The Health Information Trust Alliance (HITRUST) first introduced the Common Security Framework (CSF) in 2007. CSF protects sensitive data, while also managing the security risks global organizations often face, along with their third-party suppliers. CSF documents and compares HIPAA and HITECH requirements to the security and privacy regulations. When patients know that their information is secure, it can help build trust between them and their healthcare organization.
Since data is often outsourced to a third-party, the framework is designed to prevent security breaches that could put the organization at the risk of noncompliance. To ensure that healthcare companies dependent on HIPAA and any third-party associates meet the strict regulations, organizations are required to perform a risk management assessment. This is where the CSF maturity model comes in.
Understanding the HITRUST CSF Maturity Model
The CSF maturity model simplifies the process organizations use to ensure that they are in compliance. Without it, the task of making sure that all digital products meet standard regulations would be frustrating and time-consuming. The CSF maturity model scores organizations on self and validated assessments, both of which are important to ensure that the organization and third-party are in compliance.
The maturity model assesses the controls in five separate areas,
- Process and Procedures
To understand how HITRUST evaluates these areas, you need to know the criteria the framework uses to determine an organization’s compliance.
HITRUST evaluates the existing standards and policies, checking to see if they cover all major facilities and operations controlled by the organization. How effectively managers communicate policies and standards to their employees is also evaluated in this area, along with the language used. The up-to-date policies should contain “will” and “shall” for each required statement. For example, “ Employees shall… or Employees will”, instead of using terms that are considered open-ended.
HITRUST will analyze if the procedures necessary for individuals to implement every step of the requirements were adequately communicated. Basically, organizations are evaluated on how knowledgeable the people are performing the tasks. If the procedures aren’t implemented properly, it could be a security risk.
A CSF certified firm like RSI Security will evaluate if the organization’s policies and procedures are updated and followed at all locations. For uniform data protection across all devices, the same protocols must be followed everywhere. In addition, how ad hoc approaches are applied will also be scrutinized.
This area refers to how often the organization performs self-assessments and routine audits designed to evaluate how adequate and effective implementing the protocols are. It also looks at how rigorous the assessments were regarding different security threat levels. Even if the protocols are effective and implemented across the board if the assessment doesn’t probe harder at higher risk areas there could be a vulnerable spot.
This category looks at how effective any corrective actions were in response to a perceived threat or identified weakness in the system. The cost, risk level, and mission impact will also be assessed. This information can help organizations learn how threats could affect the system. From there security protocols can be put into place.
For each of these areas, organizations will receive a score based on their level of compliance. There are five possible scores, and the HITRUST CSF Maturity Model is specifically designed this way. It is a cyclical process – where each level builds on the next for constant improvement. This is how healthcare and other data-sensitive organizations build a strong security network.
CFS Maturity Model Scores
As previously mentioned there are five possible CFS maturity model scores, starting with 0% for non-compliant and 100 percent for compliant. 75 percent is still a good score, the organization only needs to do some work and any score lower is on the edge of being non-compliant.
Why does being compliant matter? HIPAA compliance ensures that all health data is protected and adequate security safeguards are in place. Organizations that aren’t compliant are not only at risk for data breaches, but it will also be difficult to get or retain the trust of patients. Legal proceedings can also be initiated depending on the type of security breach.
All organizations should perform self-assessments routinely. This will indicate any weaknesses that need to be addressed. It will also help ensure compliance with the Validated Assessment. Regardless of the type of assessment, you will be required to give each control and compliance a maturity level. This needs to be done for all five levels. The maturity level can be assigned in the MyCSF tool.
How HITRUST Control Scores are Calculated
Control scores are calculated differently than maturity scores. MyCSF tool does the calculations, but organizations should still know how it works. The control score relies heavily on the maturity level scores – the weight is multiplied by all maturity level scores on the level. For example, weight is 25 percent on Policy with a fully compliant maturity level on 1 protocol the HITRUST control score would be 25. The scores from each level are totaled for the total control score.
Organizations need to remember that 75 percent of their score is from Policy, Procedure, and Implementation. The CSF maturity model places importance on these levels since each one covers how protocols are documented and procedure communicated and implemented. An implemented procedure implies that it is ready for an assessment test. Including an assessment not communicated or implemented in the maturity level, controls will hurt your overall compliance score.
While emphasis should always be placed on policy, procedure, and implementation, 25 percent of the score comes from measured and managed levels combined. The reason that these levels have a lower weight is that they primarily apply to larger organizations that have systems available to measure performance. In most cases, health care organizations can receive certification by concentrating on the first three primary levels.
To meet HITRUST requirements for compliance, each domain (control) must receive a CSF maturity model rating of at least 3. The maturity ratings range from one to five, and anything lower than a three will need to create a Corrective Action Plan (CAP). Domains can still receive a CAP with a three or higher rating. In this case, the organization can still get certified.
