The HITRUST CSF

Sue Horn | 11/14/2017
The HITRUST CSF Framework

Data breaches are cropping up more frequently in the healthcare industry – an unsettling upward trend. For example, in 2016, Newkirk Products experienced a breach in which an unknown hacker accessed information on nearly 3.3 million patients. The vulnerability was introduced by third-party software. Third-party vulnerabilities are just one of the many areas HITRUST hopes to strengthen in healthcare organizations’ resilience.

Healthcare industry data breaches like these are not likely to subside in the near future. The IBM-sponsored Ponemon Institute “2017 Cost of Data Breach Study” estimated that the average global cost of a data breach is $141 per record. But for healthcare organizations, that average cost is much higher: $380 per record.

What can healthcare organizations do to minimize the impact of data breaches? First and foremost, they must implement appropriate information security controls. Currently, healthcare organizations face several information security challenges, including:

  • Inconsistent implementation of acceptable minimum controls
  • Differing interpretations on appropriate implementation of controls
  • Increasing regulatory scrutiny
  • Growing risk and liability, including data breaches, regulatory violations, and extortion
  • Public and regulatory concern about the increasing number of breaches in the industry
  • A rapidly changing business, technology, and regulatory environment
  • Increasing requirements from customers, business partners, and vendors

Clearly, information security is a complex process, and healthcare organizations have unique needs. The HITRUST CSF® – a security framework developed by HITRUST, in collaboration with information security experts – is a solution for healthcare organizations that want to implement a control framework. The HITRUST CSF® offers the following benefits:

  • It harmonizes existing healthcare controls and requirements from standards, regulations, businesses, and third parties.
  • It incorporates both compliance and risk management principles.
  • It defines a process for effectively and efficiently evaluating compliance and security risk, including the Health Insurance Portability and Accountability Act (HIPAA) final rule requirements.
  • It supports HITRUST CSF® Certification.

While HITRUST may be an unfamiliar name, the framework is not completely new. The HITRUST CSF® in part combines many tried and tested cybersecurity frameworks to create a “best of all worlds” framework specifically for healthcare. The framework includes controls and concepts from ISO/IEC 27001:2005 and has evolved to include:

  • HIPAA/HITECH
  • State privacy laws
  • PCI
  • COBIT
  • NIST
  • FTC
  • CMS
  • California Civil Code
  • Texas Medical Privacy Act  
  • FFIEC IT Examination Information Security Booklet
  • FedRAMP
  • Department of Homeland Security (DHS) Cyber Resilience Review

[Figure omitted: frameworks incorporated into the HITRUST CSF®. Source: HITRUST]

Organizations should not jump directly into a validated assessment; instead, they should treat the HITRUST CSF® assessment as a six-month to one-year process. The first step toward validation is for the organization to perform a self-assessment. The self-assessment gives the organization an idea of how close it is to certification before it undergoes a validated assessment. The next step is remediation. Remediation can be performed within an organization, or with the help of an experienced Approved HITRUST CSF® Assessor. Once remediation has taken place, an organization is ready for the validated assessment.

[Figure omitted: the HITRUST CSF® self-assessment, remediation, and validated assessment steps. Source: HITRUST]

An organization must choose an Approved HITRUST CSF® Assessor firm, and the validated assessment must then be completed within 90 days. The self-assessment and validated assessment processes can follow different paths, as the assessment flow below shows.

[Figure omitted: The HITRUST CSF Assessment Flow 2017. Source: HITRUST]

The HITRUST CSF® is built on tried and true frameworks that have been in use in the technology field for years. The HITRUST CSF® is the most comprehensive security framework for healthcare, and it is a message to clients and business partners that you’re serious about cybersecurity.