HITRUST Cybersecurity Framework

In short, the HITRUST CSF® prescribes the controls and provides a framework to support data protection and security compliance. It’s a certifiable framework that provides organizations with a comprehensive, flexible, and efficient approach to regulatory compliance and risk management.

The HITRUST assessment framework was developed with the intention of bringing harmony to the concept of open system data sharing and information security. It helps organizations in the health care industry, and other sectors handling sensitive information, by providing a comprehensive and flexible mapping key to ensure data security.


HITRUST® was “born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges.”

HITRUST, in collaboration with healthcare, business, financial, technology and information security leaders, established HITRUST CSF, a risk management and compliance framework that can be used by organizations that create, access, store, or exchange personal health and financial information.


HITRUST – Controls and Framework for Risk Management

HITRUST collaborated with various leaders in business, information security, financial services, technology, and healthcare to create and develop the HITRUST assessment framework.

This certifiable framework was designed to simplify the process of data security and information privacy assessment and attestation for covered entities and their associates with a standard methodology, requirements, and tools. At the same time, the framework is meant to flex and mature with the organization, accompanying it even as data collection, storage, and sharing policies and practices change over time.

Advantages of Implementing the HITRUST Framework

Let’s take a closer look at the advantages of relying on the HITRUST framework for risk management assessment and security attestation.

Streamlines the Compliance Process

The HITRUST framework combines relevant information from existing security standards and compliance regulations defined by the federal and state governments, as well as third-party, and international bodies. These include:

  • HIPAA: HIPAA was enacted in 1996 “to publicize standards for the electronic exchange, privacy and security of health information.” Those covered by HIPAA include health plans, healthcare providers, healthcare clearinghouses, and business associates wherein certain members have access to healthcare records.
  • HITECH: Enacted as part of the American Recovery and Reinvestment Act of 2009, HITECH promotes the adoption and meaningful use of health information technology for the electronic transmission of healthcare information.
  • PCI: A third-party standard, PCI has become intertwined with numerous industries. Working within HITRUST’s framework helps organizations subject to PCI understand how vital their compliance is to ensuring patient and/or customer security and privacy.
  • COBIT: Created in 1996 by ISACA, COBIT provides a good-practice system framework to promote the best practices in IT management and governance.

By unifying these regulations into a single, comprehensive set of prescriptive controls, HITRUST has built a powerful and clear framework. HITRUST offers solid guidance, not just for analysis and assessment, but also for tracking and reporting compliance, as well as planning remediation strategies.

Addresses Cybersecurity Across Industries

Organizations across different industries – including the medical, life sciences, financial, technology sectors, and more – must ensure protection from similar types of cybersecurity threats. Using a single, overarching framework is a huge advantage for companies that have interests, third-party vendors, and business interactions between different industries.


Increases Efficiency with Assessment & Attestation

HITRUST increases efficiency when it comes to regulatory compliance and risk management. It helps eliminate inefficiencies and overlaps created by trying to show compliance with multiple regulatory standards. CIOs and other information technology leaders can understand and follow the set of prescriptive controls and regulations laid out by the HITRUST framework for full compliance. In the end, organizations are able to save time and energy.

Allows Secure Sharing of Sensitive Data

In contrast to HIPAA – which is often thought of as “prohibitive” and regulation-heavy, without allowances or means to share data – HITRUST framework controls enable entities to share data within a safe framework. HITRUST’s comprehensive approach makes it easier for information technology managers to maintain high-quality standards while allowing the free flow of PHI and other sensitive information.

Enables Flexibility to Fit Organizational and System Structure

The HITRUST framework is intended to be used by companies that store, process, access, or transmit sensitive data – independent of their size, organizational structure, or IT infrastructure. Organizations are able to define the scope of HITRUST assessments in terms of the organization and its systems, including facilities, devices, applications, and infrastructure components.

Because the HITRUST framework is both risk- and compliance-based, organizations can tailor the security control baselines based on a variety of factors including organization type, size, systems, and regulatory requirements. They can select the specific controls that are reasonable and appropriate for their organization or propose alternative controls to mitigate risk in accordance with HITRUST certification requirements. Additionally, security controls can be scaled, adapting to any size and level of complexity in an organization.

