HITRUST vs. NIST
With the passing of the Health Insurance Portability and Accountability Act (HIPAA) in 1996 came the need to update healthcare records onto electronic devices. Although, the adoption of these electronic health records (EHRs) primarily came later, when the Health Information Technology for Economic and Clinical Health Act (HITECH) was passed in 2009. With the combined set of rules and regulations, being both HIPAA and HITECH compliant became a complex puzzle for healthcare organizations to piece together.
But data and data security issues weren’t going to wait. With the significant proliferation of computers, smartphones, and other electronic devices, data security and privacy regulations needed to be streamlined and enforced. Thus, frameworks for data security and security compliance were created.
NIST and HITRUST are both frameworks that help healthcare organizations stay HIPAA compliant to avoid penalties for data security breaches. Though the question then becomes: which framework should be used, and are the two compatible? To explore these questions and more, read ahead.
Comparing HITRUST vs NIST
When comparing HITRUST vs NIST, you’re comparing a specific part of these two organizations. What is truly being compared is the HITRUST common security framework (CSF) and the NIST cybersecurity framework (CSF). These outline security and privacy measures for federal organizations.
To compare the two, it’s necessary to understand each framework.
What is NIST
Let’s start with NIST. NIST stands for the National Institute of Standards and Technology(NIST). They’re a subsection of the US Commerce Department in charge of promoting and maintaining measurement standards. Their tendrils stretch across science, technology, engineering, information technology, and physical and material measurement.
“a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile cyber-attacks, natural disasters, structural failures, and human errors.”
It goes on to say how the controls that are selected are customizable to fit federal organizations. Thus, with healthcare, NIST CSF provides a framework of how to understand and document data security and how to implement controlling factors. It does what HITRUST was created to do in healthcare, but across the broadest spectrum of organizations.
Before moving through the specifics, let’s get on the same page about what HITRUST is:
What is HITRUST
The Health Information Trust Alliance (HITRUST) is a private company that collaborates on an ongoing basis with healthcare, security, and information technology experts to create a working framework for organizations to store and exchange data. This framework is known as the common security framework, and it provides an accessible way of complying with HIPAA standards.
In theory, to be HITRUST certified means to be compliant with global security regulations including standards for:
One criticism of HITRUST is that it has overly complicated regulation standards for smaller healthcare organizations that are only operating within the US.
How The Two Systems Are Comparable
Because these are both frameworks that involve 1) protecting patient (or user) data and privacy and 2) how companies can effectively be compliant with federal and global regulations, there’s going to be a wide array of overlap. To nitpick a little — just because there’s overlap, doesn’t mean they’re similar in their implementation. In order to compare the two systems, let’s first identify common ground:
- What are the NIST security control baselines?
- How can a company ensure they are NIST compliant and does this mean HIPAA compliant?
- What is HITRUST certification and how is it relevant to NIST?
By answering these questions, you’ll have a fuller picture of what these frameworks provide and how they work together in data protection.
NIST Security Control Baselines
In order for an organization in the private sector to assess and improve their data security and regulations, they defer to NIST security control baselines. These are the methods by which companies can assess their ability to prevent and respond to cyber-attacks.
Outlined in the NIST SP 800-53 are standards of security and methods for how to apply the security control baselines. These constantly refer to Appendixes D, H, and J — diving into these will reveal a lot about why NIST can be applied to the healthcare industry.
- Appendix D – Security Control Baselines – Appendix D outlines three security priority codes (P1, P2, P3, or unspecified security code, P0). They act in sequential order, depending on what the security control is (e.g. “Information Sharing” or “Data Mining Protection”). If the priority is P2, all P1 security controls are applied first, then on top of them are applied P2 security controls. Appendix D also provides initial control baselines depending on whether the organization or information system falls under Low, Moderate, or High initial security regulations. Thus, with an industry like healthcare where information sharing is a key data security factor, this would be under the ‘High’ initial control baseline.
A few notes on Appendix D:
- Initial control baselines are further detailed in Appendix F
- Appendix D provides physical security provisions as well as data security
- Emergency power and shutoff
- Water damage protocol
- Fire protection
- Appendix H – International Information Security Standards – In Appendix H, there is a mapping between NIST and ISO’s IEC 27001, which is a third (international) standard of security management practice. If the healthcare organization is working both inside and outside of the continental US, it must adhere to ISO’s IEC restrictions. This is where standards are set on:
- Basic data exchange protocol
- Transmission of confidential information
- Integrity of data exchange
- Detection of data modification
- Notification of data breach
- Data breach protocols
- Reliable time stamping
Note: These are just a few points picked out to demonstrate the compatibility with HIPAA compliance. While they are instrumental in maintaining a functional data security operation, for a comprehensive view, you have to read through Appendix H of NIST SP 800-53.
- Appendix J – Privacy Control Catalog – Here is where the correlation between HIPAA compliance, HITRUST, and NIST all start coming together. Privacy and data privacy are part and parcel to being HIPAA compliant. In this appendix, it details the need for privacy regulations in an era of smartphones, cloud technology, and an ever-widening technological landscape with security holes. Thus, with respect to personally identifiable information (PII) — which translates to HIPAA’s and HITRUST’s electronic personal health information (ePHI) — protecting PII is a core tenant of privacy regulations. There are 26 privacy controls broken into the following 8 categories:
Becoming NIST Compliant and What That Means for HIPAA Compliance
Outlined in NIST SP 800-53 are the individual guidelines to follow to ensure your business or organization is secure from known data breaches. Because NIST does not have an enforcement protocol, there is no “compliance metric” except to say the company has provisions for all relevant guidelines.
