HITRUST is both a risk- and compliance-based, certifiable, cybersecurity framework that provides organizations with a comprehensive, flexible and efficient approach to regulatory compliance and risk management. It is widely adopted in the healthcare industry and seen as a gold-standard measure when it comes to security compliance because it is so thorough. It was purpose-built to ensure a comprehensive set of baseline security controls that took into consideration existing but siloed security standards such as NIST, PCI and HIPAA.
Background on HITRUST
HITRUST was designed around the understand that effectively managing data, information risk and compliance is complex and ever-changing. To combat this challenge, HITRUST uses an integrated approach to align your organization's information risk management and compliance program.
Facets of HITRUST
There are 3 distinct facets of the HITRUST CSF: the 13 domains of the control (14 if you include one around Privacy), the 3 levels of implementation and 3 degrees of assurance.
Domains of Control
There are 13 domains of control with an additional control specifically geared towards privacy. These domains of control highlight an area where HITRUST differs from something like HIPAA compliance, where there are fewer, broad and more general control buckets. Each of these domains is made up of controls themselves, currently totalling 135 (plus an additional 14 if you factor in the privacy domain).
Levels of Implementation
As organizations look to implement each of these controls for the specific domains, there are 3 levels in which they adopt for their organization. These levels build on each other like a sort of Russian doll, where in order for an organization to meet the requirements for level 2 HITRUST CSF implementation they must meet all of the requirements for level 1 and level 2.
Because the layering of requirements gets more and more demanding as organizations climb the different levels of implementation, it is useful for organizations going through their first certification to know that few organizations have attained the same level across all of the controls. Usually an organization may have resources in place to get to level 3 in one control but only level 1 in another.
Remember: security assurance is a process of continual improvement.
Degrees of Assurance
Speaking of assurance, HITRUST has 3 "levels" for assessing how an organization has put the framework into practice. The demands on an organization in terms of both time and resources grows so while checking off the self-assessment list feels good it is important to remember that larger organizations are requiring more and more of the vendors they work, regardless of size, and going the route of a full certification may be what your business needs to do to stay competitive.
- The Self Assessment: just like it sounds, right now you can go to HITRUST.net and download the self-assessment to see how you are chalking up. Usually companies will do this leading up to an audit or just simply as a way to see how they are doing against a certifiable framework before plunging a lot of effort into the process.
- CSF Validated: things are getting more real here as organizations have to work with an approved and certified, 3rd party assessor. The process is completed onsite and following its completion an official report is generated.
- CSF Certified: this is the real deal, on-site badge and all. In order for an organization to be certified they must meet all of the requirements across each of the controls. These certifications typically take months to complete but are valid for 2 years.
HITRUST, the Healthcare Industry and HIPAA
With the growing number of data breaches, more providers and organizations operating in the healthcare industry are requiring the organizations they work or partner with to have certifiable and measurable controls in place. The investment in the time and resources to achieve and maintain HITRUST CSF Certified Compliance show the commitment and controls an organization has in place.
What about HIPAA?
HIPAA is a broad and vague compliance framework for the healthcare industry. It covers all things healthcare, with Cybersecurity being only a small facet. HIPAA is enforced by the Office of Civil rights, which can levy fines and penalties for data breaches. It's more reactive in nature whereas certification in HITRUST, a much more rigorous and specifically defined framework, helps hospitals, providers and the like be confident the actual controls are in place from their vendors and partners..
Final Takeaways from HITRUST
HITRUST isn't easy, but with security teams and tools failing to keep up with attackers despite the growing sophistication in technologies, organizational leaders are turning to the stringent framework to show the right processes and controls are in place when a breach does happen. When ...not if.
Security operations are not easy but streamlining them is critical to ensuring the quickest identification, remediation and response to security threats. If HITRUST is on the horizon for your organization this or next year, JupiterOne can help.
JupiterOne and a DevSecOps mindset has helped organizations achieve and maintain HITRUST CSF Certification in a matter of months, while drastically improving the operation efficiency of security teams.
Streamline your security operations and simplify the path to compliance today with JupiterOne.