Importance of Cybersecurity and HIPAA Certification
Cybersecurity in the healthcare industry is a growing concern, even with assessment tools like the HITRUST CSF maturity model to help organizations learn how well their security protocols are working and if there are any issues that need attention. Even larger HIPAA certified organizations are worried about potential cyberattacks.
In 2015, there were more data breaches in the healthcare industry than in the six previous years combined. This included the records of patients and health plan members. In 1015, over 113 million files were stolen, over half in a single cyberattack. Security breaches increased in 2016, and security experts expect the trend to continue.
Even though the healthcare industry has been one of the slowest to respond to cyber threats, they have increased their security budget and are investing in new technology. This includes using the HITRUST CSF Maturity Model to assess systems and determine weaknesses. With more of the workforce using mobile devices, along with the organizations’ computers, there are even more chances of a hacker getting in.
Common Questions About HITRUST
Even healthcare organizations that are HITRUST certified have questions about the Health Information Trust Alliance. Here are some of the most commonly asked questions about the Common Security Framework and how it affects healthcare organizations.
Is HITRUST certification required for HIPAA compliance?
Organizations do not need to have a HITRUST certification to be compliant with HIPAA. However, it does signal to organizations that are required to be HIPAA compliant that you take security protocols seriously. The framework also allows healthcare organizations to run assessments before validation. The assessment can highlight areas that need improvement to avoid non-compliance penalties.
What type of businesses and organizations is HITRUST designed for?
HITRUST is intended for the healthcare industry and its third-party associates. It is designed to assess the security protocols organizations that deal with PHI, along with HITECH and HIPAA compliance. While HITRUST certification is not required, it can help demonstrate HIPAA compliance if the organization is ever investigated for a security breach.
Did HITRUST certification replace HIPAA compliance?
It is not uncommon for organizations to believe that their HITRUST certification is the same as being HIPAA compliant. HITRUST did not replace HIPAA. If an organization has a HITRUST certification but is not HIPAA compliant, there is the risk of penalties which can be as high as $1.5 million. The HITRUST CSF Maturity Model is meant to audit an organization’s security protocols and highlight any areas that need improvement. It does not replace HIPAA certification.
Do healthcare organizations get a HITRUST certificate?
In an age where wireless security is key to an organization’s success, especially one that handles protected health information, a certificate that shows they are validated can help improve the trust they have with their patients.
There are two steps organizations take with HITRUST. The first is to perform a self-assessment with the myCSF tool. This will address any security gaps in the organization’s protocols. Assessing these, with the help from a CSF assessor like RSI Security, will help ensure an organization’s HIPAA compliance.
The second step is to hire a CSF assessor to perform a validated assessment. This will involve onsite interviews with employees responsible for implementing and maintaining security protocols. The security system will be tested, along with all documentation being reviewed. The validation assessment is rigorous, but it is designed to detect any flaws in an organization’s security protocols.
If a third-party is HITRUST certified can they meet a healthcare organization’s HIPAA requirements?
As mentioned earlier, HITRUST certification is not the same as HIPAA compliance. HITECH rules require that an organization – and its’ third party associates- be HIPAA compliant. A HITRUST certification only signifies that the entity has security protocols in place to meet HIPAA standards.
How does a HITRUST assessment help with HIPAA compliance?
The HITRUST CSF Maturity Model is designed to help healthcare organizations become and stay compliant with HIPAA regulations. These standards regarding protected health information are stringent and the penalties for a security breach can be steep. Performing a self and validation assessment will expose areas where wireless security is lacking and provide certification when the issues are resolved. The HITRUST framework does this by,
- Providing a single approach across all of the organization’s facilities for managing and securing data.
- The security protocols are updated to address changing technology and employees are properly trained on implementation, usage, and maintenance on a routine and annual basis.
- If alternative controls are needed the system can adequately adapt. This allows for any changes to be quickly made if a security threat is detected.
- There are several levels required to implement a wireless security protocol, all tested for risk assessment.
- The controls are designed and assessed according to the size and type of healthcare organization. This allows the framework to only assess controls that apply to the healthcare organization.
- All standards and regulations for businesses – global and local- are met according to industry security stands.
Cybersecurity is an important issue that all healthcare organizations need to address. The number of data breaches is increasing, along with potential threats. To keep patients’ data safe from hackers, strong security measures need to be taken. HITRUST CSF Maturity Model can help organizations protect their online data. It also helps organizations meet compliance standards for HIPAA certification.
For all the information organizations need about the HITRUST CSF maturity Model, the experts at RSI Security are here to help. As a CSF certified firm they know what problem areas to look for during the assessment so organizations can become and stay HIPAA compliant.