The HITRUST CSF pulls from many major pre-existing frameworks to provide a complete, certifiable security standard. Learn about the many different cybersecurity frameworks that can be incorporated into your organization’s HITRUST assessment to help streamline your approach to compliance.
Confusing. Difficult. Expensive. Overwhelming. Do you associate these words with the plethora of cybersecurity assessments available today? Many organizations are unsure of where to start and what assessments or audits will best prove to their customers that they take data security seriously.
While there are a variety of different audit options for any organization, the HITRUST CSF provides comprehensive, scalable, flexible and prescriptive solutions for organizations. By pulling from many major pre-existing frameworks and working with organizations to better understand their needs, the HITRUST certification provides a complete, certifiable security standard. Let’s first define HITRUST CSF and then take a look at the many frameworks that can be incorporated into the assessment. You’ll see how beginning with HITRUST CSF will streamline your approach to compliance!
What is HITRUST CSF?
The certification provides an integrated, prescriptive framework that works primarily with the needs of the healthcare industry in order to comply with the necessary cybersecurity standards. However, this framework can be scaled for various sizes and types of organizations in any industry and their control systems.
It also allows for the tailoring and scaling of controls with HITRUST oversight to ensure that the integrity of the systems remains intact and applications remain consistent. With a comprehensive framework for organizations of any size, system, or regulatory requirement, the HITRUST certification allows organizations to easily assess their current compliance while providing implementation requirements based on an organization’s risk factors.
What are the types of HITRUST Assessments?
HITRUST offers two methods for complying with the HITRUST CSF, each with its own benefits depending on the needs of an organization: the self-assessment and the validated assessment, which leads to HITRUST certification. They provide varying degrees of assurance based on the cost, effort level, and time required. The benefits of any type of HITRUST CSF Assessment include:
- Scalability for organizations of any size
- Understanding the current level of compliance with the CSF and areas of general risk
- Stay up-to-date on the latest security risks
- Save time on numerous compliance audits
The HITRUST CSF self-assessment is designed to be completed by an organization in order to minimize time and resources when demonstrating compliance with the CSF. The self-assessment can also be used as a stepping stone to a validated assessment. The benefits include:
- Low to medium level of effort needed to complete
- Can be quickly completed
- Lower investment in terms of budget and time
However, one of the drawbacks of a self-assessment report is that it provides the lowest level of assurance, as no validation comes from the self-assessment: it simply results in a HITRUST-issued CSF Self-Assessment report.
Validated or Certified Assessments
A validated assessment is a more rigorous assessment process with an increased assurance level, in which a third-party CSF assessor firm validates the information gathered by the organization. One of the benefits of receiving a CSF Validated Assessment is the increased assurance level it provides to the relying entity.
The process is more rigorous due to testing conducted and authorized by an external CSF assessor at the organization. A validated assessment requires a medium to high level of effort for completion, due to the rigorous testing procedures. Upon completion, HITRUST reviews the complete assessment and issues a validated report as the outcome if the organization has failed to receive a rating of ‘3’ or higher on any of the controls. If an organization receives at least a ‘3’ on HITRUST’s scale and has shown a high level of maturity, it will receive a certified assessment.
The benefits of receiving a CSF certified assessment include:
- A report that is good for two years, with an interim assessment completed at the one-year mark
- The most complete assurance level certified by HITRUST
- Results in an official certification to provide to clients, partners, etc.
A certified assessment is only earned once an organization successfully demonstrates that they are able to meet all of the controls in the CSF required for certification at the appropriate level based on organizational needs.
The HITRUST Framework & Cybersecurity Assessment Integrations
HITRUST did a great job of mapping CSF requirements to existing standards for other cybersecurity assessments. Once an organization earns HITRUST certification, they may have already covered all of the requirements for a variety of other frameworks. If your organization uses a firm (like A-LIGN) to conduct your audits, you avoid hiring multiple auditors to earn other cybersecurity certifications.
The external assessor firm has the ability to conduct multiple audits at once, de-duplicating tasks. For example, if you use an external assessor firm that handles multiple security frameworks and are working toward your HITRUST CSF, your auditor can also complete all of the tasks for SOC 2, NIST 800-53, ISO 27001, FedRAMP, PCI DSS, and many more. Starting with the HITRUST certification and treating the assessments as one data collection process, rather than as one-off assessments, will save your organization a great deal of resources, time and budget.
The HITRUST CSF & SOC 2
SOC 2 reports describe the internal controls at a service organization, based on the American Institute of Certified Public Accountants (AICPA)’s Trust Services Criteria:
- Security (Common Criteria)
- Processing Integrity
SOC 2 reports provide users with management assertions, a description of both the system and the controls, tests and the results of the tests, and the independent service auditor’s report. The SOC 2 is widely used by service organizations that provide services to other business entities.
