November 11, 2019

What is the HITRUST Framework?

Grant Barrick

Vice President of Marketing

Many people fail to realize that the Health Information Trust Alliance, known simply as HITRUST, is not a framework at all, but an organization comprised of healthcare industry leaders who regard information security as a fundamental component of data systems and exchanges. The HITRUST organization, in partnership with other technology and information security leaders, created and maintains the Common Security Framework (CSF), commonly known as the HITRUST CSF or the HITRUST framework.

What is a common security framework?

A common security framework is a set of policies and procedures that guide the development, implementation, and management of an organization’s security program. Common security frameworks are often used to improve an organization’s security posture, to help it meet regulatory requirements, and to maintain compliance with various regulations and standards.

What is the HITRUST framework?

The CSF, currently in version nine, is a certifiable framework that encompasses and harmonizes several other compliance frameworks and standards including HIPAA, HITECH, PCI, ISO/IEC, COBIT, NIST RMF and varying state requirements. According to the HITRUST Alliance, an interim release of HITRUST CSF v9.1 will incorporate the EU General Data Protection Regulation (GDPR). This interim release will also map the CSF’s privacy and security requirements to the AICPA Trust Services Criteria for Privacy.

Through this framework, HITRUST provides a system infrastructure roadmap that any healthcare organization can follow to certify that it securely creates, accesses, stores, or transmits protected health information (PHI).

What are the HITRUST domains?

The CSF does not group controls into broad buckets such as administrative and security controls. Instead, the HITRUST framework is divided into 14 different control domains. The 14 HITRUST CSF domains include:

  1. Information Protection Program
  2. Endpoint Protection
  3. Portable Media Security
  4. Mobile Device Security
  5. Wireless Security
  6. Configuration Management
  7. Vulnerability Management
  8. Network Protection
  9. Transmission Protection
  10. Password Management
  11. Access Control
  12. Audit Logging & Monitoring
  13. Education, Training and Awareness
  14. Third Party Assurance
  15. Incident Management
  16. Business Continuity & Disaster Recovery
  17. Risk Management
  18. Physical & Environmental Security
  19. Data Protection & Privacy

How many HITRUST controls are there?

The HITRUST framework includes 156 controls and 75 control objectives. Each HITRUST control has three implementation levels: level one, level two, and level three. The requirements for each level build on those of the previous level: level two includes all the requirements of level one plus additional requirements, and level three includes all the requirements of level two plus additional requirements. Level three is therefore the most stringent, with the largest number of controls and compliance requirements.

Within each domain there are one or more security objectives, or groups of controls that have a common purpose. Each control includes a control specification as well as implementation requirements for each of the three implementation levels. Implementation requirements address policies, practices, procedures, guidelines, or organizational structures.

Implementation requirements for each implementation level are integrated from various regulatory sources and practice frameworks, such as HIPAA, NIST, PCI-DSS, and others. The appropriate implementation level for each specification is determined by the organization’s organizational, system, and regulatory risk factors.

What does it mean to be HITRUST certified?

Organizations that want to prove compliance with regulations such as HIPAA may choose to become HITRUST Certified. HITRUST certification indicates that an organization meets all requirements for the applicable HITRUST controls at the appropriate implementation level. It is a several-step process that begins with a HITRUST CSF Self-Assessment, which is then verified by a third-party CSF Assessor. The results of the self-assessment and the third-party verification are then sent to HITRUST for certification. HITRUST certification is issued for two years. HITRUST certification is costly, but more organizations are pursuing it as a growing number of providers and other organizations require their business associates to be certified.

Why does HITRUST matter?

As healthcare becomes increasingly dependent on evolving technologies to store and transmit data, cybersecurity and compliance have become ever more emphasized, yet convoluted, concerns. Navigating the tortuous labyrinth of federal, state, and third-party security mandates has become a feat that can quickly consume an organization’s resources. If that isn’t enough, getting through all the twists, turns and pitfalls to achieve compliance is only half the battle. Healthcare organizations and IT vendors must also prove their compliance to demonstrate that they are trusted business partners. With all of this in mind, isn’t it obvious that the industry needs a system that is clear, standard, and secure? Thankfully, that’s exactly what HITRUST has established in order to put the trust in data security.

Healthcare is complex and can seem overwhelming, but it doesn’t have to be. Whether you’re an industry professional or not, it is commonly felt that more time is spent understanding the healthcare conundrum than solving it. That’s where Datica comes in. We have set out to investigate the underlying logic behind the astounding regulatory maze of this field and distill the information for those searching for it. Why spend your time mastering the problem when you could be discovering the innovative solutions?

For more information on HITRUST, check out the Datica Academy or Datica Blog. Additional questions? Contact one of our experts today.

Tags: HITRUST, Compliance, Security
