The protection of patient data is of paramount importance to any company that operates in the healthcare sector. In order to streamline the complex process of complying with a wide range of security standards, representatives from information security, technology, business and healthcare formed a consortium known as the Health Information Trust Alliance (HITRUST).
The result of the collaborative efforts of this group is a framework of security controls whose scope takes some of the main regulatory structures into consideration, including NIST, HIPAA and HITECH. It is called the HITRUST Common Security Framework (CSF), and understanding the HITRUST requirements it contains is a necessity for today’s healthcare-related practices and companies.
The HITRUST CSF Structure
In order to help companies organize their priorities, the HITRUST CSF is broken down into 19 distinct HITRUST domains that all must be addressed in order to comply with HITRUST certification requirements. These include the following:
- Safeguarding the privacy and integrity of information
- Protecting remote devices that interact with a network
- Maintaining the security of flash drives and other portable devices that interface with a network
- Maintaining the security of smartphones, tablets and other similar devices that interface with a network
- Ensuring the security of wireless connections
- Ensuring that procedures for managing system configuration are secure
- Ensuring that robust mechanisms are in place to identify and correct vulnerabilities
- Providing comprehensive policies, protocols and technology to protect the security of all parts of the network
- Safeguarding the security of transmitted data
- Putting systems in place regarding end user practices, including password safety
- Controlling all aspects of system access procedures
- Demonstrating thorough procedures for monitoring and logging security events for auditing purposes
- Providing effective employee training on all aspects of system security
- Assuring that vendors and other third parties adhere to strict data and systems security standards
- Having a full set of plans in place for responding to a security incident
- Establishing procedures and protocols to get systems up and running as soon as possible after a breach or other disaster
- Assessing, managing and mitigating risks
- Protecting the security of the physical plant and the virtual infrastructure
- Taking steps to facilitate the protection and privacy of the data stored in all areas of the system
The framework also contains 75 control objectives and 156 specific HITRUST controls.
HITRUST Requirements Explained
The CSF features three distinct implementation levels that can be applied to the 156 controls. Level 1 contains the least stringent set of requirements, with the next two levels building progressively on that foundation. Which level a company must adhere to is determined by the degree of risk it carries for each control, with variables such as the size of the company and the number of records stored figuring into the calculation.
Complying With The HITRUST CSF
In order for organizations to be in compliance with the HITRUST certification requirements, they must put the stipulations laid out in the framework into practice. What it takes to meet these standards differs from one organization to the next, depending on the company's level of risk on the various controls across all domains.
Degrees Of Assurance
Organizations in health or related industries often want to demonstrate that they have complied with HIPAA and other accepted standards. To that end, a company can conduct its own self-assessment of compliance, the lowest level of assurance. For a more rigorous set of proofs, it can also become HITRUST CSF Validated or HITRUST CSF Certified. It is important to understand the differences among these steps.
During the self-assessment, an organization uses the HITRUST myCSF tool as a guide to assess its own unique environment and needs. This tool is patterned after the structure of the ISO 27001 standard with its 11 control clauses, with additional categories covering privacy practices, risk management and the establishment of an information security management program. At the end of the assessment, suggestions are provided that cover areas of strength in relation to the relevant standards as well as specific elements that need to be improved.
After completing a self-assessment and implementing any mitigation strategies that are needed, some organizations opt to gain extra compliance assurance by consulting with a certified CSF assessor. This firm can validate the results that have already been achieved and answer any questions that team members may have.
Building on CSF validation, CSF certification is the highest assurance level, requiring even more time and effort. The process involves sending the results of CSF validation directly to HITRUST for review. If the company is deemed compliant, HITRUST CSF certification is granted for two years. Upon receiving this certification, an organization can then advertise itself as such in press releases, organizational literature and on its website.
As concern over data-related liability costs, inconsistent standards and security breaches continues to grow, the HITRUST Common Security Framework provides important benefits by furnishing a robust and comprehensive set of standards that your company can implement. As a result, you and your management team will be able to identify vulnerabilities, adjust policies and procedures, gather resources, and implement and maintain protocols. Once you are able to demonstrate compliance, your stakeholders will have the added assurance that comes with knowing they have entrusted their data to an organization that meets or exceeds all industry security specifications.