HITRUST CSF Additional Frequently Asked Questions (FAQs)
Why choose the HITRUST CSF over other control frameworks like NIST SP 800-53 and ISO/IEC 27001?
The HITRUST CSF is designed with certain highly regulated industries in mind. However, it is a region- and industry-agnostic control framework that can be used globally by organizations across all industries. Furthermore, HITRUST is the only standards development organization with a framework, an assessment platform, and an independent assurance program. Other compelling benefits and considerations are presented in FAQs throughout this document.
The table below compares the HITRUST CSF with several other leading information security and risk frameworks:
Is the scope of the HITRUST CSF too large for most organizations?
Although HITRUST provides tailoring options for the HITRUST CSF based on an organization’s specific risk factors, any framework can be applied inappropriately. Given the relatively uncontrolled sprawl of sensitive information in many organizations, the HITRUST CSF can (and should) be applied as broadly as necessary to scope to the specific types of information, systems, and/or business units requiring information asset protection.
Scope can be minimized by ensuring that workflows requiring the use of sensitive information are understood and such uses are restricted to the minimum necessary, as required by many legal and regulatory bodies, as well as best practices. In addition, information assets and data flows with sensitive information can be isolated from other assets and data flow types, e.g., through network segmentation.
For more information, refer to the Risk Analysis Guide for HITRUST Organizations and Assessors.
Does the HITRUST CSF take a “one-size-fits-all” approach to information protection?
From its inception, HITRUST chose to use a risk-based rather than a compliance-based approach to information protection and to help mature the industry’s approach to safeguarding information. By integrating NIST’s moderate-level control baseline into the CSF, which is in turn built upon the ISO 27001:2005 control framework, HITRUST leverages the comprehensive threat analyses employed by these frameworks to provide a robust set of prescriptive controls relevant to the healthcare environment. The CSF also goes beyond the three NIST baselines for specific classes of information and provides multiple control baselines determined by specific organizational, system, and regulatory risk factors. These baselines can be further tailored through formal submission, review, and acceptance by HITRUST of alternative controls (what PCI DSS refers to as compensating controls), giving the industry additional flexibility in the selection of reasonable and appropriate controls while still providing assurance that sensitive information is adequately protected.
Traditional risk analysis guidance (e.g., from HHS) can subsequently be modified to support the use of a comprehensive control framework—built upon an analysis of common threats to specific classes of information and common technologies—as follows:
- Conduct a complete inventory of where ePHI lives
- Perform a business impact analysis (BIA) on all systems with ePHI (criticality)
- Categorize and evaluate these systems based on sensitivity and criticality
- Select an appropriate framework baseline set of controls
- Apply an overlay based on a targeted assessment of threats unique to the organization
- Rank risks and determine risk treatments
- Make contextual adjustments to likelihood and impact, if needed, as part of the corrective action planning process
- Evaluate residual risk: likelihood based on an assessment of control maturity and impact based on relative (non-contextual) ratings
Because the HITRUST CSF provides a risk-based approach to information protection and compliance, organizations of varying risk profiles can customize the security and privacy control baselines through a variety of organizational, technical, and compliance risk factors.
For more information, refer to the Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection brochure and the Risk Analysis Guide for HITRUST Organizations and Assessors.
What are the goals for the HITRUST CSF?
Through HITRUST, the CSF provides organizations with a controls framework that is:
- Relevant, supporting HITRUST’s threat-adaptive assessments through regular maintenance of the supporting authoritative sources and tracking of changes in the threat environment;
- Scalable to various sizes and types of organizations or systems in a controlled manner;
- Tailorable in the r2 Assessment through managed approvals of alternative (compensating) controls;
- Based on compliance with control baselines intended to manage risk to an industry-accepted level;
- Capable of providing certifiable risk assurances to internal and external stakeholders, including regulators; and
- Supported by appropriate guidance and tools along with regular updates.
For more information on HITRUST and the CSF, refer to the How HITRUST Helps Organizations Manage Risk guide.
Why do organizations need a security and privacy framework?
Information security and privacy laws are passed to regulate many industries and require that organizations operating in those industries conduct thorough risk assessments to protect against threats to the security and privacy of sensitive information. Organizations in other, less-regulated (or even unregulated) industries may also want to protect valuable business information for many reasons, such as protecting patents and trademarks, gaining competitive advantage, protecting customer data, and earning new business with partners concerned about information security. There is no “one-size-fits-all” approach to securing sensitive information, and performing an information security risk analysis is often not something organizations know how to do.
Fortunately, HITRUST provides an easy-to-adopt framework and methodologies to effectively manage data, information risk, and compliance by using the HITRUST Approach. Driven by the CSF, the HITRUST Approach is built around a risk management process that provides a consistent, managed methodology designed to meet the needs of organizations operating in various industries. The HITRUST Approach takes a holistic route to effectively analyze the potential risks to information protection. From this, an organization may establish one or more sets of security and privacy safeguards, also referred to as control baselines, which are intended to address similar threats to common classes of information using similar technologies. Organizations may then select an appropriate control baseline to help protect against any reasonably anticipated threats or hazards to the security and privacy of information.