Compliance in healthcare: The HITRUST framework

In our ever-expanding digital world, healthcare organizations have become increasingly dependent on technology to keep up with evolving consumer needs. Just one example is the heightened reliance on telehealth solutions prompted by the pandemic. This trend has changed the future of our healthcare infrastructure, requiring leaders to make new investments and consider all the risks of scaling mission-critical systems.

Of course, one of the biggest risks exacerbated by this increase in digital investment over the past few years is cyberattacks, specifically those focused on patient data. There have been more than 350 cyberattacks on healthcare organizations since June 2020, according to the CyberPeace Institute. Each attack exposed an average of 165,000 patient records and impacted the organization’s operations for nearly 20 days. The most common types of data exposed included patient names, addresses, social security numbers, patient health information and health insurance information.

With the rise in cyberattacks, healthcare leaders have explored various solutions to protect their institutions from digital disruption, including the Health Information Trust Alliance (HITRUST). HITRUST is an organization that created the HITRUST-Common Security Framework (CSF), which combines the rules of other existing industry frameworks, including HIPAA, NIST, ISO 27001 and more. HITRUST-CSF was created with the intent of consolidating these frameworks to address the number of security, privacy and regulatory challenges that healthcare organizations are facing.

How to become HITRUST-CSF certified

Any healthcare organization that manages sensitive information can look to HITRUST-CSF as a way to assess their security and compliance approaches. HITRUST-CSF certification is not mandated by any government entity. Rather, it covers various frameworks that are required by governments and thus has become a reliable framework by many healthcare organizations.

HITRUST-CSF is not structured around broad buckets like other security frameworks. Rather, it is divided into 19 different security domains focused on helping organizations achieve compliance. The framework is continually updated and scalable depending on the organization’s needs and size.

Organizations must reach a passing score in each of the 19 domains in order to achieve HITRUST certification. An organization’s scores are also evaluated against five maturity levels by measuring each control requirement and then scoring each level based on how well each control is executed.

There are three degrees of assurance or assessment levels that organizations need to complete to become HITRUST-CSF certified. This helps to determine the level of confidence that a healthcare organization meets in regard to the HITRUST-CSF requirements. Each level builds on one another; organizations with the highest level meet all the requirements to be HITRUST-CSF certified.

Why it’s important to become HITRUST-CSF certified

In healthcare, developing trust and a strong relationship between providers and patients is essential. HITRUST-certified organizations can assure their patients that their information and data are safeguarded against potential cyberattacks. In addition to establishing the trust of patients, there are several other reasons an organization should look to become HITRUST certified, including:

Reduced risk: HITRUST gives organizations a holistic understanding of their data integrity posture, which enables them to address any risks and vulnerabilities — ultimately reducing the potential for future problems.
Industry-leading benchmark: Because HITRUST-CSF is the leading standard for data security in the healthcare industry, completing certification will help further demonstrate that an organization is using best practices and effectively addressing requirements across many regulatory standards.
Enhanced partnership opportunities: In many cases, healthcare organizations are required by their third-party partners to have robust cybersecurity programs in place. Because HITRUST-CSF is the most streamlined and all-encompassing framework, this helps to prove that an organization is focused on compliance, therefore helping to attract third-party partners and vendors.
Competitive advantage: Being able to assure patients, providers, payers, vendors, commercial insurance brokers and other stakeholders that patient data is secure and protected can help better position almost any healthcare organization against its competitors.

The security of patient data has become of utmost importance for healthcare organizations. Although the HITRUST certification process is not easy, the benefits of receiving certification are significant. Your organization will be able to assess IT risk and adjust as needed in order to protect both the enterprise and patient data. Being able to demonstrate compliance adds a layer of assurance for every member of the healthcare value chain that knows patient data is protected by an organization that meets all recommended security requirements.

This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine. Subscribe here.

Philip Jones, is a Privacy Leader, Director of Security, Chief Security Architect, and Data Privacy Officer (DPO) with a Master Level Security and in the process of achieving his Fellowship in Privacy (FIP) certification. Phil has built multiple privacy programs ranging from startups to major international organizations. He has guided multiple board of directors through tough and complex compliance of security and privacy regulations. Prior to joining Mazars USA, Phil held several leadership roles in Privacy/GDPR, U.S. regulatory compliance, and Cybersecurity of both prestigious consulting firms and technology organizations, including U.S. Navy Intelligence, IBM and Booz Allen & Hamilton.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.