In regards to HIPAA compliance, NIST released an informational publication SP 800-66 that provided guidelines specifically catered to the healthcare industry. However, this does not necessarily mean following NIST’s provisions will ensure HIPAA compliance:
“The preamble of the Security Rule states that HHS does not rate or endorse the use of industry-developed guidelines and/or models. Organizations that are not required to use this NIST special publication (by other regulation, law, or requirement) yet choose to use it, must determine the value of its content for implementing the Security Rule standards in their environments. The use of this publication or any other NIST publication does not ensure or guarantee that an organization will be compliant with the Security Rule.”
All this to say, in order to be HIPAA compliant, one must follow the five titles detailed out in the Health Insurance Portability and Accountability Act. At least that’s according to NIST; HITRUST has its own process of dealing with HIPAA.
HITRUST Certification and Its Benefits
As of 2017, audits that find healthcare organizations not HIPAA compliant are being fined in 7-figure penalties, and these can easily increase. What HITRUST CSF provides is a comprehensive framework that enables HIPAA mandates and HITECH regulations to be incorporated, so as to avoid these penalties entirely. The language from HIPAA is directly mapped onto HITRUST’s framework ensuring that if a company is HITRUST certified, that also means they are HIPAA compliant.
When going through a certification process, the framework defines five different levels of maturity with each of HIPAA’s rules and regulations. Those maturity levels are based on the following:
- Policy – Are policies in place to cover the compliance requirement?
- Procedure – Are the policies developed in procedures and are the procedures practiced?
- Implementation – Have security controls been implemented?
- Measurement – How are the security controls measured to ensure proper enforcement?
- Management – How are the security controls managed?
Breaking each of these maturity levels down even further. HITRUST places each one on a scale from:
- Level 1 – Non-Compliant
- Level 2 – Somewhat Compliant
- Level 3 – Partially Compliant
- Level 4 – Mostly Compliant
- Level 5 – Fully Compliant
What HITRUST Certification Means for HIPAA Compliance and NIST
Because HITRUST can be built around whatever healthcare compliance is necessary (HIPAA, HITECH, etc.), it can include HIPAA and HITECH compliance. The same goes for NIST regulations; they can be mapped onto the CSF to ensure all NIST regulations are met and up-to-date.
How the Two Systems Measure Up
If you wanted to put two frameworks side by side: NIST vs HITRUST, then the two could be compared using a set of variables:
- Scaling of security operations
- Controlled tailoring to organization
- Certification for assurance
- Guided assessment
- Tech support
Why is the HITRUST Better for Healthcare?
There are two security systems and methods of regulation at the fingertips of healthcare providers and subsidiaries. By “better for healthcare,” organizations must identify which framework:
- Provides more security overall to the patient
- Makes streamlining security operations easier
- Ensures HIPAA compliance
- Regulates data security operations more effectively
And that is HITRUST CSF.
Ensuring Your Business is HITRUST Certified
One obvious way to ensure your business is HITRUST certified is to survive an audit. But waiting until you’re audited seems like the wrong way to go about it. Thing is, being HIPAA compliant and actually proving that to an auditor are two wildly different beasts.
This is why when a company wants to become HITRUST certified, they can work backward through an auditor’s process and check off each box.
- Part 1: Self Assess any Issues – Before going through any third-party HITRUST evaluation or assessment, the first step is run through a self-assessment report. This is offered by HITRUST, it’s known as MyCSF, and it’s a way to understand the underlying processes.
- Great for catching large gaps in security that can be addressed before going through certified third-party assessment
- Cheaper assessment option but more time consuming
- Part 2: CSF Validation – A third-party CSF assessor that is approved by HITRUST will conduct an onsite visit to assess the organization and read through provided evidence.
- This will ensure that, if audited, there are no glaring gaps in HIPAA compliance that could lead to serious penalties and fees
- Not as comprehensive as CSF certification
- Part 3: CSF Certification – The main difference between validation and certification is that for certification, the organization must meet all in-scope CSF specific controls. The degrees of certification are scored and reviewed.
- Ensures that an organization is audit-protected
How can RSI Security Help?
Because RSI Security is a full security service provider, they are experts in everything data security and compliance. They support organizations and businesses with HIPAA compliance, HITECH compliance, and they are an authorized HITRUST CSF assessor. To walk an organization through the certification process, RSI Security can offer:
- Security gap assessment
- Guided self-assessment reports
- Both HITRUST validation and certification processes
- Continuous security monitoring
- Healthcare risk analysis and advisory
- Risk management
Protect Your Data
With the number of major data security breaches in the hundreds each year, it’s important to understand the risks associated with your organization. Every smartphone, tablet, and computer provides an access point for cyber attacks. And to protect patient data means to comply with all HIPAA and HITECH regulations.
Utilizing the HITRUST CSF framework for data and data security allows your organization to build in all security mandates into your system. Being HITRUST certified means that you are compliant with all data security protocols. And choosing RSI Security ensures that your organization is HITRUST certified. Simple as that.
NIST. Special Publication 800-53. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
ISO. ISO/IEC 27001 Information security management. https://www.iso.org/isoiec-27001-information-security.html
NIST. Special Publication 800-66. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-66r1.pdf
HIPAA Journal. What are the Penalties for HIPAA Violations? https://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/
HITRUST Alliance. Comparing the CSF, ISO/IEC 27001 and NIST SP 800-53. http://hitrustalliance.net/content/uploads/2013/12/Comparing-the-CSF-ISOIEC-27001-and-NIST-SP-800-53.pdf