Listen to: "Bonding Industries Through HITRUST: How the HITRUST CSF is Expanding Beyond the Healthcare Industry"
Data security is a hot topic in every industry but has remained fragmented in terms of the systems used to enhance protection. Organizations now have an industry-wide platform that can be used across the board to implement these protections. Originally designed to manage regulatory compliance and risk for the healthcare industry, the HITRUST CSF has taken center stage in providing a solution to bring all regulatory requirements under one umbrella. Organizations outside of the healthcare industry have taken notice, providing leverage to expand into other industries.
With its recent release of the HITRUST CSF v9.2 update, this framework now unifies requirements across authoritative sources such as HIPAA/HITECH, ISO, NIST, PCI DSS, and COBIT. What does this mean? By unifying these frameworks, the system now works with organizations of all sizes and industries. Scalable in nature, it can handle all types of data, delivered in one comprehensive report.
Why the HITRUST CSF?
Organizations across industries have realized the similarities in cyber security threats. With so much at stake, the need to protect sensitive data is increasingly important. For companies who have interests beyond healthcare, the HITRUST CSF brings everything together in one place.
Benefits of the HITRUST CSF
The foundation of all HITRUST programs and services is the HITRUST CSF, a certifiable framework that provides organizations with a comprehensive, flexible, and efficient approach to regulatory compliance and risk management. Developed in collaboration with information security professionals across various industries, the HITRUST CSF rationalizes relevant regulations and standards into a single overarching security framework. Because the HITRUST CSF is both risk- and compliance-based, organizations can tailor the security control baselines based on a variety of factors including organization type, size, systems, and regulatory requirements.
What makes the 9.2 version different?
The control language of previous versions focused on ePHI and the healthcare industry. This new version integrates data protection requirements from Europe’s General Data Protection Regulation (GDPR), and Singapore’s Personal Data Protection Act (PDPA), and the language is reworded to include all types of sensitive data, allowing for wider adoption across industries. This gives the HITRUST CSF the ability to gain assurance over its information security and privacy practices.
Organizations who specialize in healthcare-related information still have the capabilities of performing ePHI-focused assessments but must select the Health Insurance Portability and Accountability Act (HIPAA) as an included regulatory risk factor. non-healthcare related organizations can remove the ePHI and healthcare language.
More changes are due down the line with the release of version 9.3 and version 10. Version 9.3 expands the number of authoritative sources included in the CSF to 44 by adding: the California Consumer Privacy Act (CCPA) 1798; the South Carolina Insurance Data Security Act 2018 (SCIDSA) 4655; and NIST SP 800-171 R2 (DFARS). Version 10 of HITRUST CSF will have two approaches for organizations to streamline their processes:
- HITRUST Control Core: a Blanket framework to be used by any industry.
- HITRUST Control Core + Industry Focus: Customized framework incorporating additional control requirements based on industry or unique requirements.
Users can look to the Control Core + Industry Focus as a way to incorporate industry-specific best practices. It may also generate higher numbers of control requirements. This could take greater effort and expense. This version also takes a look into customer expectations, existing industry standards, and current program maturity as considerations.
Changes to boost visibility
These changes and updates from HITRUST can strengthen vendor relationships with their commitment to security. They provide a well-defined and consistent risk management framework to assist in benchmarking your organization’s cybersecurity program against other industry internal and external organizations. Well-equipped to evaluate vendors and suppliers, this protects your organization and the third-party vendors already in the supply chain.
The HITRUST CSF also helps organizations boost confidence. Once a company has gone through the HITRUST Certification, this demonstrates to vendors that your organization is fully committed to data security. HITRUST Certification also helps organizations display their leadership to current and potential vendors, gaining trust and a reputation for being a forward-thinking organization that cares about protecting data security.
These enhancements help envision stronger data protection and information risk management practices in every industry with an established and highly recognized framework and assessment methodology that works. With an industry-standard solution in place, internal and external stakeholders will be more comfortable with organization management as they address their own industry-specific standards. Additionally, these organizations will be able to assess where they are in relation to existing and changing industry control requirements. This way, organizations can better communicate their security and privacy protocols, solidifying their position within the market.