The first version of the Health Information Trust Alliance Common Security Framework (HITRUST CSF) was released in March 2009. It was developed to give healthcare organizations a framework devoted specifically to protecting protected health information (PHI) and electronic PHI (ePHI), while still allowing for the adoption of health information systems and exchanges. The CSF incorporates security controls and requirements drawn from multiple standards and regulations, plus some unique to HITRUST, into a certifiable set of controls that scales according to the type, size, and complexity of the organization and its systems. The requirements are harmonized into a single control set, and each control is mapped back to its sources, so evidence gathered for one control can be reused for every standard or regulation that control satisfies. Because the CSF control set is both comprehensive and prescriptive, implementing it lets an organization address multiple compliance initiatives on the basis of a single assessment rather than one audit per standard.

The HITRUST CSF includes 14 control categories, 49 objectives, and 149 control specifications (each of which may contain multiple levels of control components). At least 64 of these control specifications must be in place and operating effectively for an organization to become HITRUST certified.
HITRUST offers a self-assessment option for organizations that want to conduct an assessment internally. However, organizations are well served by engaging a qualified CSF assessor organization, such as Interactive Security, to identify the strengths and weaknesses of their information security program and to recommend how to address any gaps found.
Standards and regulations whose requirements are incorporated into and mapped by the HITRUST CSF include:
- HIPAA Security Rule
- Payment Card Industry Data Security Standard (PCI DSS)
- Control Objectives for Information and Related Technology (COBIT)
- National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)
- International Organization for Standardization (ISO)
- Federal Trade Commission (FTC) Red Flags Rule
- Centers for Medicare and Medicaid Services Addressable Risk Safeguards (CMS ARS)
- State requirements
- Multiple other standards
Organizations that handle PHI or ePHI and can benefit from a HITRUST CSF assessment include:
- Health plans / insurance plans
- Hospitals and medical facilities
- Doctor's offices
- Health information exchanges
- Biotech companies
- IT service providers (data centers, etc.)
HIPAA and HITRUST assessments share the common objective of safeguarding healthcare information and ePHI. Performing a security assessment against the HIPAA Security Rule controls and addressing the resulting audit recommendations can evidence an organization's compliance with HIPAA requirements. However, the HIPAA Security Rule was written to apply to organizations ranging from a small clinic to a large hospital chain, so its requirements are deliberately general rather than prescriptive. As a result, judging what is sufficient to be HIPAA compliant is subjective unless the organization also measures itself against a more detailed control set, such as an ISO- or NIST-based assessment.
The HITRUST assessment and certification process is more prescriptive and risk-based: requirements are adjusted to the specific risks of the organization and focus on the common causes of information breaches within the healthcare industry. The HITRUST approach also accounts for compliance with other regulations, allowing organizations to take a comprehensive approach to meeting both compliance and information security objectives. The CSF's implementation specifications scale according to several key factors (the type, size, and complexity of the organization and its systems), which allows organizations of varying sizes to use the CSF as a guide to developing an effective approach to information security. In short, HITRUST is a certifiable framework that incorporates and maps the requirements of existing frameworks, standards, and current regulations, while taking an efficient, risk-based approach to information security and the protection of ePHI.
HITRUST Security Assessment and Certification
Are you wondering about your organization's data risks and in need of a current HITRUST Security Assessment and Certification? Contact the Interactive Security team at 267-396-8166. We can help you understand the specific steps your organization needs to take to achieve HITRUST certification.
"Interactive Security is a highly valued external security auditor and adviser to the Judge Group. Easy to work with, professional and can always be relied on to deliver results no matter the size or scope of the project. I strongly recommend Interactive Security as a go to security partner."
"Interactive Security provides clear and concise directions on information needed in order to provide accurate reports in a timely fashion. The staff is efficient and friendly thereby providing services in a cost-effective manner which is an obvious benefit. Communications or concerns are responded to in a timely manner as well. I would highly recommend their services and have done so on numerous occasions."
"Interactive Security gets the job done! Shawn knows how to communicate at all levels of our organization, from Executive to Staff, which has greatly contributed to successful strategic and tactical decisions associated with maintaining our PCI compliance certification. Not just a QSA, but a partner that is always willing to pick up the phone and answer my questions."