The HITRUST Common Security Framework (CSF) Assurance Program is a framework for compliance assessment and risk management that is the most widely adopted in the healthcare industry.
Various healthcare organizations experience struggles because of inconsistent and redundant compliance requirements. There is a lot to consider. There is the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST), the Payment Card Industry Data Security Standard (PCI DSS), and the Health Insurance Portability and Accountability Act (HIPAA).
There is so much jargon, so many abbreviations, and so many compliance requirements that people in the healthcare industry can easily become confused, and that is before counting state laws such as the California Consumer Privacy Act.
The HITRUST CSF Assurance Program solves all compliance problems because it integrates, cross-references, and harmonizes all globally recognized standards for compliance. In addition, it acts as a guide that assists healthcare organizations in their pursuit of compliance.
Understanding the HITRUST CSF Assurance Program
The HITRUST CSF Assurance Program simplifies assessing and reporting on state, business, and regulatory-body requirements. It integrates the available frameworks so that there is one common approach to managing efficient security assessments.
Healthcare organizations use the HITRUST CSF Assurance Program to demonstrate their compliance and cybersecurity defense in a streamlined approach.
Organizations can either undertake a self-assessment using the HITRUST framework or enter into an external, third-party engagement with a HITRUST assessor. The HITRUST CSF Assurance Program ensures that compliance requirements are comprehensive yet aligned to support a healthcare organization’s objectives.
Methodologies and Mechanisms
The HITRUST CSF Assurance Program is built on a standard set of privacy and information security requirements that overlaps with existing frameworks, together with a standard method for assessing and reporting on the findings.
The belief is that the integration of frameworks can lead to cost efficiency instead of burdening healthcare organizations with cumbersome yet repetitive requirements.
The HITRUST CSF Assurance Program offers a practical solution to the confusion surrounding compliance requirements. To wit, here is a list of the existing requirement sources that the HITRUST CSF Assurance Program consolidates:
- Federal and international laws (examples: HIPAA, General Data Protection Regulation)
- Government regulatory agencies (examples: NIST, Federal Trade Commission, Centers for Medicare and Medicaid Services)
- US state legislation (examples: Texas, Nevada, Massachusetts)
- Industry frameworks (examples: PCI, Control Objectives for Information and Related Technologies)
The HITRUST CSF Assurance Program allows organizations to assess, proactively or reactively, whether they fulfill the provisions for compliance.
The same assessment gives organizations valuable insight into deficiencies or gaps that would cause them to fail a third-party compliance assessment.
HITRUST has oversight, governance, and vetting that can provide organizations with industry-wide security and assurances.
The HITRUST Common Security Framework
HITRUST refers to the Health Information Trust Alliance, which oversees data systems security within the healthcare industry.
Information security and business technology leaders collaborated on the HITRUST CSF, or Common Security Framework, to encourage teamwork within the industry.
The framework’s objective is to give healthcare companies all the security controls to use for full compliance.
Fulfilling the requirements of the HITRUST CSF can significantly help an organization to have passing marks during regulatory audits. In turn, compliance can help improve the reputation of a healthcare company and increase the confidence of clients and users about the safety of their personal health information.
The HITRUST CSF does not consist of broad, vague guidelines. Instead, it has specific, specialized controls and domains that pinpoint problems more efficiently.
The HITRUST CSF Assurance Program also accommodates organizations of all sizes, complexities, and contexts. Companies can choose between self-assessments and HITRUST CSF Validated Assessments.
The HITRUST CSF Assurance Program gives organizations the option of a self-assessment using standard methods and requirements. HITRUST and any third party remain hands-off during a self-assessment.
The organization must complete a risk-based scoping questionnaire by utilizing the MyCSF tool of HITRUST. The questionnaire enables control selection and assessment scope based on numerous risk factors.
After the scoping questionnaire, the MyCSF tool generates customized HITRUST CSF requirement statements and control references.
The participating organization must enter a response for each requirement statement and record its level of compliance against the five PRISMA-sourced maturity levels:
- Is a policy or standard already in effect?
- Is there a process or procedure to support this policy?
- Is there an implementation already?
- Is the management measuring and testing it to ensure that it works?
- Are the measured results undergoing management to ensure remediation actions will be carried out?
For each maturity level, the organization will rate its level of compliance with these options:
- Non-compliant (0%)
- Somewhat compliant (25%)
- Partially compliant (50%)
- Mostly compliant (75%)
- Fully compliant (100%)
After the organization determines its compliance score for each PRISMA maturity level, it submits the populated MyCSF object to HITRUST for report generation.
HITRUST CSF Validated Assessments
HITRUST CSF validated assessments are the domain of an Authorized External Assessor who will engage the organization with rigorous on-site testing.
This type of assessment is the industry preference for establishing high-level trust between two organizations that exchange a high volume of sensitive information. It also establishes a higher level of assurance for both parties where significant risk is involved.
Parties that pass the HITRUST CSF validated assessment receive a report with certification. It is tangible evidence that the organization uses best practices to protect vital personal healthcare data.
Validated assessments also use the MyCSF tool from HITRUST. The organization starts by answering a risk-based scoping questionnaire. The MyCSF tool will then generate a comprehensive set of HITRUST CSF requirement statements and control references.
The organization will then respond to the requirement statements according to the PRISMA maturity model for accuracy.
