Founded in 2007, HITRUST initially provided a comprehensive framework for safeguarding protected health information (PHI) and electronic health records (EHR) in the medical industry. Since then, the HITRUST CSF has expanded to include the most widely applicable compliance requirements across numerous industries and organizational activities. Although there aren’t any specific HITRUST encryption requirements, some of the standards it includes—specifically, HIPAA—do require encryption.
Understanding the Benefits of HITRUST
HITRUST provides many benefits to any organization by incorporating the most common compliance frameworks and industry standards and providing a user-friendly pathway to achieving compliance.
This guide teaches you the basics of HITRUST, including the standards it encompasses, and how you can maintain compliance with the relevant HITRUST encryption requirements:
- What is HITRUST, and what does it include?
- Which professional standards are included in HITRUST?
- What are the encryption requirements for HITRUST?
The best path for achieving HITRUST certification with extensive advisory along the way is to partner with an Authorized External Assessor.
What is HITRUST?
HITRUST is a direct response to the numerous healthcare-oriented regulations introduced in the early 21st century. The organization publishes and maintains the HITRUST CSF, which encompasses many different policies, programs, and standards, including:
- HIPAA – The current industry standard in healthcare IT, the Health Insurance Portability and Accountability Act (HIPAA), provides a comprehensive set of governmental rules and regulations regarding the usage and storage of PHI and EHR.
- HITECH – The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted in 2009 as part of the American Recovery and Reinvestment Act. It strengthened HIPAA's privacy and security rules, extended them to business associates, and introduced the breach notification requirements that make encryption of PHI and EHR so valuable.
- PCI-DSS – The Payment Card Industry Data Security Standard, or PCI-DSS, is a set of standards established by all the major credit card providers. It applies to any organization that stores or processes cardholder data.
- ISO / IEC – Established well before the digital age, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have made recommendations regarding implementing encryption when storing or transmitting sensitive data.
- NIST RMF – The National Institute of Standards and Technology (NIST) maintains a detailed Risk Management Framework (RMF) that is similar in scope to HITRUST's CSF. NIST also publishes the cryptographic standards and guidance (FIPS 197 for AES and the SP 800 series) that most of the other frameworks reference when they talk about encryption.
- Certain state-specific requirements – Both Massachusetts and Nevada have introduced requirements regarding data encryption.
HITRUST Encryption Requirements for HIPAA
HIPAA is a major component of the HITRUST CSF. The HIPAA Security Rule does not mandate a particular encryption product or algorithm; it lists encryption as an "addressable" implementation specification for ePHI at rest and in transit (45 CFR 164.312). Encrypting sensitive health data is the most direct way to meet that specification.
"Addressable" does not mean optional. A covered entity must implement encryption where it is reasonable and appropriate, and where it decides not to, it must document why and put an equivalent alternative safeguard in place. HIPAA's aim remains protecting individuals' identifiable health information, and encryption is the strongest technical safeguard available for that purpose.
The second reason encryption matters for HIPAA is breach handling. Under the Breach Notification Rule, PHI that was encrypted in line with HHS guidance is not "unsecured PHI", so the loss of an encrypted laptop or backup is not a reportable breach, provided the key was not compromised along with the data. If an unauthorized party cannot read the data, no notification is triggered.
Because the HITRUST CSF maps its encryption controls to HIPAA, encrypting PHI as the CSF requires also satisfies HIPAA's addressable encryption specification, and a sound HIPAA encryption program covers the corresponding CSF controls.
PHI and EHR Encryption Requirements
Under HIPAA's Security Rule, any data classified as PHI or EHR must be encrypted wherever a risk analysis shows encryption to be reasonable and appropriate. This applies to data at rest and data in transit. HIPAA itself does not mandate a specific algorithm; HHS guidance points to NIST publications, which in practice means AES with a 128-, 192-, or 256-bit key, used in an authenticated mode (such as GCM) for stored data and TLS for data in transit.
Password Encryption Requirements
HIPAA and the HITRUST CSF also require passwords to be protected both in storage and in transit. In transit, that means TLS. In storage, the right control is not reversible AES encryption but a salted, deliberately slow one-way hash (bcrypt, scrypt, Argon2, or PBKDF2): a stolen table of such hashes gives an attacker nothing directly usable, whereas an AES-encrypted password store is only as safe as the key sitting next to it.
Current HITRUST encryption requirements state that organizations must have a comprehensive password management system in place. Policies like these help protect patients, end-users, and organizations. These requirements include:
- Never storing or transmitting plaintext passwords – Hash passwords before storing them and send them only over an encrypted channel. A stolen table of salted, slow hashes gives an attacker nothing to use directly; a plaintext or weakly protected table is an immediate credential compromise.
- Separating credential stores from application systems – Do not keep system or service-account passwords on the same host as the critical applications they protect, and never in application source or configuration files. If an attacker compromises one, they should not automatically gain the other and move laterally through your network.
- Requiring strong passwords – Users treat passwords as an inconvenience and pick the simplest value the system accepts. Enforcing a minimum length and complexity (a mix of letters, numbers, and symbols) and rejecting known-breached passwords makes guessing and offline cracking far harder.
- Requiring periodic password changes – The CSF sets normal user passwords to expire every 90 days and privileged-account passwords every 60 days. Rotation limits how long a leaked credential remains valid; it does not undo a past breach, so it belongs alongside, not instead of, screening for breached passwords.
- Preventing password re-use – Users work around expiry by cycling back to old passwords. Per the HITRUST CSF, the system must keep a history of previous password hashes and reject any new password that matches one of them.
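The password controls listed above translate directly into code. The following is an added example written for this article, not code from the original page or from HITRUST; it uses salted PBKDF2-HMAC-SHA256 (a one-way hash, not the reversible encryption the list mentions) for storage, a hash history to block re-use, and the 90-day and 60-day expiry windows from the CSF. The 12-character minimum, the six-entry history depth, and the 600,000 iteration count are assumptions chosen for the example, not CSF values.

```python
"""Password policy enforcement modeled on the HITRUST CSF items above.

Added example, not from the original page. Thresholds marked ASSUMPTION are
illustrative choices, not values taken from the CSF.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

PBKDF2_ITERATIONS = 600_000          # ASSUMPTION: OWASP 2023 figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
MIN_LENGTH = 12                      # ASSUMPTION: minimum password length
HISTORY_DEPTH = 6                    # ASSUMPTION: number of previous hashes remembered
EXPIRY_DAYS = {"user": 90, "privileged": 60}   # CSF expiry windows from the text


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is generated unless one is given."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive under the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def is_strong(password: str) -> bool:
    """Length plus a mix of letters, digits and symbols, as the text describes."""
    return (
        len(password) >= MIN_LENGTH
        and re.search(r"[A-Za-z]", password) is not None
        and re.search(r"\d", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


@dataclass
class Account:
    role: str                       # "user" or "privileged"
    salt: bytes
    digest: bytes
    changed_at: datetime
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # previous (salt, digest)

    def is_expired(self, now: datetime) -> bool:
        return now - self.changed_at > timedelta(days=EXPIRY_DAYS[self.role])


def create_account(role: str, password: str, now: datetime) -> Account:
    if not is_strong(password):
        raise ValueError("password does not meet complexity policy")
    salt, digest = hash_password(password)
    return Account(role=role, salt=salt, digest=digest, changed_at=now)


def check_new_password(account: Account, new_password: str) -> str | None:
    """Return a rejection reason, or None if the password is acceptable."""
    if not is_strong(new_password):
        return "too weak"
    # Every remembered entry has its own salt, so each must be re-derived.
    for salt, digest in account.history + [(account.salt, account.digest)]:
        if verify_password(new_password, salt, digest):
            return "recently used"
    return None


def change_password(account: Account, new_password: str, now: datetime) -> None:
    reason = check_new_password(account, new_password)
    if reason is not None:
        raise ValueError(reason)
    # Push the current hash into history, keeping only the most recent entries.
    account.history = (account.history + [(account.salt, account.digest)])[-HISTORY_DEPTH:]
    account.salt, account.digest = hash_password(new_password)
    account.changed_at = now


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    acct = create_account("privileged", "Correct-Horse-Battery-9", t0)
    print("expired after 61 days:", acct.is_expired(t0 + timedelta(days=61)))
    print("reuse blocked:", check_new_password(acct, "Correct-Horse-Battery-9"))
```

The history check re-derives the candidate under every stored salt, so its cost grows with the history depth; that is deliberate, since a fast check would mean a fast hash, which is exactly what a password store must avoid.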
Additional Encryption Requirements
While HIPAA is the original cornerstone of HITRUST and the HITRUST CSF, it’s not the only component. These additional standards, policies, and programs all have nuances regarding the normal HITRUST requirements.
HITRUST Encryption for HITECH
HITECH does not add an encryption mandate of its own. HIPAA's Security Rule supplies the addressable encryption specification, and HITECH's breach notification provisions are what make encryption so valuable: properly encrypted PHI is not "unsecured PHI", so its loss does not trigger notification. Because the two laws operate together, encryption is effectively expected for HITECH compliance as well.
HITRUST Encryption for PCI-DSS
PCI-DSS is a significant component of HITRUST and its CSF. Current PCI-DSS requirements render stored primary account numbers unreadable (Requirement 3) and require strong cryptography for cardholder data sent over open, public networks (Requirement 4). PCI-DSS defines "strong cryptography" as AES with at least a 128-bit key or an equivalent, and many organizations choose 256-bit keys. A correctly implemented AES-128 key cannot be brute-forced with today's technology; in practice the risk lies in key management and the mode of operation, not in key length.
HITRUST Encryption for ISO / IEC
Current ISO / IEC management standards (ISO/IEC 27001 and its Annex A) require a policy on cryptographic controls but do not mandate a particular algorithm. The companion standard ISO/IEC 18033-3 catalogs approved block ciphers, grouped by block size rather than key length:
- 64-bit block ciphers: TDEA, MISTY1, and CAST-128
- 128-bit block ciphers: AES, Camellia, and SEED
The 64-bit figure is the block size, not the key size, and 64-bit block ciphers are legacy: encrypting large volumes of data under one key exposes them to birthday-bound collision attacks. AES, with a 128-bit block and at least a 128-bit key, has become the benchmark in most industries and is acceptable under nearly all modern standards.
HITRUST Encryption for NIST
NIST also publishes specific encryption guidance. Its approved symmetric algorithms were AES and Triple-DES (TDEA), but NIST SP 800-131A Rev. 2 disallows TDEA for encrypting new data after 2023, so AES is the only choice for new systems. NIST's minimum security strength is 112 bits, which in practice means AES with a 128-bit key or stronger.
State-Specific Encryption Requirements
In addition to the common HITRUST requirements, certain states within the U.S. also mandate encryption requirements of their own.
- Massachusetts – Chapter 93H of the Massachusetts General Laws and its implementing regulation, 201 CMR 17.00, require encryption of personal information stored on portable devices, including laptop computers, and of personal information transmitted wirelessly or over a public network.
- Nevada – The Nevada Revised Statutes (NRS) require encryption of personal information. Because the statute does not pin down a concrete definition of the term, the requirement is left open to interpretation.
Maintaining HITRUST Compliance
For many organizations, HITRUST makes it easier to deal with all of the applicable standards and regulations in the healthcare industry. But with so many moving parts, it requires a methodical, well-planned approach.
If you still find it difficult to meet the current HITRUST encryption requirements, or if you want to learn more about HITRUST and the standards it includes, contact RSI Security today.