What is HITRUST CSF: A Guide to Compliance
Whatever the industry, keeping stored data secure is a priority. In healthcare, HIPAA is the regulation that governs how protected health information must be safeguarded. However, its requirements are broad and leave a lot of room for interpretation, which makes them confusing for many organizations to implement.
This is where HITRUST comes into play. It offers a structured, prescriptive way to demonstrate that HIPAA's expectations are being met. Let's look at what HITRUST is, why it matters, and what the HITRUST certification requirements are.
What Is HITRUST?
HITRUST is the short name of the Health Information Trust Alliance, an organization founded in 2007 that maintains the HITRUST CSF, a certifiable cybersecurity framework. The CSF does not address a single regulation. It harmonizes the key security and privacy requirements of standards and regulations such as HIPAA, PCI DSS, GDPR, ISO/IEC 27001 and NIST publications into one control set, so that information security stays at the core.
HIPAA itself does not require HITRUST certification, but many healthcare organizations require it contractually from the data-storage and technology vendors that handle their PHI. It is widely regarded as a best-of-breed framework because it is assessed by authorized third-party assessors against a prescriptive control set, which keeps information risk measurable and as low as practical.
Why is HITRUST Important?
HITRUST, though demanding, is strongly recommended by industry leaders because it holds particular value for organizations handling PHI. With this framework in place, it is easier to:
- Meet multiple security standards in one effort. Instead of running separate programs for PCI DSS, NIST, HIPAA and others, an organization can demonstrate adherence to several standards through a single assessment and improve its standing with customers.
- Avoid the large operational cost of a data breach. When an organization loses key data, there are direct and indirect expenses to bear: customers can sue, misuse of the data can lead to financial losses, and so on. A HITRUST program keeps risks and vulnerabilities identified and under control, which makes such losses far less likely.
- Win more business, since the industry picks service providers that are trusted and dependable. HITRUST certification is strong, independently verified evidence of that dependability.
- Have a flexible security program. HITRUST is not a one-size-fits-all list; it lets you scope controls to your environment and include controls from different categories, so you stay in charge of your own security program.
HITRUST Framework - How Does It Work?
HITRUST, a widely adopted security framework, is a collection of control requirements, policies and processes that healthcare organizations (and, increasingly, others) adopt to build a robust cybersecurity program.
One important fact to understand is that HITRUST is a blend of many pre-existing frameworks. It is also known as the HITRUST CSF (originally the Common Security Framework) and requires in-scope organizations to give attention to a wide range of security domains. For example, the framework prescribes password requirements, such as a minimum length of 8 characters, for the systems in scope.
The foundational concepts of HITRUST are drawn from ISO/IEC 27001 and 27002 and encourage entities to build a well-controlled environment in which PHI is stored and transmitted with managed risk. The framework was built by experienced security professionals and focuses on both risk and compliance, letting entities tailor the security and privacy controls to their own environment.
Because the security approach varies with the business deploying it, the framework is built to be flexible and scalable. That flexibility has contributed heavily to its broad acceptance today. HITRUST is gradually moving beyond healthcare and is now adopted wherever sensitive data is handled.
Overall, HITRUST is a good fit when you need to:
- Harmonize standards, including PCI DSS, HIPAA, NIST SP 800-171, ISO/IEC 27001 and GDPR
- Run a scalable security program across any organization type
- Adopt a risk-based approach to cybersecurity
- Make room for additional security controls
At the time of writing, HITRUST CSF v11.0.0 is the current version of the framework. It brings some significant updates over earlier versions. For instance:
- NIST SP 800-53 Revision 5 mapping
- Health Industry Cybersecurity Practices (HICP) mapping
- Updated NIST SP 800-171 mapping
- Updated HIPAA Privacy Rule, Breach Notification Rule and Security Rule mapping
This version introduces a traversable assessment portfolio, so work done for one assessment type carries forward into the next. It does not force new policies and processes on you; organizations can continue with existing compliance programs and strengthen them with best practices. It also leaves room for AI-related requirements, and the MyCSF tool has been made easier to use than before.
HITRUST Assessment Domains
HITRUST assessment is extensive: it reviews 19 control domains, each of which is scored separately. Several of them, such as Information Protection Program and Access Control, are referred to later in this guide.
HITRUST vs HIPAA
To understand the HITRUST framework properly, you need to be clear on HITRUST versus HIPAA. The two are different in kind: HIPAA is a law, while HITRUST is a framework.
HIPAA was written by lawmakers and lawyers, so it reads as legal rules and high-level requirements.
