Since the inception of HITRUST® over 11 years ago, there have been a number of legends and myths surrounding HITRUST, the HITRUST CSF® and CSF Assurance Program. This ten-week series will share our most frequently asked questions and expose the most common myths surrounding HITRUST.
FACT 1: YOU DON’T HAVE TO CHOOSE BETWEEN HITRUST, NIST OR ISO AS YOUR RISK MANAGEMENT FRAMEWORK
The HITRUST CSF enables organizations to leverage ISO and NIST control standards, obtain the benefits of many other US and international standards, regulations and best practices and successfully address the objectives specified by the NIST Cybersecurity Framework.
Also, the CSF Assurance methodology ensures the accuracy, integrity, consistency and transparency of the assessment and enables a single assessment to be leveraged to demonstrate compliance across multiple standards and regulations (HITRUST refers to this as “assess once, report many”).
MYTH 1: ADOPTING AND COMPLYING WITH THE HITRUST CSF IS MORE COMPLICATED COMPARED TO OTHER FRAMEWORKS
FALSE. In fact, harmonizing the relevant US and international standards, regulations and best practices into a single privacy and security framework that is tailorable based on risk and regulatory factors gives the HITRUST CSF many advantages over other frameworks.
The design ensures organizations select the requirements relevant to their environment, which means organizations can minimize the need to address irrelevant requirements. It also allows organizations to implement controls that satisfy multiple requirements, unlike other governance frameworks. This makes adoption more efficient, and certainly no more complicated, while reducing waste and costs compared to the adoption of other frameworks.
To learn more, click here to download our latest whitepaper.
FACT 2: THE HITRUST CSF IS A RISK-BASED FRAMEWORK
To understand why, one must understand the intent of selecting and implementing any specified set of controls, whether it’s a custom set developed from a traditional risk analysis or one tailored from a pre-defined control baseline developed from such a risk analysis (e.g., ISO/IEC 27001 or NIST SP 800-53, both of which HITRUST leverages in the CSF). This risk analysis, tailored to specific risk factors and updated regularly, is one of the unique elements of the HITRUST CSF.
To learn more, click here to view our “Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection” whitepaper.
MYTH 2: YOU CAN ADOPT THE NIST CYBERSECURITY FRAMEWORK BY ITSELF
FALSE. If you adopt the NIST Cybersecurity Framework, you must either design your own controls or select controls from a suitable Risk Management Framework (RMF) to achieve the objectives specified by the framework. The HITRUST CSF is an integral part of the HITRUST RMF, which fully supports an organization’s implementation of the NIST Cybersecurity Framework’s Core Subcategories. The HITRUST CSF Assurance Program helps organizations provide reliable assurances to internal and external stakeholders (e.g., executive management and government regulators) about its information protection program through the lens of the NIST Cybersecurity Framework.
For more information on how you can leverage the HITRUST approach, read the Healthcare Sector Cybersecurity Framework Implementation Guide available from the U.S. CERT Website.
FACT 3: NIST DOESN’T PROVIDE A CERTIFICATION AGAINST THE NIST CYBERSECURITY FRAMEWORK
While NIST doesn’t provide a certification, HITRUST provides a viable alternative by mapping the NIST Cybersecurity Framework Core Subcategories into the HITRUST CSF. Also, HITRUST has added an addendum to the HITRUST CSF Assessment report to provide a scorecard of the HITRUST controls by NIST Subcategory for use as a management reporting tool. So, while NIST does not provide for certification, HITRUST gives organizations a level of assurance they are meeting the objectives specified by the NIST Cybersecurity Framework.
To learn more, click here to listen to our past webinar recording.
MYTH 3: GETTING ASSESSED AGAINST THE HITRUST CSF IS MORE EXPENSIVE THAN OTHER ASSESSMENTS
FALSE. By designing the HITRUST CSF Assurance program to allow a single CSF Assessment report to support multiple objectives, organizations can ‘assess once, report many.’ One assessment can be used to produce a HITRUST CSF Certification, AICPA SOC 2 and NIST Cybersecurity Scorecard. One assessment can also support attestations of compliance with other standards and regulations such as ISO 27001, NIST SP 800-53 and HIPAA. HITRUST provides the most cost-effective approach to providing assurances to customers, business partners and regulators in the industry.
