HITRUST: Cybersecurity for Healthcare and More

By Robert Godard, CPA, CISA, HITRUST-CCSFP, Principal, I.S. Partners, LLC’s Business Process/Advisory Services
Twitter: @ISPartnersLLC

Data security is a hot topic across industries, and with the growing threats to data, the need to protect sensitive information keeps rising. However, the discipline of data security remains fragmented: organizations juggle many overlapping standards and frameworks, each with its own control language and assessment process.

Organizations now have an industry-wide framework that can be used to implement these protections across the board. While it was originally designed to manage regulatory compliance and risk for the healthcare industry, the HITRUST CSF® is leading the way towards bringing regulatory requirements for cybersecurity under one umbrella. Organizations outside of the healthcare industry have taken notice, and their adoption has helped expand the framework into other industries. These include Google, Marriott, AT&T, Amazon, Microsoft, Salesforce, and others. It is now being widely applied within the retail, financial services, travel, and hospitality industries.

With each new updated version released, the HITRUST framework further unifies requirements across industries.

What Is the HITRUST CSF?
HITRUST CSF is a flexible, certifiable information security framework that provides organizations with a comprehensive and efficient approach to regulatory compliance and risk management. Developed in collaboration with information security professionals across various industries, the HITRUST CSF brings relevant regulations and standards into a single overarching security framework. These include:

  • HIPAA. The Health Insurance Portability and Accountability Act of 1996, or HIPAA, was enacted “to publicize standards for the electronic exchange, privacy and security of health information.” Those covered by HIPAA include health plans, healthcare providers, healthcare clearinghouses, and business associates whose personnel have access to protected health information.
  • HITECH. Enacted as part of the American Recovery and Reinvestment Act of 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) promotes the adoption and meaningful use of health information technology for the electronic transmission of healthcare information.
  • PCI DSS. The Payment Card Industry Data Security Standard (PCI DSS) has become intertwined with the healthcare industry because payment cards are a frequent means of payment for patients. Mapping PCI DSS requirements within the HITRUST CSF lets organizations that handle cardholder data see how that compliance fits alongside patient security and privacy, and assess both in one effort.
  • COBIT. Created in 1996 by ISACA, Control Objectives for Information and Related Technologies, or COBIT, is a good-practice framework for IT management and governance.

By using the HITRUST CSF as a practical guide, IT professionals can clearly track progress towards compliance with these many standards and regulations, as well as others such as NIST publications and FTC requirements. Applying the HITRUST CSF framework can also help with SOC 2 reporting, since the CSF and the AICPA Trust Services Criteria (formerly the Trust Services Principles) for Security share many of the same elements.

What Is the Advantage of Using HITRUST for Risk Assessment & Attestation?
By unifying these frameworks, HITRUST now works for organizations of all sizes and industries. For companies that have interests beyond healthcare, the HITRUST CSF consolidates different security frameworks to make the compliance process clearer and more efficient. Scalable in nature, it can cover all types of sensitive data and present the results in one comprehensive report.

Because the HITRUST CSF is both risk- and compliance-based, organizations can tailor the security control baselines based on a variety of factors including organization type, size, systems, and regulatory requirements.

How Has the HITRUST Cybersecurity Framework Improved?
HITRUST is dedicated to making HIPAA compliance simple and straightforward. Because the framework is constantly improved and updated, businesses that use the HITRUST approach can consistently demonstrate that recognized security measures satisfying HIPAA's requirements are in place.

For example, HITRUST CSF Version 8 integrated the Trust Services Principles and Criteria for security, confidentiality, and availability laid out by the American Institute of Certified Public Accountants (AICPA), which are closely associated with SOC 2 reporting. This update also strengthened requirements to provide a consistent, managed means of de-identifying data, along with easier sharing of information and compliance needs among key entities and stakeholders. Since no single approach is ideal for all organizations, the flexible framework guides IT professionals in assessing controls, risks, and potential outcomes for secure decision-making.

Control language in these early versions focused on ePHI and the healthcare industry. HITRUST CSF version 9.2, released in 2019, expanded the applicability of HITRUST to other industries by making it possible for non-healthcare organizations to remove ePHI and healthcare-specific language. It also added data protection requirements from Europe's General Data Protection Regulation (GDPR) and Singapore's Personal Data Protection Act (PDPA), and reworded the control language to cover all types of sensitive data, allowing for wider adoption across industries. This gives organizations in any industry a way to gain assurance over their information security and privacy practices.

These changes and updates from HITRUST can strengthen vendor relationships and vendors' commitment to security. They provide a well-defined and consistent risk management framework for benchmarking your organization's cybersecurity program, both internally and against other organizations in your industry. When your organization is well-equipped to evaluate vendors and suppliers, it protects both your organization and the third-party vendors already in the supply chain.

HITRUST CSF v9.3 introduced new requirements to address the California Consumer Privacy Act (CCPA). The CCPA was passed in 2018 and went into effect at the beginning of 2020. HITRUST CSF v9.3 specifically addresses data access requirements, including the protection, transmission, and storage of consumer information. It also helps organizations determine when the CCPA applies to their operations and when particular requirements do not. This version adopted more requirements that affect multiple industries, providing a more comprehensive, unified framework and set of best practices for data privacy and security compliance beyond healthcare.

The latest version of the framework, v9.5, was released just this month; it was designed to better support HITRUST compliance and reporting for HIPAA regulations.

Ongoing updates aim to build stronger data protection for every industry with an established and highly recognized framework and assessment methodology that works.

Why Is HITRUST Certification Important?
Today, HITRUST is a widely recognized framework of compliance standards. It aims to provide the clearest, most streamlined path to security compliance for all types of business. In practice, that means organizations can meet regulatory standards and demonstrate compliance with one validated assessment, instead of a separate assessment for each new piece of legislation or industry standard that is introduced.

The HITRUST CSF certification process is important for demonstrating an organization's commitment to data security as well as the maturity of its information risk management practices. Certification helps organizations show leadership to current and potential customers, partners, and vendors, gaining trust and a reputation for being a forward-thinking organization that cares about protecting data.