Organizations that are looking to expand their business by entering new industries or locations are faced with new regulatory challenges at every corner. The HITRUST CSF helps solve these problems with flexible implementation and assessment for most applicable laws and regulations.
Are you considering HITRUST certification? Schedule a consultation to learn more!
How HITRUST Certification Powers Expansion
Compliance is one of the most challenging aspects of expanding into new industries and locations. But HITRUST CSF is designed to help you meet all your compliance needs efficiently.
There are three pillars to using HITRUST to your advantage when scaling:
- What the HITRUST certification process entails, including assessments and controls
- Which industry-related certification and compliance needs HITRUST is apt to facilitate
- How HITRUST streamlines compliance with government-level regulatory frameworks
Working with a HITRUST advisor will help you reap the benefits of a comprehensive, unified compliance framework, cutting down on certification costs while maximizing your security.
Understanding HITRUST Certification
The HITRUST Alliance is an institution dedicated to broad and deep cybersecurity and risk management solutions across all industries. Founded in 2007, it publishes a wide variety of security guidance and framework documents that empower organizations and individuals to understand and improve their cyberdefense through targeted implementation and assessment.
The HITRUST CSF is the institution’s primary framework. It is a comprehensive document that organizes over 150 Controls and 1000 customizable requirements and configurations that can be adjusted to meet any regulatory context’s specific needs. HITRUST CSF certification involves implementing some or all of these controls and then conducting a HITRUST assessment.
Organizations can opt for an Essentials (1-year, e1), Implemented (1-year, i1), or Risk-based (2-year, r2) assessment for low, moderate, or thorough amounts of security assurance. By leveraging the MyCSF tool, organizations can customize their assessments to meet the needs of several regulatory contexts by mixing and matching applicable HITRUST requirements.
An Overview of HITRUST Requirements
The most current version of the HITRUST CSF, v11.1.0, comprises 14 Control Categories, which break down into 49 Objectives and 156 individual Control References, as follows:
- 0. Information Security Management Program – One Objective:
  - 0.01: Information Security Management Program (one Reference)
- 01. Access Control – Seven Objectives:
  - 01.01: Business Requirement for Access Control (one Reference)
  - 01.02: Authorized Access to Information Systems (four References)
  - 01.03: User Responsibilities (three References)
  - 01.04: Network Access Control (seven References)
  - 01.05: Operating System Access Control (five References)
  - 01.06: Application and Information Access Control (two References)
  - 01.07: Mobile Computing and Teleworking (two References)
- 02. Human Resources Security – Four Objectives:
  - 02.01: Prior to Employment (two References)
  - 02.02: During Onboarding (one Reference)
  - 02.03: During Employment (three References)
  - 02.04: Termination or Change of Employment (three References)
- 03. Risk Management – One Objective:
  - 03.01: Risk Management Program (four References)
- 04. Security Policy – One Objective:
  - 04.01: Information Security Policy (two References)
- 05. Organization of Information Security – Two Objectives:
  - 05.01: Internal Organization (eight References)
  - 05.02: External Parties (eight References)
- 06. Compliance – Three Objectives:
  - 06.01: Compliance with Legal Requirements (six References)
  - 06.02: Compliance with Security Policies (two References)
  - 06.03: Information System Audit Considerations (two References)
- 07. Asset Management – Two Objectives:
  - 07.01: Responsibility for Assets (three References)
  - 07.02: Information Classification (two References)
- 08. Physical and Environmental Security – Two Objectives:
  - 08.01: Secure Areas (six References)
  - 08.02: Equipment Security (seven References)
- 09. Communications and Operations Management – Ten Objectives:
  - 09.01: Documented Operating Procedures (four References)
  - 09.02: Control Third Party Service Delivery (three References)
  - 09.03: System Planning and Acceptance (two References)
  - 09.04: Protection Against Malicious and Mobile Code (two References)
  - 09.05: Information Backup (one Reference)
  - 09.06: Network Security Management (two References)
  - 09.07: Media Handling (four References)
  - 09.08: Exchange of Information (five References)
  - 09.09: Electronic Commerce Services (three References)
  - 09.10: Monitoring (six References)
