HITRUST CSF = A Prescription for HIPAA Compliance
<< All Blogs

Date: July 5, 2017

Written by Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP), CCSFP Member (FBI) InfraGard & HITRUST CSF Assessor Council

Every business, every organization, across the United States and globally, regardless of vertical industries, is faced with two executive-level challenges:

  1. Compliance with state and federal (national) regulatory compliance mandates
  2. Establishing a credible cyber defense to reduce disruptive risks to business

This article describes how the HITRUST CSF delivers a prescriptive cybersecurity standard.

HITRUST CSF Prescriptions Across Domains

The HITRUST CSF is a prescriptive framework. It is a credible framework for organizations to establish a mature cybersecurity and compliance program. The HITRUST CSF provides a comprehensive, scalable, and a technology-neutral framework to address HIPAA mandates.

HITRUST CSF is prescriptive – it is very specific on the minimal capabilities organizations must implement continually to address mandates such as HIPAA, and manage their cybersecurity program.

In Figure 1 we examine a sampling of some key prescriptive requirements from HITRUST CSF. Note that Figure 1 is a sampling only, and not a complete list of all prescriptive requirements.



0.0 Information Security Management Policies
1 Review ISMP at regular intervals, but at least once annually. (00.a) (Level 3)
01.0 Access Control
2 Automatically remove or disable accounts that have been inactive for a period of sixty (60) days or more. (01.b) (Level 1)
3 Passwords changed at least every ninety (90) days or based on the number of accesses. (01.d) (Level 1)
4 Users are made aware of the organization’s password policies and requirements to:

  • Change passwords whenever there is any indication of possible system or password compromise. (01.f) (Level 1)
02.0 Human Resource Security
5 Assign risk designations to all organizational positions as appropriate, establish screening criteria, and review and revise designations every 365 days. (02.a) (Level 2)
6 The organization provides incident response and contingency training to information system users consistent with assigned roles and responsibilities:

  • Within ninety (90) days of assuming an incident response role or responsibility;
  • When required by information system changes; and
  • Within every three hundred sixty-five (365) days thereafter. (02.e) (Level 1)
7 The organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures and notifies defined personnel (e.g., supervisors) within a defined time frame (e.g., 24 hours) when a formal sanction process is initiated, identifying the individual sanctioned and the reason for the sanction. (02.f) (Level 1)
03.0 Risk Management
8 Repeating the risk management process prior to any significant change, after a serious incident, whenever a new significant risk factor is identified, or at a minimum annually. (03.a) (Level 1)
9 The organization shall update existing remediation or corrective action plans monthly based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. (03.c) (Level 1)
10 The risk management program include the requirement that risk assessments be re-evaluated at least annually, or when there are significant changes in the environment. (03.d) (Level 1)
04.0 Security Policy
11 Information security policy documents are reviewed at planned intervals, at a minimum every 365 days. (04.b) (Level 2)
12 Significant changes occur in the operating or business environment to ensure its continuing adequacy and effectiveness and that the totality of the policy has been addressed at least every three hundred sixty-five (365) days. (04.b) (Level 2)
05.0 Organization of Information Security
13 Periodically, at a minimum annually, review and assess the effectiveness of the implementation of the information security policy. (05.a) (Level 1)
14 Requirements for confidentiality and non-disclosure agreements shall be reviewed at least annually and when changes occur that influence these requirements. (05.e) (Level 1)
15 Designate a point of contact to review the list at least annually to keep it current. (05.f) (Level 1)
06.0 Compliance
16 The organization’s formal policies and procedures, other critical records (e.g., results from a risk assessment) and disclosures of individuals’ protected health information made shall be retained for a minimum of six (6) years. (06.c) (Level 1)
17 The covered entity shall document restrictions in writing and formally maintain such writing, or an electronic copy of such writing, as an organizational record for a period of six (6) years. (06.c) (Level 1)
18 Information systems and network components (e.g., firewalls, routers and switches). Checking shall be performed either manually, by an individual with experience with the systems, and/or with the assistance of automated software tools. These compliance checks shall be performed annually. (06.h) (Level 1)
07.0 Asset Management
19 The organization shall maintain inventory logs of all media and conduct media inventories at least annually. (07.a) (Level 2)
20 When a person(s) designated as information owner no longer has the responsibility due to departure, transfer or reassignment, the organization shall appoint a new information owner(s) in a timely manner to ensure no lapse in accountability and responsibility for information assets. (07.b) (Level 2)
21 Create and document a process and procedure to affix an organization identification tag to:

