HITRUST Cybersecurity Framework
In short, the HITRUST CSF® prescribes the controls and provides a framework to support data protection and security compliance. It’s a certifiable framework that provides organizations with a comprehensive, flexible, and efficient approach to regulatory compliance and risk management.
The HITRUST assessment framework was developed with the intention of bringing harmony to the concept of open system data sharing and information security. It helps organizations in the health care industry, and other sectors handling sensitive information, by providing a comprehensive and flexible mapping key to ensure data security.
What Is HITRUST?
HITRUST® was “born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges.”
HITRUST, in collaboration with healthcare, business, financial, technology and information security leaders, established HITRUST CSF, a risk management and compliance framework that can be used by organizations that create, access, store, or exchange personal health and financial information.
HITRUST – Controls and Framework for Risk Management
HITRUST collaborated with various leaders in business, information security, financial services, technology, and healthcare to create and develop the HITRUST assessment framework.
This certifiable framework was designed to simplify the process of data security and information privacy assessment and attestation for covered entities and their associates with a standard methodology, requirements, and tools. At the same time, the framework is meant to flex and mature with the organization, accompanying it even as data collection, storage, and sharing policies and practices change over time.
Advantages of Implementing the HITRUST Framework
Let’s take a closer look at the advantages of relying on the HITRUST framework for risk management assessment and security attestation.
Streamlines the Compliance Process
The HITRUST framework combines relevant information from existing security standards and compliance regulations defined by the federal and state governments, as well as third-party, and international bodies. These include:
- HIPAA: HIPAA was enacted in 1996 “to publicize standards for the electronic exchange, privacy and security of health information.” Those covered by HIPAA include health plans, healthcare providers, healthcare clearinghouses, and business associates wherein certain members have access to healthcare records.
- HITECH: Enacted as part of the American Recovery and Reinvestment Act of 2009, the HITECH Act promotes the adoption and meaningful use of health information technology for the electronic transmission of healthcare information.
- PCI: A third-party standard, PCI has become intertwined with numerous industries. Working within HITRUST’s framework helps PCI issuers understand how vital their compliance is to ensuring patient and/or customer security and privacy.
- COBIT: Created in 1996 by ISACA, COBIT provides a good-practice system framework to promote the best practices in IT management and governance.
By unifying these regulations into a single, comprehensive set of prescriptive controls, HITRUST has built a powerful and clear framework. HITRUST offers solid guidance, not just for analysis and assessment, but also for tracking and reporting compliance, as well as planning remediation strategies.
Addresses Cybersecurity Across Industries
Organizations across different industries – including the medical, life sciences, financial, technology sectors, and more – must ensure protection from similar types of cybersecurity threats. Using a single, overarching framework is a huge advantage for companies that have interests, third-party vendors, and business interactions between different industries.
What industries does HITRUST certification benefit? Learn more about how HITRUST Is Moving Beyond Health Care.
Increases Efficiency with Assessment & Attestation
HITRUST increases efficiency when it comes to regulatory compliance and risk management. It helps eliminate inefficiencies and overlaps created by trying to show compliance with multiple regulatory standards. CIOs and other information technology leaders can understand and follow the set of prescriptive controls and regulations laid out by the HITRUST framework for full compliance. In the end, organizations are able to save time and energy.
Allows Secure Sharing of Sensitive Data
In contrast to HIPAA – which is often thought of as “prohibitive” and regulation-heavy, without allowances and means to share data – HITRUST framework controls enable entities to share data within a safe framework. HITRUST’s comprehensive approach makes it easier for information technology managers to maintain high-quality standards while allowing the free flow of PHI and other sensitive information.
Enables Flexibility to Fit Organizational and System Structure
The HITRUST framework is intended to be used by companies that store, process, access, or transmit sensitive data – independent of their size, organizational structure, or IT infrastructure. Organizations are able to define the scope of HITRUST assessments in terms of the organization and its systems, including facilities, devices, applications, and infrastructure components.
Because the HITRUST framework is both risk- and compliance-based, organizations can tailor the security control baselines based on a variety of factors including organization type, size, systems, and regulatory requirements. They can select the specific controls that are reasonable and appropriate for their organization or propose alternative controls to mitigate risk in accordance with HITRUST certification requirements. Additionally, security controls can be scaled, adapting to any size and level of complexity in an organization.
Grows with the Organization and Security Regulations
HITRUST’s maturity model encourages continual improvement. As the individual organization works to improve data security over time, the HITRUST framework adapts to reflect its maturity level. And because the field of cybersecurity is constantly evolving, newer versions of the HITRUST CSF are periodically released to stay up to date with any changes in the standards from the various regulatory bodies.