- 10. Information Systems Acquisition, Development, and Maintenance – Six Objectives:
  - 10.01: Security Requirements of Information Systems (one Reference)
  - 10.02: Correct Processing in Applications (four References)
  - 10.03: Cryptographic Controls (two References)
  - 10.04: Security of System Files (three References)
  - 10.05: Security in Development and Support Processes (two References)
  - 10.06: Technical Vulnerability Management (one Reference)
- 11. Information Security Incident Management – Two Objectives:
  - 11.01: Reporting Security Incidents and Weaknesses (two References)
  - 11.02: Managing Security Incidents and Weaknesses (three References)
- 12. Business Continuity Management – One Objective:
  - 12.01: Information Security Aspects of Continuity (five References)
- 13. Privacy Practices – Seven Objectives:
  - 13.01: Transparency (three References)
  - 13.02: Individual Participation (three References)
  - 13.03: Purpose Specification (two References)
  - 13.04: Data Minimization (two References)
  - 13.05: Use Limitation (two References)
  - 13.06: Data Quality and Integrity (three References)
  - 13.07: Accountability and Auditing (six References)
The CSF is updated frequently. However, most changes within a version (i.e., all v10s, all v11s) do not alter the Category, Objective, and Reference core. Instead, changes are predominantly to the Specifications within References, along with Implementation Levels and mapping guidance.
HITRUST and Industrial Regulations
The HITRUST Alliance and HITRUST CSF were born out of industry-specific cybersecurity concerns. Namely, the “HI” in “HITRUST” itself was initially an acronym for “Health Information.” That origin is apparent in HITRUST’s applicability to healthcare security and compliance. In particular, HITRUST is one of the best ways to meet the needs of the Health Insurance Portability and Accountability Act (HIPAA), applicable to organizations in and around healthcare.
But HITRUST is no longer an acronym; neither does it apply exclusively to that industry.
For organizations looking to expand into other fields, like government and military contracting, HITRUST is equally applicable. One of the most restrictive regulatory contexts is working with the Department of Defense (DoD), which requires achieving Cybersecurity Maturity Model Certification (CMMC) by implementing and assessing controls adapted from several National Institute of Standards and Technology (NIST) frameworks. HITRUST facilitates the process.
HITRUST for Healthcare Compliance
HIPAA is one of the best-known and most widely applicable regulations in the US. It applies to covered entities both within and adjacent to healthcare, along with their business associates. The US Department of Health and Human Services (HHS) oversees the regulation, which exists to safeguard medical treatment and payment records, or protected health information (PHI).
There are three prescriptive HIPAA rules all covered entities need to follow:
- The HIPAA Privacy Rule requires covered entities to make PHI available to patients it concerns and prevent all unauthorized access besides Permitted Uses and Disclosures.
- The HIPAA Security Rule requires covered entities to identify and mitigate threats to the confidentiality, integrity, and availability of PHI. It requires implementing targeted risk assessments and a set of administrative, physical, and technical safeguards for PHI.
- The HIPAA Breach Notification Rule requires covered entities to provide notice of and about data breaches to impacted parties, to the Secretary of the HHS, and to the media.
If organizations fail to meet any of these requirements, they may be subject to the HIPAA Enforcement Rule. The HHS’s Office for Civil Rights (OCR) investigates possible violations to determine civil money penalties and may involve the Department of Justice (DOJ) in criminal investigations for severe and chronic violations with no evidence of corrective actions taken.
However, recent and upcoming changes to HIPAA give covered entities more leniency when they can demonstrate established, recognized security practices. Implementing HITRUST will make breaches and violations less likely—and minimize the regulatory impacts if they do occur.
HITRUST for Military Contractors
Organizations working with the DoD need to secure two kinds of data essential to the safety of all US citizens: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The CMMC standard is designed to streamline protections for these, adapted from NIST’s Special Publications (SP) 800-171 and 800-172—all of which are reflected in HITRUST.
What makes CMMC unique is its maturity Levels, which require greater implementation and assessment effort for organizations that handle CUI rather than just FCI, or that have greater exposure to threats.
