Build a Risk Management Program with the HITRUST CSF®

Creating an information risk management and compliance program is essential for any small or large business that gathers, stores, or transmits customer data or other information over the internet. Having the necessary security controls in place lowers the risks of hackers and scammers stealing data and performing identity theft, while helping your company avoid costly fines and litigation. In addition, you can bring more trust to your operations when vendors, clients, and partners know that your information risk management and compliance program meets all local, state, and federal regulations.

Yet, how do you know whether your information risk management and compliance program meet industry-specific levels? Are there any gaps in the control measures, and are these controls sufficient in achieving specified objectives?

HITRUST® is the leading data protection standards development and certification organization. The organization has assisted the healthcare and public health sector (HPH) with protocols, assessments, and certifications that meet specified privacy regulations. Now, HITRUST has created a certification program that businesses in a multitude of industries can use to organize their information risk management and compliance programs.

HITRUST CSF® Assurance Program

The HITRUST CSF Assurance Program is a simplified, risk-based compliance assessment and reporting program. It includes risk management oversight and assessment tools that are standardized for accuracy and consistency, while flexible enough to fit the unique regulatory needs of various businesses. For organizations, HITRUST offers a number of advantages:

• • Saving time and money – A main advantage of the HITRUST CSF is that it combines the best practices, statutory requirements, and regulatory standards followed within multiple industries. It brings together compliance efforts related to HIPAA, HITECH, PCI, COBIT, and NIST, as well as other regulations. The HITRUST CSF is a single, comprehensive framework. By adopting this, businesses save on the time and expense that comes with compliance efforts. They can assess once and report to multiple regulatory bodies.
  • Effective risk management – The HITRUST CSF Assurance Program makes the risk management process more complete and effective. It gives organizations better insight into their internal and third-party risk and facilitates a proactive approach to mitigation. The HITRUST CSF Maturity Model also encourages continual improvement towards strong risk management.
  • Simplified compliance – Organizations can focus on improving their security posture because compliance efforts are streamlined. The HITRUST CSF Assurance Program provides a consistent approach that is clear and easy to follow.

Is HITRUST Certification Right for Your Organization? Find out.

The Right HITRUST Implementation Level for Your Risk Management Needs

The HITRUST CSF provides a scorecard that is used to determine the level of cybersecurity protection that is present and see whether it meets requirements set by regulatory bodies. The scorecard consists of compliance risk ratings for each control category within the scope. Your company can perform one assessment and ensure that controls meet the required standards in your particular industry.

Related articles: Your Essential Guide to the HITRUST CSF Certification Process and Look Up Terms in the HITRUST Glossary.

When building a risk management program, your organization must determine the level of risk that it faces and implement the appropriate level of protection. The HITRUST CSF provides guidance in making this determination. It describes three different types of risk factors – organizational, regulatory, and system risks. When these three types are considered together, they determine the right implementation level for a specific security control.

Organizational Risk

Factors related to the size of the entity fall under organization risk. This takes into consideration both the physical breadth of the company – in terms of geography and number of facilities – as well as the volume of business – in terms of the number of patients or customers, transactions, and operations performed.

Regulatory Risk

Different organizations are responsible for complying with different sets of regulations. That set is determined by the state(s) and country(ies), as well as the industry(ies) it works in. For example, healthcare organizations must comply with HIPAA regulations, while financial institutions are required to meet GLBA regulations. The HITRUST CSF includes the controls required by these different regulations. Yet, the assessment scope can and should be narrowed to include only those that are applicable and appropriate for a particular organization.

System Risk

The attributes of your organization’s IT infrastructure represent system risk factors. These include the devices used to store, process, and transmit sensitive data. They also take into account the number of users with access to the environment, third-party accessibility, and transaction processing volume.

How HITRUST Implementation Categories Work

HITRUST implementation levels are assigned to each of the 135 security controls listed in the HITRUST CSF. They outline and explain what comprises “acceptable” threat mitigation for an organization managing organization, regulatory, and/or system risk to varying degrees.

To achieve certification, an organization must comply with at least level one. For a stronger risk management program, the organization should evaluate whether greater control restriction is appropriate for its environment and the threats it faces.

Level 1 includes the basic security requirements for all types and sizes of systems and organizations of varying complexity. Level 2 and 3 encompass and build upon the level 1 requirements. Higher implementation levels are designed to address higher levels of risk.

Read next: How to Prepare for a Successful HITRUST Assessment.

Expert Guidance for HITRUST Implementation & Compliance

Whether you are performing an internal readiness assessment, or you are looking for an external auditor to assist you in achieving HITRUST CSF certification, turn to I.S. Partners, LLC. We are well versed in a range of IT assurance programs, including HITRUST CSF, so that you can reach your security goals without anxiety.

Reach out to the professionals at I.S. Partners LLC today or use our convenient contact form to receive a quote for assessment and advisory services.

About The Author

Robert Godard

Robert is a Principal with I.S. Partners, LLC’s Business Process/Advisory Services practice in Horsham, PA. Robert has conducted a variety of Financial Statement Audits for a range of industries such as banking, healthcare, payroll, employee benefit plans (Pension, Health and Welfare), Unions and Construction.

Robert’s specialty is in audits of IT Controls and Infrastructure, Financial Statements, SOC 1 and SOC 2 audits, HITRUST CSF Assessments, Model Audit Rule (MAR), including evaluating business process as well as IT General Controls surrounding the reporting of financial information. He also has experience with analyzing Health Insurance information from AmeriHealth, Blue Cross Blue Shield, Express Scripts and Delta Dental. Additionally, Robert has performed audits for Construction and Special Tax related credits (Historical Tax Credits). He has prior work experience using ISSI, Great Plains and Peach Tree.

Prior to joining I.S. Partners, LLC, Robert was employed with Novak Francella in the Financial Statement Audit division, where he worked as an associate on external audit engagements in accordance with GAAP and DOL requirements.

Robert has a Bachelor of Science degree in Finance and Accounting from LaSalle University, Philadelphia, PA.