HITRUST: Everything you need to know

HITRUST
INTRODUCTION

HITRUST was established in 2007 as a non-profit organization, initially to create and promote initiatives to secure sensitive data such as electronic protected health information (ePHI). HITRUST attempts to fill a gap left by laws like HIPAA, which state what must be protected but give little prescriptive guidance on how. It is still a common misconception that HITRUST is only for organizations in the healthcare sector. In reality, HITRUST has expanded its services and capabilities to support organizations across all industries, and throughout their third-party supply chains, as they manage information risk.

WHAT IS HITRUST CSF?

The HITRUST Common Security Framework (HITRUST CSF) is a certifiable framework that gives organizations a thorough, adaptable, and effective method for managing risk and complying with regulations. The HITRUST Alliance is a non-profit organization that was established in 2007 with the mission that “information protection should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges.” HITRUST also spearheads numerous initiatives in information protection advocacy, education, and awareness. Although it began in healthcare, the framework has since been made industry neutral.

CONNECTION BETWEEN HIPAA AND HITRUST

The healthcare sector depends more and more on the secure transmission and storage of electronic data. Data security and compliance with laws like HIPAA are both extremely important, but they overlap in ways that make them challenging to administer. Many HIPAA rules are complex and open to interpretation, so depending on the size and level of expertise of a business, they may be misunderstood or applied in ways the regulation never intended. HITRUST seeks to address these problems by offering an integrated security strategy and a means of demonstrating compliance with the HIPAA Security Rule to an outside assessor. Many hospitals and health networks rely on HITRUST, as a recommended and certifiable framework, to manage risk.

The HITRUST CSF is made up of 14 Control Categories, 19 Domains, 49 Control Objectives, 156 Control References, and 3 Implementation Levels. Built on the foundation of ISO 27001/27002, it has grown to harmonize a wide range of laws, standards, and business requirements, including HIPAA, PCI DSS, NIST SP 800-53, COBIT, GDPR, and more. Although the modern application of HITRUST extends far beyond the healthcare sector, it has its roots in HIPAA compliance and has developed into a very useful mechanism for validating HIPAA compliance.

IMPORTANCE OF HITRUST

HITRUST is significant because it provides certifiable assurance of the operational effectiveness and maturity of an information security program. There are numerous information security frameworks and assessment techniques, but most do not lead to a formal certification, and most do not use a maturity model that lets the recipients of the certification or report judge how mature the organization’s security processes actually are.

HITRUST CERTIFICATION

HITRUST keeps improving its services to handle a wide range of risk situations in response to market demand. The legacy HITRUST CSF Validated Assessment (now the r2 Assessment and Certification) has long served organizations that need a strong level of assurance. To support organizations that do not require that level of assurance, HITRUST has developed additional assessment products: the bC and i1 assessments.

Basic, Current-state (bC) Assessment

The HITRUST Basic, Current-state (bC) Assessment offers the lowest degree of assurance (and requires the least effort). The bC is a standardized self-assessment that emphasizes good security hygiene; it uses the HITRUST Assurance Intelligence Engine to identify errors and omissions and to ease validation. There is no certification associated with the bC. More information on the bC assessment is available on the HITRUST website.

1-Year (i1) Validated Assessment + Certification

According to HITRUST, the i1 assessment is threat-adaptive: requirements are added and removed to reflect the constantly changing threat landscape. The i1 differs from the traditional HITRUST assessment and certification approach in that it uses a static (non-tailored) set of controls rather than one scoped to the organization. HITRUST describes the i1 as requiring a “moderate” amount of effort, although early results suggest that the i1 requires considerably more work than standard information security audits such as SOC 2, ISO 27001, or PCI DSS. The i1 can be carried out as a readiness assessment, or as a validated assessment performed by an external assessor organization, in which case HITRUST reviews the assessment and issues a certification that is valid for one year. More information on the i1 validated assessment and certification is available on the HITRUST website.

Risk-based, 2-Year (r2) Validated Assessment + Certification

The r2 remains a tailored assessment: scoping factors determine how many requirements are in scope, and therefore how large the assessment is. The r2 is best suited for high-risk situations that call for a high level of assurance. It is regarded as difficult and intensive, requiring roughly five times as much work as the i1. Like the i1, the r2 can be conducted as a readiness assessment or as a validated assessment with certification; the r2 certification is valid for two years, provided an interim assessment is successfully completed at the one-year point.

CONCLUSION

Organizations are looking for a wider variety of assessments that balance the demands on their time, effort, and resources while still offering a degree of assurance consistent with the risk. HITRUST provides a broad range of assessment options to satisfy organizational and vendor demands for differing levels of assurance. A comparison of the HITRUST assessment options is available on the HITRUST website.

Visit our website https://graxoconsulting.com/ for more information. You can contact us at talktous@graxoconsulting.com for your cybersecurity needs.