HITRUST was built by security practitioners who know HIPAA well. It gives an organization a way to demonstrate, with third-party validation, that it has implemented the controls HIPAA calls for. HITRUST is independent of HIPAA and maps to it rather than replacing it. Note that there is no official government-issued HIPAA certification, so HITRUST certification is evidence of HIPAA-aligned controls, not a HIPAA credential. In practice, HITRUST makes HIPAA actionable.
HIPAA instructs covered entities and business associates to use adequate administrative, physical and technical safeguards to protect PHI (protected health information), but it does not say how. HITRUST provides a way to achieve that goal: it specifies concrete control requirements that, when met, support a claim of HIPAA compliance.
You can think of HIPAA as the destination and HITRUST as the bus you can take to get there.
Benefits of Implementing the HITRUST
Being a HITRUST-certified organization brings a wide range of benefits, such as:
- Easier compliance
For the healthcare industry, compliance is hard because many security standards co-exist and there are a great many controls to manage. HITRUST consolidates these and helps the entity see which controls matter most.
- Better handling of cybersecurity risk
In the healthcare sector, HITRUST extends to third-party vendors and business associates. Hence, good cybersecurity practices can be maintained across the supply chain, not just inside one organization.
- Fewer inefficiencies
By consolidating controls from many standards, HITRUST makes compliance work and risk management more efficient. CIOs can manage all the relevant controls from a single platform.
- Secure transmission of sensitive information
HIPAA is restrictive about how PHI may be shared but does not prescribe safeguards. HITRUST backs data sharing with specific transmission-protection controls, so an organization can exchange sensitive data with its risk demonstrably managed.
- Flexibility in deploying security arrangements
HITRUST is flexible enough to produce results in all kinds of businesses that handle PHI. The framework is both compliance-centric and risk-based, so it is straightforward to fold various security controls into the governing security strategy.
- Staying current
HITRUST scores controls on a maturity model. That model pushes organizations to keep improving their control environment, which leads to adopting the best cybersecurity standards in the industry.
HITRUST Controls & Requirements
HITRUST certification is achieved only when an organization earns the minimum required score in every domain. Scoring is complex because it depends on the maturity level of each control. As noted earlier, there are 19 control domains.
Each domain is divided into multiple control objectives. A control objective is the broad goal a domain sets out to achieve, and it is backed by specific requirement statements describing the actions the team must take for that domain.
For instance, one of the Information Protection Program control objectives is to ensure that only authorized users access PHI and that their data usage is fully tracked.
In Access Control, user registration is one control objective; it requires a fully documented user registration and de-registration process, and access is granted only once it has been formally authorized.
Healthcare organizations obtain HITRUST certification to prove they have effective security controls protecting sensitive data. The program dates back to HITRUST's founding in 2007.
HITRUST certification demonstrates compliance with the CSF (originally the Common Security Framework). To obtain it, an organization must implement the security controls in scope for its assessment. The CSF draws its controls from widely adopted standards such as PCI DSS, ISO/IEC 27001, COBIT and HIPAA.
There are two main validated assessment types. The first is the i1, or Implemented, 1-year validated assessment. It is relatively new and focuses on the implementation of a fixed set of standard security controls suited to moderate-level risk. (HITRUST has since added a third, smaller e1 Essentials 1-year assessment below the i1.)
Roughly 219 requirement statements are reviewed in an i1 (the exact count varies by CSF version). It is the less flexible option, with controls drawn from sources such as HIPAA and NIST SP 800-171. The certification is valid for one year, and renewal means going through the assessment again.
The second type is the r2, or risk-based, 2-year validated assessment. As the name suggests, it is fully risk-based and well established: it has been in use for about a decade and is considered the most rigorous because deeper assessment and evaluation are involved.
An r2 can evaluate 2,000 or more requirement statements. Scoping factors (organization type, size, systems and regulatory obligations) determine which controls are in review, so it is more flexible than the i1. It draws on many sources, including HIPAA, NIST, PCI DSS and others.
The r2 certification is valid for two years, with an interim assessment required after the first year. You can lose the certification if a security breach affecting the assessed environment occurs after certification. Security policies and practices should also remain stable throughout the validity period; a major change to the in-scope environment can invalidate the certification.
The process is long. It is not something you wake up one morning and have. Depending on the size of the business and the processes in scope, it can take six to nine months just to get ready for the assessment.
That time goes into readiness and remediation work. Beyond that, validation of the assessment (assessor fieldwork plus HITRUST quality assurance) can take three or more months. These timelines are not fixed and differ between the two certification types: an i1 is simpler than an r2, so expect to spend more time on an r2. Many consider the r2 comparable in effort to a SOC 2 audit, a widely used industry attestation.
You are not HITRUST certified until a validated assessment has been performed. These assessments are not done by just any auditor; the organization must engage an authorized external assessor firm. The assessor's role is to review the evidence from the self-assessment and then dig deeper into the security processes in place.
