Way back in 1996, the increasingly dangerous information security landscape made it necessary to enact strict measures that would protect the storage and transmission of sensitive patient data. To that end, the Health Insurance Portability and Accountability Act (HIPAA) was passed to set guidelines for all healthcare providers in the areas of data security, log collection, and review management.
In today’s constantly evolving cybersecurity milieu, these priorities have expanded to include any entity that handles or exchanges data, including finance and insurance firms, which should also take these steps to protect the information they manage. In spite of the stiff fines that have been put in place to discourage noncompliance, many providers still operate environments with insufficient security controls.
The Health Information Trust Alliance (HITRUST) offers organizations a consistent, standardized way to better manage these security requirements.
The Basics of HITRUST
The HITRUST common security framework (CSF) was developed in 2018 by a consortium of security, IT, and healthcare experts. Consequently, organizations now have an actionable yardstick that they can employ to evaluate their own compliance and demonstrate it to their customers.
The standards contained in the HITRUST CSF function as guidelines that help organizations assess the systems that store, transmit, and create data. Furthermore, the framework allows for the assessment of the security controls that protect these environments. Finally, it gives providers insights into the security risks and vulnerabilities that threaten the confidentiality, security, and integrity of this crucial data.
Benefits of HITRUST Certification
While the auditing process is quite time-consuming and arduous, the advantages of HITRUST certification are undeniable. They include the following:
- Enables organizations to use HITRUST audit findings to comply cost-effectively with regulatory frameworks, including PCI DSS, NIST, and HIPAA
- Is scalable, with the ability to adjust to a company’s evolving needs
- Enhances the credibility of a company’s brand since security controls are customizable and are being upgraded constantly to protect systems against hacking.
As you will soon see, obtaining HITRUST CSF certification is neither fast nor easy. However, given these compelling benefits, most providers ultimately decide to go through the process.
How to Conduct a HITRUST Assessment
Before getting started, it helps to get an overview of the complex array of standards your enterprise will be expected to evaluate. In general, there are 19 domains upon which you will need to focus. These are the following:
- Access controls
- Your mechanisms for audit logging and monitoring
- Disaster recovery and business continuity strategies
- Configuration management
- How you protect your data and keep it private
- Policies, protocols, and practices for staff training and awareness
- Endpoint security protection infrastructure
- Incident management
- Programs and procedures for protecting information systems
- Security for tablets and other mobile devices
- Technology and procedures for protecting the security of your networks
- End-user password management
- Security of your physical plant
- Portable media security
- How you will manage risk
- Mechanisms for evaluating the security of third-party vendors
- All mechanisms that protect transmitted data
- Vulnerability management
- Protection of all wireless systems and devices.
For each of these items, you will use a risk-based approach to set security standards. Before investing in an expensive and time-consuming primary audit, HITRUST recommends that companies first perform their own self-assessment.
What is a HITRUST Self-Assessment?
You can think of a HITRUST self-assessment as a dry run of the actual audit. The good news is that you are allowed to use all of the same tools, requirements, and methods as the auditor eventually will but with the additional ability to correct flaws or insufficiencies on your own without penalty. The self-assessment process contains the following general steps:
- Define the scope of the assessment, assigning a project coordinator to spearhead all elements of the project. This should be someone with a high level of authority who is competent in navigating the organization, interviewing staff, gathering documents, and delegating tasks appropriately.
- Articulate the scope of your company. This should include its structure, the industry regulations controlling it, and its physical facilities, particularly those that relate to data in any way.
- Define the systems to be assessed.
- Evaluate your security practices and documentation for compliance based on the HITRUST security controls through inspection, observation, analysis, and review.
- Interview stakeholders to understand how security controls are implemented and if they are working effectively.
- Test systems for vulnerabilities using penetration testing, vulnerability scans, and configuration setting validation.
- Thoroughly document your findings, with special emphasis on weaknesses and areas of noncompliance.
- Report your findings. Include all areas of non-compliance as well as tangible strategies to mitigate each.
- Submit your report package to HITRUST, including the baseline questionnaire, a description of the scope, and a review of your security program, the tests you performed, and all plans for corrective action. HITRUST will perform limited validation. You should get the results back in anywhere from two to eight weeks.
In addition, you are required to submit the report to executive management for their review and response. Based on these findings, management will make recommendations as to how your team will mitigate the identified risks.
- Produce a corrective action plan (CAP) for mitigating the cited issues. Emphasis is placed on cost-effectiveness, efficiency, and measurable outcomes, particularly in the areas of the highest priority.
Of course, management will also seek to reduce or eliminate altogether any practices that are unproductive, dangerous, or inefficient.
What is a CSF Validated Assessment?
After completing the self-assessment, reporting its findings, and implementing remediation measures, your company will undergo the CSF Validated Assessment. Conducted by an approved CSF assessor, it mirrors the procedure you already went through on your own and is scored using a complex maturity approach to control implementation.
If your controls meet or exceed the current CSF requirements, you will receive a report indicating that you have attained HITRUST CSF validation. Depending on your organizational scope, this process may take anywhere from six to eight weeks, perhaps even longer.
What is CSF Certification?
Once validation is complete and your information is submitted to HITRUST, you enter into the lengthiest part of the assessment. For the next few months or even one to two years, HITRUST will scrutinize every aspect of your report to ensure that you comply with each and every regulation and have provided all necessary forms of documentation.
In due course, you will receive word from the HITRUST Alliance as to whether you have been granted that most sought-after of honors: HITRUST CSF Certification.
As you well know, the security landscape is constantly changing. Therefore, even the most rigorous certification must be updated on a regular basis. In the case of the HITRUST CSF, you are required to conduct an annual audit to demonstrate that your practices and controls are in sync with the latest changes in IT security.
This process is much less time-consuming than the initial audit, which can take anywhere from one to three years to complete. By contrast, your yearly assessment should be accomplished in one or two months.
Safeguarding patient and customer data is one of the most important responsibilities with which any company can be charged. Fortunately, the HITRUST CSF is there to guide you through every step of this complex process. Expensive and time-consuming as it undeniably is, this tool enables both you and the people and entities you serve to have the peace of mind that can only come when you know that the information you hold is safe.