The HITRUST CSF draws from 17 different information security frameworks (such as ISO27001/2, NIST 800-53 and PCI-DSS), removes duplicate and overlapping controls, and synchronizes them into one overarching framework that is both prescriptive and measurable. The CSF contains 13 Control Categories comprising 42 Control Objectives and 135 Control Specifications. These include specifications for managing both physical and logical access, authentication of end-users, asset management and personnel security. The specifications are based on best practice and scale according to the type, size and complexity of the organization applying them. For example, a 10-person clinical practice that might lack expertise and resources may only use a self-assessment to establish how well it is protecting patient data, whereas a larger insurance provider may opt for independent certification of each of its data centers. The choice of how to use the CSF is left up to the organization using it.
HITRUST in Practice
To ensure consistent application of the CSF across organizations, the HITRUST Alliance has created the HITRUST CSF Assurance Program — if the CSF is the heart of HITRUST, the CSF Assurance Program is the brains. It offers a practical mechanism for validating an organization’s compliance with the framework, and it provides a way for organizations to decide which of its healthcare ecosystem partners is trustworthy enough to share Protected Health Information (PHI).
The Program specifies common requirements, methodology and tools that enable healthcare organizations and their business associates to take a consistent approach to managing compliance and to assess and report against multiple sets of requirements. The approach typically progresses through three phases: a Self-Assessment Phase, a Validation Phase and a Certification Phase.
The Self-Assessment Phase proceeds as its name implies. Organizations fill out a series of online questionnaires that help them baseline their security program. In the Validation Phase, a HITRUST assessor works with an organization to review more substantive evidence of compliance beyond the questionnaires. The most rigorous phase is the Certification Phase, in which the HITRUST assessor conducts on-site controls testing that leads to submission of a certification report to the HITRUST Assurance Committee — the body that ultimately awards HITRUST Certification status to participating organizations. This independent review process removes the biases and conflicts of interest that sometimes occur with other compliance programs.
While certification is not a guarantee against a data breach, an organization that meets the criteria for achieving HITRUST Certification can be assured it is addressing and reducing risks — particularly those emerging from the adoption of EHR technology, with health data propagating amongst network-accessible cloud data centers and mobile devices. Even if an organization opts not to obtain certification, which is not a requirement, the HITRUST CSF improves security while reducing compliance costs and complexity.
For those healthcare organizations that want higher levels of assurance (validated or certified) and reporting, the best approach for implementing HITRUST is to be coached through the process by a HITRUST assessor company from the start, which reduces the time and expense of achieving certification. The assessors are rigorously screened to ensure they can competently address technical security issues such as firewall monitoring and management, audit trail logging and analysis, multi-factor authentication schemes and data encryption strategies. The screening process verifies these companies have an established process for conducting compliance audits and quality control, and are current on HITRUST developments for guiding clients through the nuances of the certification process.
As its name implies, HITRUST provides a level of trust and seal of approval. With the nation’s healthcare system undergoing a transformation, more egregious data breaches are likely to occur without a set of security controls more comprehensive and stringent than the regulations they’re meant to appease. HITRUST answers that need.