The assessor will also explain how to document the controls, reflect them in policy, verify the controls and capture the logs that should be part of the assessment report. Depending on the data in scope and the scale of the assessment, two or more assessors may be involved.
The result of the HITRUST assessment is recorded in the assessment report, prepared by the assessor and reflecting their findings on the entity's security controls. HITRUST reviews this report during its quality-assurance process before issuing the certification.
Obtaining HITRUST Certification
The process starts with a thorough self-assessment, also called a readiness assessment, and it is best done with the assessor's help. By self/readiness assessment we mean a careful examination of the security controls in place, checking whether they align with the controls the CSF requires.
The readiness assessment is internal work, but the validated assessment that follows must be performed by an independent third party. Make sure the assessor you hire comes from a HITRUST Authorized External Assessor organization (referred to here as a HEAO); that is what guarantees transparency and result quality.
Once the readiness assessment is done, the next step toward certification is to engage the HEAO for the validated assessment. It gives you clarity on the remaining control gaps, and its results are submitted to HITRUST.
During the assessment you will use HITRUST's MyCSF tool for documentation and self-assessment. Use only the tooling HITRUST recognizes for the task. MyCSF is available on a subscription basis or as a report-only purchase (a CSF Report). Subscription is the costlier option but gives you the tool for the whole year.
With the report-only option you get access to the tool for a single assessment, for up to 90 days. It is a much more affordable choice than a subscription.
The HITRUST assessment produces a score. CSF scoring differs from PCI or HIPAA in that you need a passing score in each of the 19 domains rather than a single overall pass.
The passing score is 3 on a 5-point maturity rating scale, which is a demanding bar. To claim certification, an organization has to score 3 or more in all 19 domains. Where individual requirement statements fall short, the gaps are tracked in corrective action plans that HITRUST monitors. The scores and supporting evidence must be submitted to HITRUST by the independent assessor; if the evidence is inadequate, HITRUST can withhold or withdraw certified status.
One notable feature of CSF scoring is inheritance: you can inherit scores from third-party providers. For example, if you run on an already-certified cloud service provider, you can rely on its certified controls for domains such as physical security or parts of access control and encryption. The provider manages those controls for you as its customer, and its assessed results carry over into your assessment.
If you want the certification, the assessor's fieldwork must be completed within 90 days of starting it. Plan your resources accordingly.
How Much Does It Cost?
It is not a cheap certification.
A HITRUST seeker faces multiple expenses: assessor fees, HITRUST's own fees, the MyCSF tool, and report-preparation services.
As mentioned above, there are two ways to get MyCSF. The report-only option keeps your expenses lower; the subscription option makes certification costlier. The fee you pay the external assessor also varies, in general from $30K to $250K.
The range is so wide because it depends on the engagement length and the type of assessment. An r2 can cover 2,000 or more requirement statements, and assessors charge more for it.
There is no fixed cost. The size of your organization and the amount of data you handle are the main determinants. As a rough estimate, total HITRUST cost can run anywhere from $50,000 to $200,000. Even at the higher end it is worth considering, because the assessment helps you reach the most competitive standards in the industry.
Steps To Prepare For The HITRUST Assessment
Succeeding demands a strategic approach. The process becomes much easier to follow if you prepare the right way.
Strategic steps you can follow:
- Appoint a project coordinator so that one responsible person sets goals and tracks the progress of the assessment.
- Define the project structure and quality standards clearly to avoid problems later.
- Hire an expert. Pick someone from a HITRUST Authorized External Assessor organization to get quality service.
- Keep senior management updated about the HITRUST assessment and make sure they understand its importance.
- Set realistic goals. There is no point in goals that sound impressive but are not achievable.
- Make sure the project has a well-defined objective that the rest of the team will follow.
- Plan thoroughly and set a timeline based on the assessments you are going to conduct, giving each one enough attention.
- Build a culture of open communication so that team members can raise concerns about the assessment without hesitation.
- Keep thorough documentation and an evidence repository. Collect notes on the HITRUST CSF requirements so that you avoid preventable failures.
- Test systems at regular intervals to confirm that the tools and controls you rely on are working as intended.
- Since the assessment fieldwork window is 90 days, use a tracker to make sure you finish within the timeline.
The kind of data the healthcare industry handles leaves no room for leniency. Data transmission, storage and processing all have to be done with risk minimized. Many compliance regimes exist to ensure that. However, their combined rules can seem overwhelming.
HITRUST is the most practical route to becoming a dependable vendor or service provider in the healthcare domain. This guide has explained it in detail. If you belong to this industry, or to any business that handles sensitive user data, start working toward HITRUST certification.