HITRUST CSF BLOG PART 1

By Fairuz Rafique 

The Healthcare Information Trust Alliance (HITRUST)™ was formed in 2007 with the goal to provide a means for organizations to protect healthcare information in a streamlined and systematic method that was conducive of a successful cybersecurity program. As a result, HITRUST developed the Common Security Framework (CSF)®, for organizations to incorporate a comprehensive risk management framework in environments with complex business and regulatory considerations. It allows organizations that create, access, store, or exchange Protected Health Information (PHI) a means to systematically protect the PHI per multiple industry guidance, directives, laws, regulations, frameworks and standards.

HITRUST CSF has a highly successful track record in relevance in the healthcare vertical. The framework is dynamic and has been designed for adoption across multiple industry verticals. To date, the HITRUST CSF has been successfully adopted by numerous industries outside of healthcare and continues to be adopted by diverse organizations. Further, HITRUST continues to scale globally as a major cybersecurity framework, particularly in the Asia Pacific region. (Source)
 
How does it compare to other frameworks?
In order for HITRUST CSF to have global applicability, the framework leveraged the well-known ISO/IEC 27001: 2005 and ISO/IEC 27002:2005 standards. In addition, the HITRUST CSF provides comprehensive coverage by incorporating multiple healthcare information security-related regulations, standards, and frameworks such as:

• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health Act (HITECH)
• ISO/IEC 27799:2008 Health Informatics (guidance for information security management for healthcare organizations using ISO/IEC 27002:2005)
• National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)
• Control Objectives for Information and related Technology (COBIT)
• Payment Card Industry (PCI) Data Security Standard
• State requirements (e.g., Nevada, Massachusetts, and Texas)
• Experiences and best practices of HITRUST participants (Source)

 
The Department of Homeland Security identifies Healthcare and Public Health as a critical infrastructure sector of the United States, and the United States Department of Health and Human Services (HHS) is tasked by DHS to coordinate critical infrastructure security and resilience activities for the sector. To help provide guidance to agencies, regulators and the private sector, the DHS published the Healthcare Security Cybersecurity Framework Implementation Guidance in which HITRUST CSF is cited as a ‘model’ implementation of the NIST Cyber Security Framework (CSF) (Source). 
 
The following diagram provides an overview of the various frameworks, regulations and directives pertinent to the healthcare sector and how the HITRUST CSF attempts to provide a comprehensive risk management framework that addresses the numerous authoritative sources.
 

Source – Healthcare Sector Cybersecurity Implementation Guide, DHS

Who needs HITRUST CSF certification?
In any industry vertical, business relies on a list of critical players forming a supply chain. Vendors, contractors, distributors, hospitals, clinics, service providers, and insurance providers are just a few of the players that form a healthcare supply chain. These businesses have numerous needs and business functions that require them to handle sensitive data such as:

• Protected healthcare information (PHI)
• Electronic medical records (EMR)
• Cardholder data
• PII
• Trade secrets

 
If your organization handles any of these types of information, the HITRUST CSF can be leveraged as a means to protect it. Oftentimes, organizations will elect to undergo a HITRUST CSF assessment in hopes of achieving the HITRUST CSF certification. Keep in mind, the HITRUST CSF is a comprehensive framework and the certification process is arduous – organizations with serious needs and serious business implications chooses to undergo the HITRUST CSF certification.
 
A total of four HITRUST CSF assessments are offered, each with its own objective. They are:

• Readiness Assessment
• Validated Assessment
• Targeted Assessment
• Customized Assessment.

 
Organizations that do not have a mature cybersecurity program are recommended to first perform a readiness assessment. The readiness assessment can be completed by your internal security personnel or trusted cybersecurity partner. The results of the assessment will provide you critical insight into all the gaps you will need to remediate prior to being ready to undergo a validated assessment.
 
How to Prepare
Organizations that may be contemplating the HITRUST CSF certification will need to focus on developing and implementing the basic cybersecurity requirements found across frameworks. At a high level, these practices include:

• Establishing policies and procedures
• Maintaining an automatically updated asset inventory
• Monitoring ingress and egress network traffic
• Maintaining and analyzing system and security logs
• Access controls and account management
• Developing a comprehensive incident response plan
• Performing system backups and testing restorations
• Establishing a change control process and performing patch management
• Establishing clearly defining roles & responsibilities of management and security personnel

This list above is not all inclusive and readers are advised to seek guidance from previously established frameworks and supporting guidance. A total of 19 control domains establishes the foundation for the HITRUST CSF, and they are illustrated below:

During the certification process, auditors/assessors(?) will attempt to uncover deficiencies in control domains, or “control gaps”. In the event that control gaps are identified during the assessment process, your organization will fail to achieve the HITRUST CSF certification as a HITRUST CSF certification is only awarded when controls have deficiencies considered to be “acceptable”. These deficiencies are recorded and categorized into corrective action plans that must have evidence of ongoing improvement.. More about corrective action plans tolerated for awarding a certification will be covered in Part 2 of this blog. Keep in mind that the validated assessment is the only assessment type offered by HITRUST that generates the following:

• A HITRUST CSF validated report
• A NIST CSF report
• HITRUST CSF Certification

 
About EmberSec
EmberSec (A By Light Company) is an accredited HITRUST CSF 3PAO and has a track record in being uniquely familiar with the HITRUST CSF process. Our past projects allow us to have an unique perspective with the HITRUST CSF assessment process. We have proven leadership in successfully partnering with clients as their HITRUST CSF 3PAO in performing their validated assessment and annual interim assessment.
 
In each case, our clients were able to successfully:

• Achieve their HITRUST CSF certification following a validated assessment; and
• Maintain their HITRUST CSF certification following an annual interim assessment.

 
We will be happy to extend this insightful leadership to your HITRUST CSF certification objectives as you seriously consider on taking your cybersecurity program to the next level.