The HITRUST RMF, which consists of the HITRUST CSF, CSF Assurance Program and supporting tools, methods and services, is actually a model implementation of the NIST Framework for Improving Critical Infrastructure Cybersecurity (also known as the NIST Cybersecurity Framework) for industry.
The NIST framework is intended to provide guidance to critical infrastructure industries on the development of industry, sector or organization-specific cyber security programs and help ensure a minimum level of consistency and rigor. The HITRUST RMF maps completely to the sub-categories in the NIST framework and is further supported by an implementation maturity model that also maps to the NIST model. However, HITRUST goes beyond the NIST framework recommendations by providing a fully functional cyber threat intelligence and response program to enable the U.S. healthcare industry to protect itself from disruption by these attacks. The HITRUST Cyber Threat XChange (CTX) is the single best source of intelligence on threats targeted at healthcare organizations and medical devices, providing actionable information for strategic planning and tactical preparedness and coordinated response for both large and small organizations.
HITRUST CTX also facilitates critical intelligence sharing between the healthcare industry, the U.S. Department of Homeland Security (DHS) and the U.S. Department of Health and Human Services (HHS), while supporting monthly threat briefings and alerts. In addition, HITRUST and DHS evaluate the industry’s preparedness and the effectiveness of HITRUST CTX through industry-wide cyber-attack and response exercises in which participating organizations examine both broad and segment-specific scenarios targeting information systems, medical devices and other essential technology resources of the healthcare industry.
HITRUST and the Office of the National Coordinator (ONC) Office of the Chief Privacy Officer (OCPO) also co-chaired the Risk Management Task Group (RMTG) of the Joint Healthcare and Public Health (HPH) Cybersecurity Working Group (WG), part of the Critical Infrastructure Protection (CIP) Public and Private Partnership. The RMTG was tasked to coordinate the development of (1) a tailored, Sector-wide HPH Cybersecurity Framework Implementation Guide, leveraging existing documents and efforts, and (2) supplemental guides tailored to different levels of users and different types of technology, as needed, which may include but are not limited to small organization implementation and medical device security. The guidance developed by the RMTG for HPH Sector-wide use is based on the HITRUST RMF, of which the HITRUST CSF and CSF Assurance Program are a part, and is available as a 508-compliant PDF from the US-CERT Cybersecurity Framework Webpage or can be downloaded directly here.
For more information, refer to the NIST and HITRUST CSF Webinar presentation and the Healthcare Sector Cybersecurity Framework Implementation Guide.