Leaders of healthcare providers, payers and third-party vendors have formed an alliance to bring consistency to how healthcare organizations interpret security standards. That alliance is called HITRUST, and it provides a common security framework (CSF). The HITRUST CSF is rapidly becoming the future of healthcare compliance validation.

What is HITRUST?

The Health Information Trust Alliance (HITRUST) is an organization that, in partnership with technology and information security leaders, created and maintains the HITRUST Common Security Framework (CSF).

The HITRUST CSF is a certifiable framework that encompasses and harmonizes several other compliance frameworks and standards, including HIPAA, HITECH, PCI, ISO/IEC, COBIT, NIST RMF, and varying state requirements. The framework serves as a system and infrastructure roadmap that healthcare organizations can use to certify that they securely create, access, store, or transmit protected health information (PHI).

Why does HITRUST matter?

As healthcare becomes increasingly dependent on evolving technologies to store and transmit data, cybersecurity and compliance have become an increasingly prominent, yet convoluted, concern. Navigating the tortuous labyrinth of federal, state and third-party security mandates has become a feat that can quickly consume an organization’s resources.

If that isn’t enough, getting through all of the twists, turns, and pitfalls to achieve compliance is only half the battle. Healthcare organizations and IT vendors must also prove their compliance to demonstrate that they are a trusted business partner. In fact, many large hospitals and health systems now strongly recommend that business associates and partners pursue HITRUST certification. Already the most widely adopted assessment, the CSF Assurance Program is forcing business associates to assess and report on their data privacy and security posture or risk losing their contracts and renewals with healthcare systems.

Many people ask how to prove HIPAA compliance; the answer to that question is HITRUST CSF certification.

What is the HITRUST Common Security Framework (CSF)?

The HITRUST CSF is divided into nineteen control domains and defines one hundred thirty-five specific controls within those domains, each of which can be implemented at one of three levels.

19 Control Domains

  1. Information Protection Program
  2. Endpoint Protection
  3. Portable Media Security
  4. Mobile Device Security
  5. Wireless Protection
  6. Configuration Management
  7. Vulnerability Management
  8. Network Protection
  9. Password Management
  10. Access Control
  11. Audit Logging & Monitoring
  12. Education, Training & Awareness
  13. Third Party Security
  14. Incident Management
  15. Business Continuity & Disaster Recovery
  16. Risk Management
  17. Physical & Environmental Security
  18. Data Protection & Privacy
  19. Transmission Protection

135 Specific Controls with 3 Implementation Levels

Within the domains above, HITRUST has defined one hundred thirty-five specific controls. For each of those controls, three distinct implementation levels exist. Each implementation level builds on the one before it, with level three having the most stringent set of requirements.

Implementation levels in the CSF are determined for each organization based on its risk profile, accounting for factors such as the size of the organization and the number of health records it stores.

The HITRUST CSF Assessment

A HITRUST assessment begins with gathering information about the entity being assessed. This information is used to gauge the organizational, system, and regulatory requirements for the assessment and to determine its risk and scope. In contrast to HIPAA, which subjectively states that controls should be implemented that are “reasonable and appropriate,” HITRUST is prescriptive, dynamically assigning an implementation level to each requirement.

3 Degrees of Assurance

The three Degrees of Assurance are essentially levels of assessment that align with cost, level of effort, amount of time, and rigor. Each level builds on the one before it:

  1. CSF Self Assessment: the organization completes the assessment itself, and the result is a HITRUST-issued CSF Self Assessment Report.
  2. CSF Validated: a third-party, HITRUST-approved CSF Assessor verifies the information gathered by the organization with an onsite visit. A Validated Report is the outcome.
  3. CSF Certified: the organization meets all of the certification requirements of the CSF. This builds on the CSF Validated assessment in that HITRUST reviews and certifies the organization’s entries and the validation performed by the third-party assessor.

How Long Does CSF Certification Take?

It varies with the size and complexity of the organization, but in the case of Datica, it took three to four months.

How Much Does HITRUST Cost?

The total cost of the HITRUST Assessment is $60,000-$80,000, including estimated direct and indirect costs as appraised by Datica’s compliance experts. If you are considering HITRUST, cost is not the only consideration. Audits are time-consuming and distracting, burdens that are hard to quantify. Not only that, but the process needs to be repeated on an annual basis.

HITRUST isn’t easy, and it shouldn’t be. The experience Datica has gained as a company and the extensive testing of our technology bring great value to our customers. Our HITRUST Certification helps our customers prove their applications and data are secure, because it is an even more compelling proof than our HIPAA audits. If you’re already a Datica customer, there’s nothing you need to do; the Datica Compliant Cloud infrastructure you’re hosting on is HITRUST CSF Certified.
