Frequently Asked Questions About the HITRUST Risk Management Framework
Founded in 2007, HITRUST Alliance is a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain. In collaboration with privacy, information security and risk management leaders from both the public and private sectors, HITRUST develops, maintains and provides broad access to its widely adopted common risk and compliance management and de-identification frameworks; related assessment and assurance methodologies; and initiatives advancing cyber sharing, analysis and resilience.
The original HITRUST Board of Directors, which included Chief Information, Security and Privacy Officers from leading healthcare providers, insurers, and vendors, understood that information security was critical to the broad adoption of the healthcare technologies and systems necessary to provide a greater quality of care.
With the advent of the HITRUST CSF (CSF), organizations were given a consensus-driven solution to the industry's security problems. The CSF not only provides the prescriptiveness healthcare organizations need to effectively implement controls that meet regulatory, third-party and business requirements; it also does so in a way that scales according to key organizational, system and regulatory risk factors. These factors, developed through industry working groups representing a variety of healthcare sectors, allow large, highly complex healthcare insurers as well as smaller, resource-constrained providers to adopt an approach to security that is tailored to their risk and compliance needs.
Today, the CSF is the most widely adopted information security and compliance risk management framework in the healthcare industry. Through annual updates and significant community engagement, the CSF has evolved to effectively align the requirements and controls of over 15 standards, regulations, and leading practice frameworks. Organizations are also proactively seeking certification and validation of their CSF-based information protection programs through the HITRUST Assurance Program due to the value it provides, especially with regard to third-party assurances for regulators and other external stakeholders.
However, the HITRUST approach is not always well understood by healthcare organizations, including some advisory and consulting firms, because it has unique aspects that are not always understood by those commenting or offering opinions on it. Unlike other frameworks, HITRUST takes a rigorous approach to the selection and assessment of controls by leveraging federal and industry leading practices that fully support the type of robust and comprehensive information protection program required under the HIPAA Security Rule. HITRUST also examines underlying risk exposures to ensure that the CSF, the HITRUST Assurance Program, and the supporting methodologies and tools align with industry requirements.
Recent improvements to the CSF include the alignment of cyber threat intelligence to CSF control requirements, which helps ensure controls remain effective despite an evolving cyber threat environment. HITRUST has also mapped the CSF controls to the American Institute of Certified Public Accountants (AICPA) Trust Services Principles and Criteria, which allows Assurance Program assessments to be leveraged for Service Organization Control (SOC) 2® reports.
The following Frequently Asked Questions (FAQs) are provided to address common misconceptions about the CSF, HITRUST Assurance Program, and supporting methods and tools that constitute the HITRUST Risk Management Framework (RMF).