Grows with the Organization and Security Regulations

HITRUST’s maturity model encourages continual improvement. As the individual organization works to improve data security over time, the HITRUST framework adapts to reflect its maturity level. And because the field of cybersecurity is constantly evolving, newer versions of the HITRUST CSF are periodically released to stay up to date with any changes in the standards from the various regulatory bodies.



HITRUST CSF – the Latest Version

The most recent version went into effect on January 1, 2020. HITRUST CSF v9.3 added new and updated requirements adopted from:


The HITRUST Assessment Framework

Rather than designing broad-spectrum focal points, the architects of the HITRUST CSF created a series of highly specialized controls and domains. By separating each of these specific areas, it is easier to pinpoint problems so you can quickly and accurately reassess and make corrections to your information security system.

HITRUST Assessment Domains

The HITRUST CSF uses 19 domains to make it easier for you and your team to isolate data protection concerns. In total, these domains include 135 security controls.

Domain – Control – Description of the Controls Included

  1. Information Protection Program – Processes should be in place to ensure confidentiality, integrity, and availability of sensitive data. This includes the information security management system (ISMS).
  2. Endpoint Protection – This refers to anti-virus/anti-malware configurations, firewalls, intrusion detection systems, software updates, patches, and more. It includes requirements common to laptops, workstations, storage (e.g., NAS) and servers.
  3. Portable Media Security – This control domain includes mobile storage (e.g., USB drives, CD-ROMs, DVD-ROMs, backup tapes).
  4. Mobile Device Security – This covers requirements specific to laptops, smartphones, and tablets.
  5. Wireless Security – This refers to all aspects of corporate and guest wireless networks but does not include protections for devices connected to other networks.
  6. Configuration Management – This includes all aspects of configuration management (e.g., configuration item identification, configuration status accounting, change control, and configuration audit), as well as environments used for development and testing.
  7. Vulnerability Management – This includes vulnerability scanning and patching, antivirus/anti-malware and network/host-based intrusion detection systems, and updates.
  8. Network Protection – This includes all aspects of perimeter and internal network security, such as network-based application-level firewalls and intrusion detection systems, DDoS protection, and IP reputation filtering.
  9. Transmission Protection – This includes web and network connections, such as those for VPN, email, and chat.
  10. Password Management – This covers specific issues around the use of traditional passwords.
  11. Access Control – This control includes all aspects of access control other than the use of traditional passwords.
  12. Audit Logging and Monitoring – This refers to controls for audit logging and monitoring.
  13. Education, Training, and Awareness – This domain covers awareness campaigns, as well as the initial and continual education and training provided for security personnel and standard users.
  14. Third-Party Assurance – This refers to all aspects of managing risk linked to third parties, such as vendors and business associates.
  15. Incident Management – These controls relate to incident monitoring and detection activities, incident response, and breach reporting.
  16. Business Continuity and Disaster Recovery – This covers all aspects of contingency, business continuity, and disaster recovery, such as planning, implementation, and testing.
  17. Risk Management – This includes risk assessment, risk analysis, and other operations connected to risk management.
  18. Physical and Environmental Security – This domain includes physical and environmental security requirements for data centers and other facilities charged with storing, disposing of, and/or destroying sensitive information.
  19. Data Protection and Privacy – The final domain addresses the organization’s compliance and privacy program and related controls.

HITRUST Controls and Levels of Implementation

The HITRUST framework has defined 135 controls for information security, which are divided into three separate levels of implementation. These levels are based on organizational and regulatory risk factors. Each of the three levels of implementation builds comprehensively on the level before it. Level 1 is considered the baseline, while Level 3 has the greatest number of requirements and assures the greatest level of protection. Most organizations use a variety of levels of implementation, according to their specific data protection needs.


Enlist Expert Help for HITRUST Compliance

I.S. Partners, LLC is an Approved HITRUST Assessor assisting clients with HITRUST readiness, creating and implementing effective remediation strategies, and validating assessments for certification. Contact the I.S. Partners team at 215-631-3452 for an initial consultation.
