From its inception, HITRUST chose a risk-based rather than a compliance-based approach to information protection, with the aim of helping to mature the industry's approach to safeguarding information. By integrating NIST's moderate-level control baseline into the CSF, which is in turn built upon the ISO 27001:2005 control framework, HITRUST leverages the comprehensive threat analyses employed by these frameworks to provide a robust set of prescriptive controls relevant to the healthcare environment. The CSF also goes beyond the three NIST baselines for specific classes of information and provides multiple control baselines determined by specific organizational, system and regulatory risk factors. These baselines can be further tailored through the formal submission, review and acceptance by HITRUST of alternative controls (what PCI-DSS refers to as compensating controls), giving the industry additional flexibility in selecting reasonable and appropriate controls while still providing assurance that sensitive information is adequately protected.
Traditional risk analysis guidance (e.g., from HHS) can then be adapted to support the use of a comprehensive control framework, one built upon an analysis of common threats to specific classes of information and common technologies, as follows:
- Conduct a complete inventory of where ePHI lives
- Perform a BIA on all systems with ePHI (criticality)
- Categorize and evaluate these systems based on sensitivity and criticality
- Select an appropriate framework baseline set of controls
- Apply an overlay based on a targeted assessment of threats unique to the organization
- Evaluate residual risk: likelihood based on an assessment of control maturity, and impact based on relative (non-contextual) ratings
- Rank risks and determine risk treatments
- Make contextual adjustments to likelihood and impact, if needed, as part of the corrective action planning process
Because the HITRUST CSF provides a risk-based approach to information protection and compliance, organizations of varying risk profiles can customize the security and privacy control baselines through a variety of organizational, technical, and compliance risk factors.
For more information, refer to the Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection brochure and the Risk Analysis Guide for HITRUST Organizations and Assessors.