For more information on how you can leverage the HITRUST approach, click here.
FACT 4: A SOC 2® BY ITSELF IS NOT A VALID MEANS FOR A THIRD PARTY TO UNDERSTAND THE INFORMATION SECURITY CONTROLS IN PLACE AT AN ASSESSED ENTITY OR TO DETERMINE THE ASSESSED ENTITY’S ADEQUACY IN PROTECTING ITS DATA
The SOC 2 itself does not provide the full context for the controls needed to achieve the objectives specified by the AICPA® Trust Criteria for Security, Confidentiality and Availability, as opposed to an assessment based on a comprehensive set of prescriptive yet tailorable controls such as those provided by the HITRUST CSF information protection framework.
Without this context, it would be difficult for an organization to determine if the controls presented in the SOC 2 report are appropriate for the organization. A SOC 2 report leveraging the HITRUST CSF ensures organizations address the AICPA Trust Criteria with a reasonable and appropriate set of security and privacy controls. Also, it ensures organizations provide an industry-acceptable level of residual risk and satisfy their contractual and regulatory compliance requirements.
You can find more information on the benefits of the SOC 2 + HITRUST approach here. A discussion of the HITRUST approach can also be found on the AICPA website, which also provides a link to the original mapping between the HITRUST CSF v7 controls and the AICPA Trust Services Criteria.
MYTH 4: A HITRUST CSF ASSESSMENT WON’T MEET THE REQUIREMENT FOR A HIPAA RISK ASSESSMENT
FALSE, but it is not black and white. To be HIPAA-compliant, an organization must conduct a risk analysis and implement a reasonable and appropriate set of information safeguards—aka information security controls—to provide for the adequate protection of ePHI against all reasonably anticipated threats. HITRUST addresses this requirement by completing a control framework-based risk analysis and creating a new industry-level security control baseline, which organizations can then tailor to address their specific clinical and business needs.
And since HITRUST provides an extensive mapping of the CSF controls to the HIPAA Security Rule’s standards and implementation specifications, it’s easy to see how the control requirements address each and every standard and implementation specification in the Security Rule. In fact, OCR has previously accepted an organization’s implementation of the HITRUST CSF and its subsequent use of CSF validated assessments as evidence of its compliance with the HIPAA Security Rule, including the risk analysis requirement.
FACT 5: HITRUST EXPANDED CSF V9.1 TO ADDRESS GDPR AND NEW YORK STATE CYBERSECURITY REGULATIONS
In March of 2018, HITRUST made the HITRUST CSF – a widely used information privacy and security framework for organizations – more open and comprehensive, so that it could be applied more effectively across a variety of global industries.
HITRUST CSF Version 9.1 incorporates both the EU General Data Protection Regulation (GDPR) and New York State Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500). Incorporation of the EU General Data Protection Regulation (GDPR) is part of HITRUST’s initiative towards internationalization of the CSF and increased support for global organizational privacy programs. The updated framework allows organizations to easily manage and report on the controls intended to address GDPR requirements.
Integrating the New York State Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) into the HITRUST CSF enables the financial industry to leverage the framework to achieve better cybersecurity resilience and protection. The requirements for Financial Services Companies affect not only financial institutions but also healthcare organizations such as health insurers and their business associates, including those outside of New York.
MYTH 5: HITRUST IS NOT A STANDARDS ORGANIZATION
FALSE. HITRUST is and has been widely recognized as a standards organization and developer of the HITRUST CSF, an information security and privacy controls framework used by a variety of industry sectors. We operate similarly to ISACA, ISO and NIST, are governed by a Board of Directors, and receive guidance from multiple industry councils. The work of the HITRUST standards organization is also supported by multiple industry working groups to ensure the HITRUST CSF continues to address a constantly changing risk environment and meet the needs of industry.