How HITRUST supports an efficient and effective information protection program tailored to the needs of healthcare

Note: All HITRUST documents referenced in this article are included as attachments at the end of the blog post.

The HITRUST CSF was first published in early 2009 and has since become the de facto security standard in the healthcare industry; however, some healthcare information protection professionals do not completely understand how the CSF compares to other security frameworks (see “Comparing the CSF, ISO/IEC 27001 and NIST SP 800-53”) or how the CSF can be utilized to demonstrate their level of compliance with the Health Insurance Portability and Accountability Act (HIPAA) (see “CSF-HIPAA Matrix v2 “).

Applying NIST through the CSF

A common misperception is that an organization must choose between the HITRUST CSF or another framework, such as the one provided by the International Organization for Standardization (ISO) or the National Institute of Standards and Technology (NIST). However, the HITRUST CSF is actually founded on ISO 27001, Information technology – Security techniques – Information security management systems – Requirements, and complements the NIST framework, while providing a flexible yet prescriptive set of controls tailored to a healthcare organization’s specific needs.  It’s simply not an “either, or” proposition, as in reality the HITRUST CSF simplifies the implementation and streamlines compliance.

HITRUST integrates the moderate-baseline controls contained in NIST Special Publication (SP) 800-53 revision 4, Security and Privacy Controls for Federal Information Systems and Organizations-along with similarly relevant controls from other frameworks and best practice standards-directly into the CSF.  In addition, the CSF provides additional implementation guidance and audit requirements. As a result, organizations adopting the CSF are essentially adopting the ISO and NIST standards, among others (see “HITRUST CSF Standards and Regulations_Cross-Reference 2013 v6”).

The HITRUST CSF was designed for healthcare organizations of all types and sizes, as such not all the controls contained in the framework are applicable to all organizations, since some may be exposed to more risk from their use of electronic protected health information (ePHI) than others.  For example, a large multi-state health system with a shared electronic health record (EHR) service may routinely process thousands, if not tens of thousands, of patient records per day, whereas a very small clinic may only process a few hundred at best.  The larger system simply has greater exposure than the smaller clinic.

As a result, a basic set of controls may be appropriate for all organizations, whether large or small, whereas greater, more robust safeguards may be needed to manage risks faced by organizations that manage more information, more types of information, or are subject to additional regulatory and legislative requirements.  Refer to the CSF Assessment Methodology for more information on the various types of risk factors and how controls are assigned (see “HITRUST RMF Whitepaper”).

Subsequently, each CSF control has up to three levels of requirements.  Level 1 requirements essentially apply to all organizations, and level 2 and 3 requirements are assigned based on organizational, system and regulatory risk factors specific to the organization implementing the framework.  NIST controls – as well as other controls derived from applicable frameworks and best practice standards – are integrated into relevant CSF controls (see “CSF-NIST Matrix v2 “) and then parsed across the levels (see “HITRUST CSF Standards and Regulations_Cross-Reference 2013 v6”)  to ensure organizations apply “reasonable and appropriate” safeguards to provide “adequate” protection of ePHI, as required by HIPAA.

For example, CSF control 02.e, Information Security Awareness, Education and Training, parses five controls from NIST SP 800-53 r4 across all three levels, as shown in the following table.

Table 1: NIST Controls Mapped to CSF Control 02.e, Information Security Awareness, Education and Training

02.e Information Security Awareness, Education, and Training

Level 1 CP-3, Contingency Training
Level 2 AT-2, Security Awareness Training*
Level 3 AT-3, Role-based Security TrainingAT-4, Security Training RecordsIR-2, Incident Response Training

*Note: Basic awareness training requirements are described in level 1 based on ISO requirements

Demonstrating HIPAA Compliance with the CSF

The required and addressable implementation specifications from the HIPAA Security Rule are also mapped into the CSF, but unlike NIST are all mapped in at a basic level  since the requirements are generally high-level and applicable to all organizations regardless of any additional risk factors (see “CSF-HIPAA Matrix v2 “). However, organizations required to implement additional control requirements due to their specific risk factors provide more robust support for the HIPAA implementation specifications.

By integrating and harmonizing controls from applicable frameworks and best practice standards like NIST and then tailoring the requirements to the specific needs of healthcare organizations, HITRUST does most of the heavy lifting for an organization’s risk analysis, which is one of the principle requirements of HIPAA and one of the most often cited issues in audits conducted by the Office for Civil Rights (OCR).  Additional risk analysis would only be required to periodically reassess the organization’s unique risks and document any changes to the control requirements specified in the CSF, including any additional requirements based on these unique risks.

In addition, the standardization of these requirements across the industry for different types of organizations based on their specific risk factors allows organizations to benchmark themselves against other, similar organizations and provide standardized assurances to business partners, regulators, patients/clients, their families and other stakeholders.

Choosing a Framework – What Value Does the CSF Provide over other Frameworks like NIST?

With the CSF, one can choose them all: HIPAA, NIST, ISO and other frameworks relevant to the industry.  In addition, the CSF and supporting CSF Assurance Program provides a risk management framework tailored to the unique needs of the healthcare industry:

  • Harmonized and maintained set of requirements derived from multiple regulatory (federal and state) and best practice standards,
  • Better guidance on the controls organizations should implement based on their specific risk factors,
  • Consistency in the application and assessment of controls across the industry,
  • Standardized reporting of compliance with applicable legislation, regulations and best practices, Support for robust assertions of HIPAA compliance and Meaningful Use of an Electronic Health Record, and
  • Resources available to address questions or provide assistance.

Healthcare professionals can also leverage HITRUST as a source for guidance on relevant security and privacy issues facing the industry in addition to specific information on how to implement and assess an organizational information protection program.  For more information on the CSF and the CSF Assurance Program, refer to HITRUSTAlliance.net.

Downloads: