy.
- COBIT: Created in 1996 by ISACA, COBIT provides a good-practice system framework to promote the best practices in IT management and governance.
By unifying these regulations into a single, comprehensive set of prescriptive controls, HITRUST has built a powerful and clear framework. HITRUST CSF offers solid guidance, not just for analysis and assessment, but also for tracking and reporting compliance, as well as planning remediation strategies.
Addresses Cybersecurity Across Industries
Organizations across different industries – including the medical, life sciences, financial, technology sectors, and more – must ensure protection from similar types of cybersecurity threats. Using a single, overarching framework is a huge advantage for companies that have interests, third-party vendors, and business interactions between different industries.
What industries does HITRUST CSF benefit? Learn more about how HITRUST Is Moving Beyond Health Care.
Increases Efficiency with Assessment & Attestation
HITRUST CSF increases efficiency when it comes to regulatory compliance and risk management. It helps eliminate inefficiencies and overlaps created by trying to show compliance with multiple regulatory standards. CIOs and other information technology leaders can understand and follow the set of prescriptive controls and regulations laid out by the HITRUST CSF for full compliance. In the end, organizations are able to save time and energy.
Allows Secure Sharing of Sensitive Data
In contrast to HIPAA – which is often thought of as “prohibitive” and regulation-heavy without allowances and means to share data – HITRUST CSF controls enable entities to share data within a safe framework. The HITRUST CSF’s comprehensive approach makes it easier for information technology managers to maintain high-quality standards while allowing the free flow of PHI and other sensitive information.
Enables Flexibility to Fit Organizational and System Structure
The HITRUST CSF is intended to be used by companies which store, process, access, or transmit sensitive data – independent of their size, organizational structure, or IT infrastructure. Organizations are able to define the scope of HITRUST assessments, in terms of the organization and systems, including facilities, devices, applications, and infrastructure components.
Because the HITRUST CSF is both risk- and compliance-based, organizations can tailor the security control baselines based on a variety of factors including organization type, size, systems, and regulatory requirements. They can select the specific controls that are reasonable and appropriate for their organization or propose alternative controls to mitigate risk in accordance with HITRUST CSF requirements. Additionally, security controls can be scaled, adapting to any size and level of complexity in an organization.
Grows with the Organization and Security Regulations
HITRUST’s maturity model encourages continual improvement. As the individual organization works to improve data security over time, HITRUST CSF adapts to reflect its maturity level. And because the field of cybersecurity is constantly evolving, newer versions of the HITRUST CSF are periodically released to stay up to date with any changes in the standards from the various regulatory bodies.
Overview of HITRUST CSF Versions
Here’s a quick overview of how HITRUST has changed over time and shaped the current risk management and compliance environment.
HITRUST CSF v8 (2016)
The updates for HITRUST Version 8 included “a more granular support for cybersecurity, AICPA SOC2 reporting, contextual data de-identification, cloud services, and expanded requirement details.”
- It integrates the AICPA’s Trust Principles and Criteria for security, confidentiality and availability. The closer ties to this auditing principle – associated with SOC 2 reporting – makes applying regulations and compliance standards easier for busy IT teams.
- It allows for contextual data de-identification when necessary, according to HITRUST De-Identification Framework’s assessment protocol. A set of 12 characteristics help assess controls, risks and potential outcomes to guide IT professionals in data de-identification.
- It incorporates CIS CSC protections related to emerging digital security threats, recent cybersecurity guidance from the President’s Precision Medicine Initiative, and key controls from the NIST Cybersecurity Framework.
- It has updates to improve practices related to PCI and cloud security.
HITRUST CSF v9.1 (2018)
This version introduced substantial modifications with far-reaching implications for businesses working with clients nationally and internationally.
- It incorporates standards set by the European Union GDPR and the New York State Cybersecurity Requirements for Financial Services Companies (NY-CRFSC).
HITRUST CSF v9.2 (2019)
There are two key changes in this update, and they focus on the shift to an agnostic framework, along with the integration of international regulatory requirements.
- It removes healthcare-specific regulatory requirements from all three implementation levels and places them in a different industry control segment. This change ensures that non-healthcare entities are not required to address these particular requirements in their assessment.
- For greater clarity, it provides plain-language versions of the EU’s General Data Protection Regulation (GDPR) requirements, as well as Singapore’s Personal Data Protection Act (PDPA).
