Learning about the 19 HITRUST domains is essential to mastering data protection. It may sound technical and complex, but we will walk you through the HITRUST Common Security Framework (CSF).
Understanding the HITRUST CSF
By itself, HITRUST refers to the organization that manages data systems security for the healthcare industry. HITRUST refers to the Health Information Trust Alliance.
This alliance strongly indicates the need for teamwork. Thus, spearheaded by business technology and information security leaders, a collaboration led to creating the HITRUST CSF or the Common Security Framework.
This framework combines numerous standards such as NIST, HITECH, and HIPAA to help organizations comply with security controls.
Keeping up with HITRUST CSF requirements can yield positive results for audits and minimize regulatory risks. They can strengthen the confidence of stakeholders regarding the protection and processing of private information.
The HITRUST CSF Structure
Instead of creating guidelines that are broad in coverage, the HITRUST CSF created specialized domains and controls. By being specific, it becomes easier to identify and pinpoint problems. It is essential to quickly correct an information security system when problems and incidents happen. Let’s take a look at these CSF domains:
The 19 HITRUST Domains
Overall, the HITRUST CSF comprises 19 domains that rely on precision when targeting data protection. These domains have 135 security controls. They are specific and quantitative to facilitate better tracking, monitoring, and documentation.
Information Protection Program
The network must have processes to protect the integrity, confidentiality, and privacy of sensitive data. The information security management system (ISMS) should reflect this.
Endpoint protection is the umbrella term for systems that combat viruses and malware. It encompasses intrusion detection systems, patches, firewalls, and software updates. This domain also lists the requirements that must be common among network laptops, workstations, servers, and storage facilities.
Portable Media Security
Portable media opens a door of vulnerabilities because they can be transported easily in and out of workplaces. This control domain oversees mobile storage devices such as compact discs, USB drives, DVD-ROMs, and backup tapes.
Mobile Device Security
Separate domain control is set aside for network devices such as tablets, smartphones, and laptops. These devices have more functionalities but similar to mobile storage devices; they can easily be transported in and out of workplaces.
Most office headquarters and workplaces have a wireless network in place. This may either be an internal or a guest network. A control domain is set in place to cover all aspects of wireless security. But it does not cross over to the protection of the device that connects to these networks.
Domain control covers everything about configuration management, including the following:
- change control
- configuration audit
- configuration item identification
- configuration status accounting
- environments for testing and development
Vulnerability issues in this domain control include the following key topics:
- vulnerability scanning and patching
- antivirus software
- network/host-based penetration detection systems
Internal network security and perimeters detailed in this domain control include the following aspects:
- network-based application-level firewalls
- intrusion detection systems
- DDOS protection
- IP reputation filtering.
Here is a separate domain control for network and web connections, namely, email, VPN, email, and chat messaging. This can be easily accessed by intruders if left unchecked.
Traditional passwords are still a common practice for many office employees. But there must be a domain control in place to protect the integrity of traditional passwords.
Any other means of access control in a network that does not use traditional passwords fall under this domain control. We explore fewer forms of access here.
Audit Logging and Monitoring
Audit logging and monitoring are vital for documentation. This domain control focuses on all aspects relating to these processes.
Education, Training, and Awareness
Awareness campaigns are essential within workplaces to help improve the resistance against vulnerabilities. This domain control is in charge of awareness campaigns and the empowerment and training of security personnel and standard users.
Third-party partners and vendors are becoming essential additions to the environment of a workplace. But they also introduce vulnerabilities and risks within the system that are addressed in this domain control.
When there are incidents or breaches within a working system, managing these scenarios is essential. This control domain focuses on incident monitoring and detection as well as response and reporting protocols.
Business Continuity and Disaster Recovery
Disasters and catastrophes come when least expected. When these occur, the business must have a plan to continue operations and recover from losses. This control domain takes on contingency, planning, testing, and implementation.
Risk management is an essential aspect of maintaining the longevity and data security of a company. This control domain is in charge of risk analysis and risk assessment.
Physical and Environmental Security
Even with robust digital information security in place, this information will still have a physical storage location. This control domain is tasked with handling the environmental security requirements for data centers and other storage facilities that dispose of and destroy sensitive information.
Data Protection and Privacy
The final control domain encompasses the compliance of an organization with privacy protocols. It is essential because there are laws that penalize the gross mishandling of critical digital information.
Maturity Levels and Acquiring HITRUST Certification
To accomplish HITRUST CSF certification, passing scores in all of the 19 HITRUST domains are necessary. Five Maturity Levels measure the performance of an organization for every domain. They include:
It is essential to identify policies within the organization that focuses on the requirements needed by the controls.
This is the step-by-step documentation for non-automated controls. It contains pertinent information about the flow of the process — what it can do, who will be involved in it, where it is implemented, and why it is essential. It is necessary to identify the correct steps to not subject the company to unnecessary risks and vulnerabilities.
It is one thing to chart and identify the processes and procedures of HITRUST certification. It is another to implement it properly. This Maturity Level ensures that the outlined functions will be accomplished and carried out well.
Measured and Managed
The last two Maturity Levels intertwine because of their high interrelation. Thus there must be continuous monitoring for these Maturity Levels. To show that a domain is measured and managed well, there must be sufficient documentation. Fortunately, these last two Maturity Levels are not strictly needed in HITRUST certifications and are usually left out.
The company must evaluate the controls against these Maturity Levels to determine the grade. This score is determined by the degree of implementation and the weight of the Maturity Level. Passing the assessment is crucial to ensuring the operation of the company.
The Maturity Levels of Policy, Procedure, and Implementation Maturity weight 25% each. Companies can secure 75 out of 100 points for these maturity levels.
The Measured and Managed Maturity Level, on the other hand, are weighted at 15% and 10%.
Many organizations secure their HITRUST certification by passing the Maturity Levels that tackle Policy, Procedure, and Implementation by seeing the Measured and Managed Maturity Levels considerably lower weight.
Experts recommend that organizations new to HITRUST certification avoid the Measured and Managed Maturity Levels and focus on the more critical Policy, Procedure, and Implementation.
Integrating Updates of the HITRUST CSF
The HITRUST CSF is not a static framework. It incorporates changes in technology, policies, and digital trends. The latest version (v 9.3) took effect last January 1, 2020. There are vital additions to the framework that helps make it a robust reference for compliance.
Requirements and revisions that were integrated came from various laws that have innovations regarding data protection. They include the following:
- California Consumer Privacy Act
- Insurance Data Security Act of South Carolina
- NIST SP 800-171 R2 (DFARS)
- NIST Framework for Improving Critical Infrastructure Cybersecurity
- CMS ARS 3.1
- IRS Publication 1075: Safeguards for Protecting Federal Tax Returns and Return Information
- CIS CSC v7.1
- ISO 27799:2016 Health informatics
Benefits of Meeting the Requirements of HITRUST Domains
Cybersecurity concerns are the primary focus of the HITRUST CSF — whether the involved industry involves healthcare, finances, banking, technology, and many more. When there is critical and vital digital information involved, there must be an effective protection program.
Meeting the requirements of the HITRUST CSF domain controls will provide this protection.
A single and encompassing framework can help all stakeholders to be more efficient in devoting resources towards compliance. There is less confusion, and everyone can be on the same page.
Here are some of the inherent benefits of full compliance:
- Cost Efficiency. There are no conflicting regulations because all control domains are standardized. There is no repetition of effort or unnecessary use of resources to comply with redundant guidelines.
- Improved Security in Sharing of Sensitive Data. There are fewer fears when processing sensitive information because of the high-quality standards put in place by the 19 HITRUST CSF domains.
- Flexibility to Accommodate Various Organizations. The HITRUST CSF maintains an overall scope when it comes to handling sensitive data. This can be adopted by organizations and companies regardless of their size, complexity, and industry.
- Scalable for More Growth. While the HITRUST CSF can adjust to companies who are just starting to comply with the control domains, it is also scalable enough to grow with the company as they evolve to more mature levels. Essential because threats and trends continually evolve in cybersecurity. New versions of the HITRUST CSF also reflect these changes.
- Risk Management. One of the strengths of the HITRUST CSF is that it is not vague. It has highly specialized control domains that allow easier troubleshooting of specific problems in a system.
Compliance with Professional Guidance
RSI Security is a leading expert when it comes to compliance with the 19 HITRUST domains. We are a full-service security service provider with years of experience in data security compliance.
The HITRUST CSF can be a complicated and complex undertaking for organizations without professional guidance. RSI Security is an authorized HITRUST CSF Assessor to help an organization complete a HITRUST CSF Validation or Certification.
We can get your organization started on finding the successful scope of coverage for compliance. Our priority is the cost-efficient use of time and resources. We can help streamline the security of the company as part of the implementation process.
The healthcare industry primarily manages the HITRUST CSF enforcement. There is now a faster adoption of HITRUST among hospitals, and we can assist in improving the company’s security and compliance.
Here are services relating to HITRUST CSF compliance that we can comprehensively offer to your company:
- Gap Assessment
- Facilitated Self-Assessment
- Interim Assessment
- Continuous Monitoring
- Bridge Assessments
- HITRUST-SOC Coordinated Assessments
- Third-Party Risk Management Program
- HITRUST CSF Certification Marketing Support
- Healthcare Risk Analysis and Advisory
Have peace of mind when it comes to HITRUST CSF implementation. We can help bolster the security and risk management of the organization. An adequately maintained company with full compliance with laws will have a better reputational advantage among service providers.
Some customers require HITRUST CSF certification before doing any transaction. Preparing this compliance document beforehand can help you secure more business opportunities.
With RSI Security, you can be sure to receive top industry inputs and guidance on matters of HITRUST CSF compliance. We will provide expert assistance every step of the way.