HITRUST and the AICPA have developed a collaborative approach that aligns the AICPA’s Trust Services Criteria with the HITRUST CSF criteria. This allows licensed CPA firms that are also CSF assessor firms to issue a SOC 2 plus HITRUST report that includes both the SOC 2 criteria and the HITRUST CSF. This makes HITRUST and SOC 2 complementary services through this converged reporting model.
The HITRUST CSF & PCI DSS
PCI DSS is a payment card industry standard used to protect payment card data. Founded by the five major card brands, Visa, MasterCard, American Express, Discover and JCB, PCI DSS defines controls to enhance credit and debit card security.
HITRUST used the PCI DSS methodology in the creation of the HITRUST healthcare standard. To correctly map the two frameworks, HITRUST received input from their board of directors, who are industry experts from major healthcare organizations, to tailor the framework to the industry’s needs. The tailoring of this framework resulted in numerous factor overlaps between the two certifications, making PCI DSS easily attainable once HITRUST CSF is achieved.
The HITRUST CSF & ISO 27001/NIST 800-53
HITRUST recognizes the complex, global nature of the healthcare industry and the need for an industry-specific approach to information protection. Because of this, ISO/IEC 27001 and NIST SP 800-53 were chosen as the foundations upon which the HITRUST CSF was built, due to both being an international standard for information security.
ISO 27001 differs from the HITRUST CSF, as ISO 27001 is not control-compliance based, but is instead a management/process model for the Information Management System that is assessed. One of the key differences between NIST 800-53 and the HITRUST CSF is that NIST 800-53 does not address the specific needs within the healthcare industry. While ISO 27001 and NIST 800-53 are both beneficial frameworks to demonstrate cybersecurity standards, they are not as comprehensive as HITRUST CSF. The HITRUST certification covers many more factors than ISO 27001 and NIST 800-53, making both certifications easily attainable under HITRUST CSF.
The HITRUST CSF & FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) serves to increase confidence in the security of cloud service providers (CSPs) utilized by the federal government.
FedRAMP certification is incredibly valuable for vendors working with the U.S. government. If you are working at the state level and not truly working with the federal government, you can easily map FedRAMP requirements to the HITRUST CSF framework. Organizations that are interested in pursuing FedRAMP certification could consider adding it to their HITRUST assessment to benchmark whether they are prepared and to mature their controls as needed, but should note that adding FedRAMP to a HITRUST assessment is not the equivalent of achieving FedRAMP certification.
The HITRUST CSF & GDPR
The General Data Protection Regulation (GDPR) aims to enhance the protection of personal data of European Union (EU) residents. The GDPR not only impacts organizations within the EU, but also any organization that processes the personal data of EU residents. Failure to comply with the Articles outlined within the GDPR may not only present a reputational risk for organizations, but also the potential for the following enforcement actions:
- Restricted access to data
- EU Commission-directed data protection audits
- Fines of 4% of annual worldwide revenue
HITRUST has mapped the EU’s GDPR into the HITRUST CSF comprehensive privacy controls. By doing this, HITRUST helps its customers identify and lessen gaps and risks in their existing programs, ultimately helping them grow their cybersecurity compliance.
The HITRUST CSF & CCPA
The California Consumer Privacy Act of 2018 (CCPA) allows consumers to have more control over the personal information that businesses oftentimes collect. California consumers now have the following privacy rights:
- The right to know what information is being collected and how it will be used
- The right to delete personal information collected (with a few exceptions)
- The right to opt-out of the sale of the personal information
- The right to non-discrimination for invoking these rights
The HITRUST certification includes comprehensive privacy controls and maps back to CCPA, similar to how the HITRUST certification maps back to GDPR. The HITRUST certification will help organizations identify and mitigate gaps in their current compliance programs, allowing them to meet the growing regulatory requirements and customer expectations regarding their data usage.
While there are a variety of different audit options for any organization, the HITRUST CSF provides scalable, prescriptive solutions for organizations of any type. By pulling from major pre-existing frameworks and working with organizations to better understand their needs, the HITRUST CSF provides a complete, certifiable security and privacy standard. Are you ready to get started? The best way to set yourself up for success when it comes to a HITRUST assessment is to make the time and resource investment upfront. After all, proper planning equals HITRUST success. Before diving in, review our expert list of do’s and don’ts when getting started with your HITRUST certification.
If you have any questions or if you would like to learn more about undergoing a cybersecurity or compliance assessment, please reach out to one of A-LIGN’s experienced assessors today.