HITRUST CSF – the Latest Version
The most recent version went into effect on January 1, 2020. HITRUST CSF v9.3 added new and updated requirements adopted from:
- California Consumer Privacy Act,
- Insurance Data Security Act of South Carolina,
- NIST SP 800-171 R2 (DFARS),
- NIST Framework for Improving Critical Infrastructure Cybersecurity,
- CMS ARS 3.1,
- IRS Publication 1075: Safeguards for Protecting Federal Tax Returns and Return Information,
- CIS CSC v7.1, and
- ISO 27799:2016 Health informatics.
Find out more about How HITRUST CSF v9.3 Impacts Risk Management for Organizations.
The HITRUST Assessment Framework
Rather than designing broad-spectrum focal points, the architects of the HITRUST CSF created a series of highly specialized controls and domains. By separating each of these specific areas, it is easier to pinpoint problems so you can quickly and accurately reassess and make corrections to your information security system.
HITRUST Assessment Domains
The HITRUST CSF uses 19 domains to make it easier for you and your team to isolate data protection concerns. In total, these domains include 135 security controls.
| # | HITRUST Domain Control | Description of the Controls Included |
|---|---|---|
| 1 | Information Protection Program | Processes should be in place to ensure confidentiality, integrity, and availability of sensitive data. This includes the information security management system (ISMS). |
| 2 | Endpoint Protection | This refers to anti-virus/anti-malware configurations, firewalls, intrusion detection systems, software updates, patches, and more. It includes requirements common to laptops, workstations, storage (e.g., NAS) and servers. |
| 3 | Portable Media Security | This control domain includes mobile storage (e.g., USB drives, CD-ROMs, DVD-ROMs, backup tapes). |
| 4 | Mobile Device Security | This covers requirements specific to laptops, smart phones and tablets. |
| 5 | Wireless Security | This refers to all aspects of corporate and guest wireless networks but does not include protections for devices connected to other networks. |
| 6 | Configuration Management | This includes all aspects of configuration management (e.g., configuration item identification, configuration status accounting, change control and configuration audit), as well as environments used for development and testing. |
| 7 | Vulnerability Management | This includes vulnerability scanning and patching, antivirus/anti-malware and network/host-based intrusion detection systems, and updates. |
| 8 | Network Protection | This includes all aspects of perimeter and internal network security, such as network-based application-level firewalls and intrusion detection systems, DDoS protection and IP reputation filtering. |
| 9 | Transmission Protection | This includes web and network connections, such as those for VPN, email, and chat. |
| 10 | Password Management | This covers specific issues around the use of traditional passwords. |
| 11 | Access Control | This control includes all aspects of access control other than the use of traditional passwords. |
| 12 | Audit Logging and Monitoring | This refers to controls for audit logging and monitoring. |
| 13 | Education, Training, and Awareness | This domain covers awareness campaigns, as well as the initial and continual education and training provided for security personnel and standard users. |
| 14 | Third-Party Assurance | This refers to all aspects of managing risk linked to third parties, such as vendors and business associates. |
| 15 | Incident Management | These controls relate to incident monitoring and detection activities, incident response, and breach reporting. |
| 16 | Business Continuity and Disaster Recovery | This covers all aspects of contingency, business continuity, and disaster recovery, such as planning, implementation, and testing. |
| 17 | Risk Management | This includes risk assessment, risk analysis, and other operations connected to risk management. |
| 18 | Physical and Environmental Security | This domain includes physical and environmental security requirements for data centers and other facilities charged with storing, disposing of, and/or destroying sensitive information. |
| 19 | Data Protection and Privacy | The final domain addresses the organization’s compliance and privacy program and related controls. |
HITRUST Controls and Levels of Implementation
The HITRUST framework has defined 135 controls for information security, which are divided into three separate levels of implementation. These levels are based on organizational and regulatory risk factors. Each of the three levels of implementation builds comprehensively on the level before it. Level 1 is considered the baseline, while Level 3 has the greatest number of requirements and assures the greatest level of protection. Most organizations use a variety of levels of implementation, according to their specific data protection needs.
Ready to get started? Get more information about Preparing for HITRUST Assessments.
Enlist Expert Help for HITRUST Compliance
I.S. Partners, LLC is an Approved HITRUST Assessor assisting clients with HITRUST readiness, creating and implementing effective remediation strategies, and validating assessments for certification. Contact the I.S. Partners team at 215-631-3452 for an initial consultation.
Learn more about the HITRUST Certification Process.