The requirements for the CMMC certification levels break down as follows:
- CMMC Level 1: Foundational – Organizations implement 17 practices adapted from NIST SP 800-171 aimed primarily at protecting FCI, with annual self-assessments.
- CMMC Level 2: Advanced – Organizations implement 110 practices, covering all of NIST SP 800-171, protecting FCI and CUI, with triennial third-party assessments.
- CMMC Level 3: Expert – Organizations implement all 110 practices from NIST SP 800-171 and a subset of practices from NIST SP 800-172, with triennial government-led assessments.
The specific level an organization needs to reach will be specified on its DoD contract. At present, CMMC Level 2 may be attainable with a HITRUST i1 Assessment. When CMMC Level 3 Assessment criteria are finalized, it is likely that HITRUST r2 Assessments will satisfy them.
HITRUST and Government Regulations
HITRUST certification isn’t just for industry standards. It also helps organizations scale their operations across and into new locations and abide by laws that protect the local residents.
For example, within the US, many states have laws in place to protect the data privacy rights of their residents. One of the most impactful is the California Consumer Privacy Act (CCPA), which applies to organizations both within CA and outside of it if they process data concerning CA residents. CCPA compliance requires data protection and communications infrastructure.
On a global scale, one of the most impactful regulations in the world concerns the data privacy rights of European Union (EU) residents. The General Data Protection Regulation (GDPR) is a foundational data privacy law upon which most US states’ existing and proposed acts are based. It requires the utmost care and attention to ensure data subjects’ rights are upheld.
Meeting these requirements is high stakes and challenging—but easier through HITRUST.
HITRUST and State-Level Regulations
The CCPA went into effect in January of 2020. It applies to organizations that do business in the state, if they have a gross annual revenue over $25 million, process data from at least 100,000 CA residents, or derive at least 50% of their revenue from the processing of that personal data.
At a base level, these organizations need to protect four data privacy rights of CA residents:
- The right to know what data is collected from them and how (and by whom) it is used
- The right to delete personal information collected from them, with some exceptions
- The right to opt out of specific or all sales and sharing of their personal information
- The right to non-discrimination from organizations for exercising their CCPA rights
Upholding these rights means having visibility and control over the ways personal information is being used or could be used. It also means having communications and control channels open so that complaints or requests regarding personal data can be addressed as soon as possible.
And, as of January 2023, organizations also need to provide CA residents with the ability to correct their personal information and limit its use, as per the California Privacy Rights Act (CPRA).
HITRUST anticipated CCPA compliance needs in version 9.3 back in 2019, before it went into effect. As more US states implement similar legislation, HITRUST will help you stay compliant.
HITRUST for GDPR Compliance
Finally, the GDPR is one of the most widely applicable and high-stakes data privacy regulations in the world. It applies to any organization, irrespective of its location, as long as it processes the personal data of EU residents. It treats data privacy rights for data subjects as human rights, with tremendous consequences for organizations that do not protect them. Beyond the visibility and communications infrastructure required by the CCPA and other regulations, the GDPR also calls for a dedicated data protection officer (DPO) to ensure personal data privacy and security.
Most state regulations in the US (including CCPA) are based explicitly or implicitly on the GDPR.
One of the reasons the GDPR is seen as a gold standard worldwide is the zeal and ferocity with which individual EU Member States enforce GDPR penalties. In 2023 alone, a record €1.6 billion in GDPR fines had been assessed by May, averaging about €2.8 million per violation.
HITRUST certification has been one of the best ways to avoid GDPR penalties since at least 2018, when one of the top priorities in HITRUST CSF v9.1 was facilitating GDPR compliance.
Comprehensive Compliance Support
The HITRUST CSF is a revolutionary approach to cybersecurity and compliance across a wide variety of contexts. It helps organizations meet the varying regulations they’re already subject to, and it’s one of the most effective ways to anticipate and proactively comply with new ones.
RSI Security is a certified HITRUST advisor dedicated to serving organizations of all sizes as they diversify their offerings and expand into new markets. We believe that discipline creates freedom, and optimizing your security now empowers greater flexibility for long-term growth.
To learn more about how HITRUST certification powers scaling, contact RSI Security today!