  • Existing non-capital assets (tagging required within one year); and
  • Existing capital assets (tagging required within one year) (07.d) (Level 2)
08.0 Physical & Environmental Security
22 The organization maintain visitor access logs for facilities where information systems reside for at least two (2) years and review visitor records periodically but no less than monthly. (08.b) (Level 1)
23 Access rights to secure areas are regularly reviewed, at a minimum every ninety (90) days, and updated or revoked when necessary. (08.b) (Level 2)
24 Intruder detection systems shall be installed to national, regional or international standards and regularly tested, at a minimum annually, to cover all external doors and accessible windows. (08.b) (Level 3)
09.0 Communications and Operations Management
25 The organization shall develop, disseminate, and review/update annually a list of current service providers, which includes a description of the services provided. (09.e) (Level 2)
26 A periodic review of service level agreements (SLAs) conducted at least annually and compared against the monitoring records. (09.f) (Level 1)
27 Perform critical system file scans during system boot and every 12 hours. (09.j) (Level 2)
10.0 Information Systems Acquisition, Development, and Maintenance
28 The inclusion of input validation checks in the testing methodology shall be in place, and performed at least annually. Input validation testing can be manually performed. (10.b) (Level 1)
29 Applications shall undergo application vulnerability testing annually by a qualified party, focusing on the use of add, modify, and delete functions to implement changes to data, and attacks using buffer overruns/overflows. (10.c) (Level 2)
30 Automated updates not be used on critical systems, as some updates may cause critical applications to fail. (10.k) (Level 2)
11.0 Information Security Incident Management
31 Where there are 10 or more individuals for whom there is insufficient or out-of-date contact information (including a phone number, email address, or any other form of appropriate communication), a conspicuous posting will be placed on the home page of the organization’s web site for a period of 90 days. (11.a) (Level 1)
32 The organization tests and/or exercises the incident response capability for the information system within every three hundred sixty-five (365) days. (11.c) (Level 2)
33 A log of any occurring incident is maintained, and this log is to be submitted annually to the federal government. (11.c) (Level 2)
12.01 Information Security Aspects of Business Continuity Management
34 Business continuity risk assessments shall be carried out annually with full involvement from owners of business resources and processes. (12.b) (Level 2)
35 A formal, documented contingency planning policy and formal, documented procedures are developed, disseminated, and reviewed annually. (12.c) (Level 1)
36 Responsibilities are assigned for regular reviews of at least a part of the business continuity plan, at a minimum, annually. (12.e) (Level 1)
13.0 Privacy Practices
37 The covered entity provides notice or notices relevant to the individual (other than an inmate) no later than the compliance date or upon enrollment thereafter, within sixty (60) days of a material revision, and no less than every three (3) years. (13.a) (Level 1)
38 With limited exceptions, the covered entity provides individuals the right of access to review and obtain a copy of certain PHI contained in a Designated Record Set for as long as that record set is maintained, and provides such access in a timely manner (thirty (30) days with no more than one (1) thirty (30) day extension), for no more than a reasonable, cost-based fee (if any), or, if the covered entity does not maintain the PHI but knows where it’s located, the covered entity informs the individual where to direct the request. (13.f) (Level 1)
39 The covered entity acts upon an individual’s request for an accounting no later than sixty (60) days after receipt of the request (with a one-time thirty (30) day extension with proper notice to the requestor), free of charge for the first request within any twelve (12) month period and, if informed in advance, for a reasonable cost-based fee for subsequent requests within the period. (13.g) (Level 1)

Figure 1: Sampling of Prescriptive Requirements in the HITRUST CSF.

HITRUST CSF is a formal and formidable framework, developed specifically for the healthcare industry, to address privacy and security regulatory requirements.

Closing Remarks for Senior Executives

Probably, the most important strategic security decision that the organization can make is the framework that the organization adopts for its cybersecurity and compliance program.

The bottom-line for senior executives is to select a framework that is robust, scalable, and mature. The HITRUST CSF is all that, and prescriptive in its requirements. This is important so the enterprise cybersecurity program can be actively measured and monitored on a continual basis.

HITRUST CSF = Prescriptive Cybersecurity Standard

Get started with its application, and the path to HITRUST CSF certification.

<< All Blogs

Chat Now

This is where you can start a live chat with a member of our team