When compliance scores have been recorded for every PRISMA maturity level across all requirement statements, the organization submits the MyCSF object to the external assessor for validation.
When looking for a partner organization that can conduct HITRUST CSF assessments, check if they fall under the Qualified Resources of HITRUST:
1. Authorized External Assessor Organization
These are professional services or business units with the core business of providing security, risk, and consulting services.
2. Authorized Internal Assessor Function
These are departments within the organization itself that have the authorization to perform HITRUST CSF assessment procedures.
3. HITRUST Certified CSF Practitioner (CCSFP)
The CCSFP is a designation for individuals who have completed the CCSFP training course and passed the certification exam. This professional has the background and experience required to work for a HITRUST External Assessor organization or a firm that provides HITRUST CSF consulting services.
4. Certified HITRUST Quality Professional (CHQP)
The CHQP is a certified HITRUST professional who performs quality assurance work on CSF assessment engagements. This practitioner has completed the CHQP training course and certification exam, and typically works at a HITRUST External Assessor organization.
External Assessors are essential to provide on-site testing and walkthroughs of control documentation to confirm the organization’s self-assessment and address compliance gaps.
The CSF requirement statements also undergo verification before an organization is eligible for HITRUST CSF certification. HITRUST recognizes various testing strategies for this purpose:
- On-site walkthroughs with personnel interviews to confirm documented policies
- Inspection of documentation that guarantees the performance of a relevant control
- Check of written procedures that are relevant to HITRUST CSF requirements
- Observation of how appropriate controls and processes perform
- Technical testing to double-check the implementation of suitable controls
- Review of independent measures or metrics collected by the organization
- Assessment of evidence from the mechanisms used to manage the appropriate controls
These testing strategies are consistent with the National Institute of Standards and Technology (NIST) guidance as outlined in their Special Publication 800-115, Technical Guide to Information Security Testing and Assessment.
Testing may be a matter of judgment, but External Assessors must also comply with the guidance of HITRUST as included in the MyCSF tool.
All testing must also be completed within 90 days after the validated assessment is submitted to HITRUST.
Similarly, all system configurations, implemented tools, documentation, and control processes must have been in operation for 90 days to fall within the scope of the validated assessment.
Reliance on testing performed outside the 90-day window, or on controls, documentation, and procedures that have been in operation for less than 90 days, requires prior approval from HITRUST.
External assessors should also conduct interviews and walkthroughs directly with the owners of the security controls, not through a proxy such as a compliance analyst, consultant, or internal auditor.
The HITRUST CSF Assessment Methodology document provides additional guidance on how to conduct the validated assessment and testing.
A healthcare organization that meets all the assessment requirements will earn the recognition as “HITRUST CSF Certified.”
The certification proves that the organization demonstrated the implementation and performance of its controls during the validated assessment, which leveraged the MyCSF tool, the embedded HITRUST CSF control requirement statements, and the PRISMA maturity model.
CSF certification is a vote of confidence that the organization has proper protocols to manage risk, especially regarding sensitive personal information. It removes variability in acceptable privacy and security requirements by creating an industry-defined baseline and eliminating expensive and unnecessary negotiations for risk acceptance.
A HITRUST CSF Certified organization communicates to its partners and regulatory bodies that it is serious about protecting sensitive information and has the essential security and privacy controls in place.
The Reason Behind HITRUST
HITRUST, or the Health Information Trust Alliance, began in 2007 as a not-for-profit organization to manage information risk and protect sensitive personal information. The group supports third-party supply chains as well.
The origin of the HITRUST Common Security Framework (CSF) emanated from the struggle of the healthcare industry to manage the various healthcare-specific controls, including HIPAA. The following situations led to the creation of the framework:
- Advances in, and a surge of, cybercriminal exploitation of system gaps
- Inconsistent interpretation of control objectives across the various frameworks
- Unproductive focus on issues raised by regulatory bodies and auditors
Organizations that handle electronic protected health information (ePHI) benefited greatly from the consolidation efforts of the HITRUST CSF. Certification is essential, but it need not be confusing.
The HITRUST CSF consistently evaluates the following in healthcare organizations:
- The capability of the healthcare company to manage security controls
- Clear policies and procedures
Expert Guidance for the HITRUST CSF Assurance Program
Protecting sensitive personal data is already a tall task for the healthcare industry, with so many malicious entities and cybercriminals intent on exploiting this digital information for monetary gain. As a result, numerous cybersecurity and operational frameworks have emerged to protect digital information. There are too many of them, and healthcare organizations have struggled to keep up with all the compliance requirements.
The HITRUST CSF Assurance Program integrates the overlapping frameworks to make it easier for healthcare organizations to achieve compliance. However, whether an organization chooses a self-assessment or a HITRUST CSF validated assessment, it is still best to proceed with the guidance of an industry expert so that nothing is left to chance.
RSI Security is an authorized HITRUST CSF Assessor with a team of HITRUST practitioners and advisors who provide expertise to your organization throughout HITRUST CSF validation or certification.
Partner with RSI Security to get comprehensive compliance for the HITRUST CSF Assurance Program. We are a full-service managed security service provider organization with years of expertise in data security compliance, information security program implementation, and penetration testing services.
Download Our HITRUST Compliance Checklist
Assess where your organization currently stands on HITRUST compliance by completing this checklist. After you fill out this brief form, you will receive the checklist by email.