Q&A: How HITRUST® Can Benefit Healthcare Cybersecurity Controls

By Arshad Ahmed, CISA, CISSP, CPA; Erika L. Del Giudice, CCSFP, CRISC; and Jared R. Hamilton, CCSFP, CISSP, CCSK | 3/20/2018

The influx of technologies such as electronic health records and mobile and biomedical devices continues to add to the growing cybersecurity risks in healthcare, an industry that also faces increased cybersecurity threats from phishing and ransomware attacks. On top of that, escalating regulatory pressures related to IT security in the healthcare industry contribute to a perfect storm of cybersecurity risk.

Despite this increased focus on cybersecurity, many healthcare organizations still struggle to determine their highest security risks and priorities for addressing those risks, including meeting the demands of multiple frameworks, reporting, and processes that address both cybersecurity and compliance needs. The Health Information Trust Alliance Common Security Framework (HITRUST CSF®) is one tool that can eliminate the confusion of multiple cybersecurity frameworks and help organizations streamline compliance and reporting and benchmark their organization’s security against a robust security framework. Here, three Certified CSF® Practitioners (CCSFPs) answer important questions about the benefits of HITRUST® for healthcare IT security.

Q: How does the HITRUST CSF® benefit healthcare providers?
A: Frameworks help entities organize and manage their IT security controls. They also provide metrics for those controls, including dashboards organizations can use to track, report, benchmark, and measure performance. The HITRUST CSF® is unique in that it combines several IT security frameworks and requirements into one single framework, reducing complication and overlap. It covers multiple industry standards for IT security and includes main components from well-respected and authoritative IT security standards sources (see Exhibit 1). Covered frameworks and processes include Control Objectives for Information and Related Technologies (COBIT), Health Information Technology for Economic and Clinical Health (HITECH) Act requirements, ISO 27001/2 standards, payment card industry (PCI) regulations, Health Insurance Portability and Accountability Act (HIPAA) rules, meaningful use and Merit-Based Incentive Payment System (MIPS) requirements, and state laws.

Incorporating compliance and risk management principles, the HITRUST CSF® defines a process to effectively and efficiently evaluate compliance and security risk. The framework’s comprehensive nature helps organizations communicate the state of their cybersecurity controls to other organizations, such as third-party vendors. With an option to achieve HITRUST CSF® certification, the framework also gives organizations a tangible way to show patients, clients, and vendors that the organization complies with cybersecurity rules and has strong controls in place to protect sensitive data.

Q: What is included in the HITRUST CSF®?
A: The HITRUST CSF® is made up of several building blocks. The current version of the HITRUST CSF® includes 14 control categories – 13 related to security and one related to privacy. These control categories are broken down into 46 control objectives and individual controls an organization implements at varying levels.

Controls within the categories and objectives are tied to 19 assessment domains, which help organizations assess how they are performing in specific cybersecurity categories:

  • Information protection program
  • Endpoint protection
  • Portable media security
  • Mobile device security
  • Wireless security
  • Configuration management
  • Vulnerability management
  • Network protection
  • Transmission protection
  • Password management
  • Access control
  • Audit logging and monitoring
  • Education, training, and awareness
  • Third-party assurance
  • Incident management
  • Business continuity and disaster recovery
  • Risk management
  • Physical and environmental security
  • Data protection and privacy

The HITRUST CSF® version 9 also features more than 1,600 requirement statements organizations can review to determine if they have successfully implemented various cybersecurity controls. The number of requirements changes based on the scope of the individual organization’s controls.

In addition, the HITRUST CSF® features multiple implementation tiers. Tier levels are based on factors including the organization’s type and size and what kinds of technology the organization uses. Therefore, framework implementation looks unique for each organization. For example, a 10-hospital healthcare system would need to implement security controls in a manner different from how a startup healthcare technology company with 10 employees would do so. Both can use the HITRUST CSF® but would implement the security controls at different levels.

Q: How can an organization get started with implementing the HITRUST CSF®?
A: These are some steps healthcare organizations can follow to begin using the HITRUST CSF®:

  • Align the organization with a chosen framework to establish a baseline for the controls it will be required to implement.
  • If the organization qualifies, download the framework free of charge from the HITRUST® website.
  • Assemble an internal HITRUST CSF® project team consisting of staff members from departments such as business, IT, finance, and legal.
  • Become familiar with the HITRUST CSF® and purchase a MyCSF® subscription for a self-assessment or validated assessment.
  • Define the organization’s assessment scope (which is different for each organization and is based on unique variable risk factors).
  • Decide on assessment type (self-assessment or validated assessment) and reporting type.
  • If the organization is pursuing a HITRUST CSF® certification, work with an approved HITRUST CSF® Assessor to complete assessment testing and validation and to submit the assessment to HITRUST® for certification.

The self-assessment option is a way for organizations to conduct an internal review of cybersecurity controls. Organizations score themselves against a baseline set of requirement statements and may, but are not required to, submit the self-assessment to HITRUST®. Optionally, the self-assessment can then be transferred into the validated assessment object, which the organization submits to an approved HITRUST CSF® Assessor for validation. The HITRUST® validated assessment option is a higher degree of testing that requires organizations to either submit the self-assessment or fill in the validated assessment and submit it to an approved HITRUST CSF® Assessor for validation. Once the validation is completed, the assessor submits the assessment to HITRUST® for review and reporting – the result being either a validated report or a validated report with certification.

The HITRUST CSF® certification is good for two years. At the end of the first year, an approved HITRUST CSF® Assessor firm needs to conduct an interim assessment of the organization’s compliance to determine if controls are still in place, how the organization is progressing with any corrective action plans identified in the initial assessment report, and whether there have been any changes in scope that need to be tested. Organizations are encouraged to share their final reports with customers to signify they have good cybersecurity controls in place.

Q: Where can a healthcare provider turn for assistance?
A: Adopting the HITRUST CSF® and achieving a HITRUST CSF® certification are significant undertakings. Many organizations simply do not have the staff members and time required to complete this work without assistance. An approved HITRUST CSF® Assessor firm can provide valuable input and help organizations with the entire process, from setting up a HITRUST MyCSF® subscription to completing a self-assessment, testing internal controls, and completing a validated assessment with the goal of eventually achieving HITRUST CSF® certification.

With the significant cybersecurity threats facing healthcare organizations today, it is important that organizations can demonstrate to internal staff and external customers that they are taking IT security seriously. Achieving HITRUST CSF® certification is a tangible way to show that cybersecurity is a top priority in this new era of healthcare.

Contact us

Arshad Ahmed, Partner, SOC Services Leader
Erika L. Del Giudice, Principal, IT Assurance Services