What is HITRUST?
HITRUST, the Health Information Trust Alliance, is one of the most prominent accreditation organizations in the healthcare industry. Healthcare is a top target for attackers because of the wealth of patient data it holds and the large number of integrated technologies it runs. In 2018 alone, there was at least one healthcare breach a day, and 15 million patient records were lost.
The Health Insurance Portability and Accountability Act's (HIPAA) Security and Privacy Rules mandate "reasonable and appropriate" protection of healthcare data, but they do not specify a way for organizations to prove compliance.
HIPAA compliance quickly became an obstacle for healthcare companies. In 2007, a committee of security professionals from various healthcare organizations came together to form the Health Information Trust Alliance (HITRUST). The organization had a single goal: to standardize the security controls around electronic protected health information (ePHI) and so create a verifiable path to HIPAA compliance.
The HITRUST CSF
Since 2007, HITRUST has carefully selected and assessed controls from federal and industry best practices that support HIPAA's information protection requirements, funnelling them into a certifiable control framework known as the HITRUST CSF.
The HITRUST CSF is now the most widely adopted framework in the U.S. healthcare industry; more than 80 percent of hospitals and health plans have adopted the CSF as a resource or as the basis for their overall security program.
HITRUST wanted to give healthcare organizations guidance on how to apply security controls to meet HIPAA's requirements. The alliance recognized the need for one unified, consistent approach to applying security in a global marketplace with varying data protection standards.
As a result, ISO/IEC 27001 was chosen as the HITRUST CSF's foundation, as its high-level controls are designed to suit any organization, in any industry, and any country. The HITRUST CSF builds on this foundation with each new release, moving towards its promise of One Framework, One Assessment by encompassing requirements from multiple standards and regulations, such as HIPAA, HITECH, PCI, ISO/IEC, COBIT, SOX, NIST, and GDPR.
HITRUST has quickly become the gold standard in healthcare and other industries for assessing and reporting on information security risk and compliance. HITRUST is an excellent option if your organization needs to comply with HIPAA but also needs third-party validation to show that it has been audited and has met the applicable security requirements.
Also, HITRUST Certification carries the following benefits to an organization in any industry:
Requirements of HITRUST
The HITRUST CSF can be broken down into three main parts: controls, implementation levels, and requirements. The release of HITRUST CSF v9 increased the number of controls required for HITRUST CSF Certification from 66 to 75. Each control has three implementation levels, each with its own requirements, and each level builds on the requirements of the level below it. By design, HITRUST is more stringent than other frameworks, and the requirements in scope for an assessment can number in the hundreds.
HITRUST CSF Certification
There are five steps to the HITRUST CSF® Certification process. NCC Group works with organizations through each of the five steps, which on average take between six months and a year to complete, depending on your organization's level of readiness and the measures needed to implement the appropriate controls. The steps are as follows:
Step 1: Scope
Download the HITRUST CSF to learn more about the framework and its controls, then define which systems, locations, and data flows are in scope. The aim is to avoid taking on more requirements than your organization needs, or conversely too few. Accurately defining scope is the single best way to reduce the time and cost of your journey to HITRUST CSF Certification.
Step 2: Access MyCSF
Contact HITRUST to gain access to the HITRUST MyCSF® tool. From there, you can create an assessment based on your previously defined scope and upload your existing policies and procedures to evaluate them against the assessment's HITRUST CSF control requirement statements. Purchasing an annual subscription to HITRUST MyCSF has numerous benefits, including reducing duplicated effort between the self-assessment and the validated assessment.
Step 3: Self-Assessment
This step is entirely internal, but engaging an assessor allows for a facilitated self-assessment. The assessment includes document reviews, scoring, control descriptions, and, of course, identification of gaps along with recommendations for closing them. HITRUST also offers a HITRUST CSF Self-Assessment Report, which documents the findings in an official report that can be used to give assurance to customers.
Step 4: Validated Assessment
When you are ready to begin your HITRUST CSF Validated Assessment, your organization will either reuse the previously scoped and generated assessment or create a new one, depending on your HITRUST MyCSF access level.
NCC Group will not begin validation until all safeguards have been in place and operating effectively for at least 90 days. From there, it takes approximately 90 days to complete testing, sampling, and validation of the controls before the assessment is submitted to HITRUST.
HITRUST requires NCC Group to perform a thorough QA of every validated assessment before submission. We have generally seen our clients' control sets start at around 300 requirements on the low end and run to over 600 for more extensive projects. A HITRUST CSF Validated Assessment that does not meet the scoring requirements for HITRUST Certification is issued a HITRUST CSF Validated Report instead.
Step 5: Ongoing Testing
HITRUST CSF Certification is valid for two years, after which a full re-validation must be undertaken. An interim review is required one year after validation.
Difference between HITRUST and HIPAA
HIPAA is legislation created by lawyers and lawmakers; HITRUST is a framework created by security industry experts that incorporates HIPAA's requirements.
The HITRUST CSF gives organizations a way to demonstrate compliance with HIPAA-mandated security controls. HITRUST takes HIPAA's requirements and builds on them, incorporating them into a framework based on security and risk.
According to HHS, the HIPAA Privacy Rule requires covered entities to apply appropriate administrative, technical, and physical safeguards to protect the confidentiality of protected health information (PHI) in any form.
This means that covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information.
HITRUST provides measurable criteria and objectives for implementing appropriate administrative, technical, and physical safeguards. HITRUST does not replace HIPAA compliance or prove that an entity is HIPAA compliant, but it is widely accepted as a sound approach to demonstrating it.