HITRUST CSF – the Latest Version
The most recent version went into effect on January 1, 2020. HITRUST CSF v9.3 added new and updated requirements adopted from:
- California Consumer Privacy Act,
- Insurance Data Security Act of South Carolina,
- NIST SP 800-171 R2 (DFARS),
- NIST Framework for Improving Critical Infrastructure Cybersecurity,
- CMS ARS 3.1,
- IRS Publication 1075: Safeguards for Protecting Federal Tax Returns and Return Information,
- CIS CSC v7.1, and
- ISO 27799:2016 Health informatics.
Find out more about How HITRUST CSF v9.3 Impacts Risk Management for Organizations.
The HITRUST CSF Structure
Rather than designing broad-spectrum focal points, the architects of the HITRUST CSF created a series of highly specialized controls and domains. By separating each of these specific areas, it is easier to pinpoint problems so you can quickly and accurately reassess and make corrections to your information security system.
The HITRUST CSF uses 19 domains to make it easier for you and your team to isolate data protection concerns. In total, these domains include 135 security controls.
|HITRUST CSF Domain Control||Description of the Controls Included|
|1||Information Protection Program||Processes should be in place to ensure confidentiality, integrity, and availability of sensitive data. This includes the information security management system (ISMS).|
|2||Endpoint Protection||This refers to anti-virus/anti-malware configurations, firewalls, intrusion detection systems, software updates, patches, and more. It includes requirements common to laptops, workstations, storage (e.g., NAS) and servers.|
|3||Portable Media Security||This control domain includes mobile storage (e.g., USB drives, CD-ROMs, DVD-ROMs, backup tapes).|
|4||Mobile Device Security||This covers requirements specific to laptops, smart phones and tablets.|
|5||Wireless Security||This refers to all aspects of corporate and guest wireless networks but does not include protections for devices connected to other networks.|
|6||Configuration Management||This includes all aspects of configuration management (e.g., configuration item identification, configuration status accounting, change control and configuration audit), as well as environments used for development and testing.|
|7||Vulnerability Management||This includes vulnerability scanning and patching, antivirus/anti-malware and network/host-based penetration detection systems, and updates.|
|8||Network Protection||This includes all aspects of perimeter and internal network security, such as network-based application-level firewalls and intrusion detection systems, DDOS protection and IP reputation filtering.|
|9||Transmission Protection||This includes web and network connections, such as those for VPN, email, and chat.|
|10||Password Management||This covers specific issues around the use of traditional passwords.|
|11||Access Control||This control includes all aspects of access control other than the use of traditional passwords.|
|12||Audit Logging and Monitoring||This refers to controls for audit logging and monitoring.|
|13||Education, Training, and Awareness||This domain control is for the awareness campaigns, as well as the initial and continues education and training provided for security personnel and standard users.|
|14||Third-Party Assurance||This refers to all aspects of managing risk linked to third parties, such as vendors and business associates.|
|15||Incident Management||These controls relate to incident monitoring and detection activities, incident response, and breach reporting.|
|16||Business Continuity and Disaster Recovery||This covers all aspects of contingency, business continuity, and disaster recovery, like planning, implementation, testing.|
|17||Risk Management||This includes risk assessment, risk analysis, and other operations connected to risk management.|
|18||Physical and Environmental Security||This domain includes physical and environmental security requirements for data centers and other facilities charged with storing, disposing of, and/or destroying sensitive information.|
|19||Data Protection and Privacy||The final domain addresses the organization’s compliance and privacy program and related controls.|
CSF Controls and Levels of Implementation
The HITRUST CSF has defined 135 controls for information security, which are divided into three separate levels of implementation. These levels are based on organizational and regulatory risk factors. Each of the three levels of implementation builds comprehensively on the level before it. Level 1 is considered the baseline, while Level 3 has the greatest number of requirements and assures the greatest level of protection. Most organizations use a variety of levels of implementation, according to their specific data protection needs.
Ready to get started? Get more information about Preparing for HITRUST Assessments.
Enlist Expert Help for HITRUST Compliance
I.S. Partners, LLC. is an Approved CSF Assessors assisting clients with HITRUST readiness, creating and implementing effective remediation strategies, and validating assessments for certification. Contact the I.S. Partners team at 215-631-3452 for an initial consultation.
Learn more about theHITRUST Certification Process