The HITRUST Organization And Divisions
The Health Information Trust Alliance (HITRUST) is a private organization with both a for-profit arm (HITRUST Services Corp) and a not-for-profit arm (HITRUST Alliance).
The HITRUST governing board, its Executive Council, is made up of representatives from major healthcare and insurance organizations that share a common interest in ensuring that organizations throughout their supply chains maintain robust security and privacy controls.
The HITRUST Common Security Framework (CSF)
The CSF outlines a set of specific, or “prescriptive”, controls designed to help you meet requirements across numerous frameworks. HITRUST harmonizes requirements from a number of other security and privacy standards, offering a more unified approach to meeting compliance across multiple frameworks at one time. Sources from which the CSF draws include HIPAA, NIST (SP 800-53 and the Cybersecurity Framework), ISO/IEC 27001 and 27002, PCI DSS, the FTC Red Flags Rule, and ISACA COBIT.
Benefits of HITRUST Compliance
Best Practices for Your Organization
Achieving HITRUST compliance involves key organizational steps in risk and vulnerability management that are foundational to building a strong cybersecurity program based on best practices:
- Identify and define your organization’s cyber risks.
- Specify which controls are needed to address these risks.
- Implement the specified controls to address your organization’s risks.
- Assess the efficacy of the controls you have implemented.
- Report the measured efficacy of your security controls.
Accomplishing these milestones benefits you beyond HITRUST itself, because it also prepares you to meet the requirements of other frameworks. The NIST Cybersecurity Framework (NIST CSF), PCI DSS, HIPAA, HITECH, and ISACA COBIT, for example, overlap substantially with HITRUST, so satisfying one leaves you well prepared to demonstrate compliance with another.
Optional Compliance Demonstrates Due Diligence as a Differentiator
Some cybersecurity or privacy requirements are mandatory if your business model includes collecting, handling, or storing certain protected datasets, such as HIPAA (for protected health information) or PCI DSS (for payment card data). Others, such as HITRUST CSF certification, SOC 1, 2, and 3 attestations, or alignment with the NIST CSF, are voluntary; they exist to assure the people you do business with that you have taken key steps to protect sensitive data from unauthorized access. The more independent validations of your security posture you can provide to prospective clients, partners, or investors, the more confidence they have that their investments and supply chains will be secure.
Broad Scope Of Cybersecurity Protections
When evaluating additional, voluntary frameworks with which your organization wishes to comply, one of your key criteria should be how broadly the framework benefits your overall security posture.
In other words, you won’t be focused only on protecting a single dataset, but on improving all of your systems, practices, and policies. The HITRUST CSF will assist you with:
- IT Governance
- Risk Management
- Access Control Management
- Information Security
- Human Resources Security
- Data Flow Documentation for Information Security
- IT Asset Management
- Physical Security Around Your Digital Assets
- Communications Management
- Business Continuity
- Incident Response
- Privacy Practices
Prescriptive Versus General Requirements
When it comes to implementing cybersecurity controls, the first thing you will need to do is build a business case for the effort. This is made simpler when you can point to security validations as a differentiator (see “Optional Compliance Demonstrates Due Diligence as a Differentiator” above) in the course of sales or investment conversations. However, you still need to demonstrate to your board that the methods you have chosen to invest in to meet specific requirements are, indeed, the best course of action.

In the case of very general requirements that simply ask you to implement “appropriate measures”, you are left with a subjective judgment call. What one subject matter expert believes is the best way to protect a given dataset, or meet a given requirement, may differ from how the next professional would approach the same issue.

With what compliance experts call a “prescriptive” framework, you know exactly what you need to do in order to comply. Whether that means network segmentation, air gapping, encryption, tokenization, or simply training teams in best practices, you will not have to guess. This enables you to discuss specifics with your leadership and board members, pointing to particular requirements that you will meet with specific initiatives or technologies. Note that prescriptive does not mean one-size-fits-all: the HITRUST CSF tailors which implementation requirements apply to you based on organizational and system risk factors, so the exact set of controls in scope is determined during scoping rather than being identical for every organization.