The HITRUST Alliance purposefully took the best parts of past frameworks to mold its “Common Security Framework” or CSF. The HITRUST CSF is then a list of more than seven hundred controls with the best parts of PCI, NIST, and more in mind. Let’s walk through the composite list.
The HITRUST list
In HITRUST’s official introduction, it lists out the sources of influence:
- American Institute of Certified Public Accountants (AICPA) Trust Services Principles and Criteria
- Catalog of Minimum Acceptable Risk Standards for Exchanges (MARS-E) – Exchange Reference Architecture (ERA) Supplement v2
- Center for Internet Security (CIS) Critical Security Controls v6
- Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule
- IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies: Safeguards for Protecting Federal Tax Returns and Return Information (New)
- ISO/IEC 27001:2013, Information Technology—Security Techniques—Information Security Management Systems Requirements
- ISO/IEC 27002:2013, Information Technology—Security Techniques—Code of Practice for Information Security Controls
- ISO/IEC 27799:2008 Health Informatics (guidance for information security management for healthcare organizations using ISO/IEC 27002:2005)
- National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)
- NIST Framework for Improving Critical Infrastructure Cybersecurity v1
- Control Objectives for Information and related Technology (COBIT) v4.1
- Payment Card Industry (PCI) Data Security Standard v3.2
- Federal privacy requirements (e.g., HHS)
- State security requirements (e.g., Nevada, Massachusetts, and Texas)
- Experiences and best practices of HITRUST participants
The positives and negatives of HITRUST CSF certification
There are positives and negatives to thinking about HITRUST as a superset framework.
First, the main negative: If you become HITRUST CSF Certified, you are not certified or compliant with the above list. If you want to be SOC2 certified or PCI compliant, you must still conduct those assessments independently with your auditor. If your business is such where it’s mandatory you provide those defined assurances, it means you have other audits to manage and pay for. That can be frustrating.
But there are many positives to HITRUST’s superset nature. The biggest is the credibility and thoroughness attributed to a certification. Most compliance and security officers at covered entities are adopting HITRUST as the best and only required way to assess business associates because they know if someone is HITRUST CSF Certified, they have gone through a thorough process to prove assurances.
The other positive is the overall reduction in cost for your company to prove security and compliance. Again, within the framing that it’s not necessarily a hard requirement to show PCI compliance, et al, your organization can effectively demonstrate credibility within those 14 frameworks in a one-time shot. We’ve written a case study about our own HITRUST certification costs, which average somewhere around $20,000-$60,000 depending on scope.
If you are working on a project which requires compliance and are looking into HITRUST, consider us a resource. We’d be happy to chat more about the benefits of HITRUST on the cloud.