
What is the HITRUST Framework?

Most people don't realize that HITRUST is not a framework at all, but an organization made up of healthcare industry leaders. Let's dive into the HITRUST CSF framework, developed by the HITRUST organization in partnership with other technology and information security leaders.

What is a common security framework?

A common security framework is a set of policies and procedures that guide the development, implementation, and management of an organization's security. Common security frameworks are often used to improve an organization's security posture and to aid organizations in meeting regulatory requirements and maintain compliance with various regulations and standards.

What is the HITRUST framework?

The CSF, currently in version nine, is a certifiable framework that encompasses and harmonizes several other compliance frameworks and standards, including HIPAA, HITECH, PCI, ISO/IEC, COBIT, NIST RMF and varying state requirements. Privacy controls were added to version seven of the HITRUST CSF. Version 9.1, released on March 1, 2018, was an interim release from the HITRUST Alliance that incorporated the EU General Data Protection Regulation (GDPR) as well as the New York State Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500). There are also mappings of the CSF's privacy and security requirements (versions eight and nine) to the 2016 AICPA Trust Services Criteria for Privacy, and HITRUST CSF version nine is mapped to the 2017 AICPA Trust Services Criteria.

The HITRUST CSF v9.4, released on June 22, 2020, incorporates the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) v1.0 and NY DOH Office of Health Insurance Programs SSP v3.1. HITRUST CSF v9.4 also includes updated mappings of the NIST SP 800-171 r2 to ensure continued alignment.

Using this framework, HITRUST constructed a system infrastructure roadmap so that any organization in a highly regulated industry can certify that it creates, accesses, stores or transmits data securely and in a compliant manner.

Who created the HITRUST Framework (and when was it created)?

The Health Information Trust Alliance (since rebranded as HITRUST) is a privately held company based in Texas that was founded in 2007. The company includes both a for-profit division, HITRUST Services Corp., and a not-for-profit division, the HITRUST Alliance. It is governed by an Executive Council made up of industry leaders from organizations such as Highmark, Anthem, Inc., Kaiser Permanente, UnitedHealth Group, and others. The current version of the HITRUST CSF is v9.4, with v10 expected to be released in 2022.

What are the HITRUST domains?

The CSF does not create broad buckets like Administrative and Security controls. The HITRUST framework is divided into 19 different control domains. The 19 HITRUST CSF domains include:

  1. Information Protection Program

  2. Endpoint Protection

  3. Portable Media Security

  4. Mobile Device Security

  5. Wireless Security

  6. Configuration Management

  7. Vulnerability Management

  8. Network Protection

  9. Transmission Protection

  10. Password Management

  11. Access Control

  12. Audit Logging & Monitoring

  13. Education, Training and Awareness

  14. Third Party Assurance

  15. Incident Management

  16. Business Continuity & Disaster Recovery

  17. Risk Management

  18. Physical & Environmental Security

  19. Data Protection & Privacy

How many HITRUST controls are there?

The HITRUST framework includes 156 controls and 75 control objectives. Each HITRUST control has three implementation levels: level one, level two, and level three. The levels are cumulative: level two includes all the requirements of level one plus additional requirements, and level three includes all the requirements of level two plus additional requirements. Level three is therefore the most stringent, with the largest number of controls and HITRUST compliance requirements.

Within each domain there are one or more security objectives, or groups of controls that have a common purpose. Each control includes a control specification as well as implementation requirements for each of the three implementation levels. Implementation requirements address policies, practices, procedures, guidelines, or organizational structures.

Implementation requirements for each level are drawn from various regulatory sources and practice frameworks, such as HIPAA, NIST, PCI-DSS, and others. The appropriate implementation level for each specification is determined by three kinds of risk factors specific to the organization: organizational, system, and regulatory.

What does it mean to be HITRUST certified?

Organizations that want to prove compliance with regulations such as HIPAA may choose to become HITRUST CSF Certified. HITRUST CSF certification indicates that an organization meets all requirements for the applicable HITRUST controls at the appropriate implementation level. Certification is a multi-step process that begins with a HITRUST CSF Self-Assessment, which is then verified by a third-party CSF Assessor. The results of the self-assessment and third-party verification are then sent to HITRUST for certification. HITRUST certification is issued for two years. HITRUST certification is costly, but more organizations are pursuing it as a growing number of providers and other organizations require their business associates to be certified.

Why does HITRUST matter?

As healthcare becomes increasingly dependent on evolving technologies to store and transmit data, cybersecurity and compliance have become a progressively emphasized, yet convoluted, matter. Navigating the tortuous labyrinth of federal, state, and third-party security mandates has become a feat that can quickly consume an organization's resources. If that isn't enough, getting through all the twists, turns and pitfalls to achieve compliance is only half the battle. Healthcare organizations and IT vendors must also prove their compliance to demonstrate that they are a trusted business partner. With all of this considered, isn't it obvious that the industry needs a system that is clear, standard, and secure? Thankfully, that's exactly what HITRUST has established in order to put the trust in data security.

Healthcare is complex and can seem overwhelming, but it doesn't have to be. Whether you're an industry professional or not, it is commonly felt that more time is spent understanding the healthcare conundrum than solving it. That's where Datica comes in. We have set out to investigate the underlying logic behind the astounding regulatory maze of this field and distill the information for those searching for it. Why spend your time mastering the problem when you could be discovering the innovative solutions?

For more information on HITRUST, check out the Datica Blog. Additional questions? Contact one of our experts today.