The more safety measures you can introduce into your auditing process, the more you can steel your healthcare-related computing system against data breaches and other dangers. The recently announced general availability of HITRUST Version 8 (v8) adds two new elements that will enhance your business’s efforts to maintain the confidentiality, security and ready availability of healthcare data.
A HITRUST CSF Refresher Before Learning More About HITRUST Version 8
“The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges.”
In conjunction with fellow healthcare, business, technology and information security leaders, HITRUST established HITRUST CSF, which is a certifiable framework. HITRUST CSF is available to any and all organizations that need to create, store, access or exchange personal health and financial information.
The HITRUST CSF, as an information security framework, takes into account all the existing requirements of regulations and standards with which IT departments must comply. A few of the most prominent standards and regulations include the following:
- HIPAA: The Health Insurance Portability and Accountability Act of 1996, or HIPAA, was enacted “to publicize standards for the electronic exchange, privacy and security of health information.” Those covered by HIPAA include health plans, healthcare providers, healthcare clearinghouses, and business associates wherein certain members have access to healthcare records.
- HITECH: Part of the American Recovery and Reinvestment Act of 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) was enacted to promote adoption and meaningful regular use of health information technology capabilities for electronic healthcare information transmission.
- PCI: A third-party interest, the Payment Card Industry (PCI) has become intertwined with the healthcare industry as a major form of payment for many patients. Working within HITRUST CSF’s framework helps PCI issuers understand how vital their compliance is to ensuring patient security and privacy.
- COBIT: Created in 1996 by ISACA, Control Objectives for Information and Related Technologies, or COBIT, provides a good-practice system framework to promote the best practices in IT management and governance.
By using the HITRUST CSF as a guide and a practical tool for all of these standards and regulations, as well as others from additional governing bodies such as NIST and the FTC, IT professionals can keep every consideration in mind when it is time for certification. HITRUST CSF information can also help with SOC 2 reporting requirements, since both feature many of the same elements of the Trust Service Principles of Security.
IT Leaders Will Find Even More Benefits with the General Availability of HITRUST Version 8
You might wonder just what expanded requirements you and your dedicated IT team will face with HITRUST Version 8. As always, the updates for HITRUST CSF serve to bolster support for your system so you can better and more easily protect the privacy, security and availability of your healthcare-related data.
The basic updates for HITRUST Version 8 include “a more granular support for cybersecurity, AICPA SOC2 reporting, contextual data de-identification, cloud services, and expanded requirement details.”
Updates Involving the American Institute of Certified Public Accountants
This latest HITRUST Version 8 release integrates the American Institute of Certified Public Accountants’ (AICPA) mapping of the HITRUST CSF to the AICPA’s own Trust Principles and Criteria for security, confidentiality and availability. The closer ties to this auditing principle, closely associated with SOC 2 reporting, will make regulations and standards compliance that much easier for busy healthcare-oriented organizations and busy IT team members.
The De-Identification of Data
V8 allows for contextual data de-identification when necessary, according to the HITRUST De-Identification Framework’s assessment protocol. This particular aspect of HITRUST Version 8 improves on the protocols that set out to provide a consistent, managed means of de-identification of data, along with the easy sharing of information and compliance needs among various key entities and stakeholders.
Since no single approach to de-identification is ideal for all organizations, a set of 12 characteristics, which help assess controls, risks and potential outcomes, guides IT professionals when it comes to de-identification. Working within the standards and regulations already so firmly set in the HITRUST CSF, it is easier to objectively and concisely determine the proper characteristics.
The Center for Internet Security Critical Security Controls
HITRUST Version 8 also includes the addition of the Center for Internet Security Critical Security Controls (CIS CSC), along with recent cybersecurity guidance from the President’s Precision Medicine Initiative (PMI). CIS controls are developed to help all organizations, in this case particularly healthcare-related organizations, stop the most pervasive and dangerous cyber threats. The combined effort of the leading CIS CSC experts and those guiding HITRUST CSF helps close the gap, adding safeguards that healthcare entities need to implement in order to stave off extant and emerging digital security threats.
Additional Benefits Associated with HITRUST Version 8
The V8 release also features updates to improve PCI practices, cloud security, and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
Finally, the more granular mappings of all the requirement statements help you and your IT team better assess your understanding of, and compliance with, all the critical standards and regulations that serve to protect patients’ private data and your organization’s standing in its industry.
Learn More About HITRUST Version 8 and What It Will Do for Your Organization
I.S. Partners, LLC. stays apprised of all updates to HITRUST CSF and any of the standards and regulations associated with it. If you need help determining what V8 entails and how you and your IT team can keep up, call us at 215-675-1400 to learn more.