What is the HITRUST Framework?
Grant Barrick
Former Vice President of Marketing
Many people fail to realize that the Health Information Trust Alliance, known simply as HITRUST, is not a framework at all, but an organization comprised of healthcare industry leaders who regard information security as a fundamental component to data systems and exchanges. The HITRUST organization, in partner with other technology and information security leaders, created and maintains the Common Security Framework (CSF), commonly known as the HITRUST CSF or the HITRUST framework.
What is a common security framework?
A common security framework is a set of policies and procedures that guide the development, implementation, and management of an organization's security. Common security frameworks are often used to improve an organization's security posture and to aid organizations in meeting regulatory requirements and maintain compliance with various regulations and standards.
What is the HITRUST framework?
The CSF, currently in version nine, is a certifiable framework that encompasses and harmonizes several other compliance frameworks and standards including HIPAA, HITECH, PCI, ISO/IEC, COBIT, NIST RMF and varying state requirements. According to the HITRUST Alliance, an interim release of HITRUST CSF v9.1 will incorporate the EU General Data Protection Regulation (GDPR). This interim release will also map the CSF's privacy and security requirements to the AICPA Trust Services Criteria for Privacy.
By utilizing this framework, HITRUST has constructed a system infrastructure roadmap so that any healthcare organization can certify that they securely create, access, store or transmit protected health information (PHI).
What are the HITRUST domains?
The CSF does not create broad buckets like Administrative and Security controls. The HITRUST framework is divided into 14 different control domains. The 14 HITRUST CSF domains include:
- Information Protection Program
- Endpoint Protection
- Portable Media Security
- Mobile Device Security
- Wireless Security
- Configuration Management
- Vulnerability Management
- Network Protection
- Transmission Protection
- Password Management
- Access Control
- Audit Logging & Monitoring
- Education, Training and Awareness
- Third Party Assurance
- Incident Management
- Business Continuity & Disaster Recovery
- Risk Management
- Physical & Environmental Security
- Data Protection & Privacy
How many HITRUST controls are there?
The HITRUST framework includes 156 controls and 75 control objectives. Each HITRUST control has three implementation levels: level one, level two, and level three. The requirements for each level build on the requirements of the previous level. Level two includes all the requirements of level one plus additional requirements, and level three includes all the requirements of level two plus additional requirements. Level three has the most stringent set of requirements with the largest number of controls and compliance requirements.
Within each domain there are one or more security objectives, or groups of controls that have a common purpose. Each control includes a control specification as well as implementation requirements for each of the three implementation levels. Implementation requirements address policies, practices, procedures, guidelines, or organizational structures.
Implementation requirements for each level of implementation are integrated from various regulatory sources and practice frameworks, such as HIPAA, NIST, PCI-DSS, and others. The appropriate implementation level for each specification is based on the organization's organizational, system, and regulatory risk factors.
What does it mean to be HITRUST certified?
Organizations that want to prove compliance with regulations such as HIPAA may choose to become HITRUST Certified. HITRUST certification indicates that an organization meets all requirements for the applicable HITRUST controls at the appropriate implementation level. It's a several-step process that begins with a HITRUST CSF Self-Assessment which is then verified by a third-party CSF Assessor. The results of the self-assessment and third-party verification are then sent to HITRUST for certification. HITRUST certification is issued for two years. HITRUST certification is costly, but more organizations are pursuing certification as a growing number of providers and other organizations are requiring their business associates to be certified.
Why does HITRUST matter?
As healthcare is becoming further dependent on evolving technologies to store and transmit data, cybersecurity and compliance have become a progressively emphasized, yet convoluted, matter. Navigating the tortuous labyrinth of federal, state, and third-party security mandates has become a feat that can quickly consume an organization's resources. If that isn't enough, getting through all the twists, turns and pitfalls to achieve compliance is only half the battle. Healthcare organizations and IT vendors must also prove their compliance to guarantee they are a trusted business partner. With all considerations, isn't it obvious that the industry needs a system that is clear, standard, and secure? Thankfully, that's exactly what HITRUST has established in order to put the trust in data security.
Healthcare is complex and can seem overwhelming, but it doesn't have to be. Whether you're an industry professional or not, it is commonly felt that more time is spent understanding the healthcare conundrum versus solving it. That's where Datica comes in. We have set out to investigate the underlying logic behind the astounding regulatory maze of this field and distill the information to those searching for it. Why spend your time mastering the problem when you could be discovering the innovative solutions?
For more information on HITRUST, check out the Datica Academy or Datica Blog. Additional questions? Contact one of our experts today.
