Written by HITRUST Independent Security Journalist Sean Martin.
The HITRUST CSF is designed to benefit everyone, from healthcare providers to the third-party organizations providing products and services to those healthcare providers. By agreeing to use the CSF to help ensure that third parties have the right security and privacy processes, procedures, technologies, and personnel in place, all parties benefit because security vetting becomes vastly simpler, faster and less expensive – for everyone. That means more business, faster response times, and reduced costs in an era of tight margins.
Why are there misconceptions? For many, it can be summarized in four words: fear of the unknown.
The HITRUST CSF lives at the intersection of two industries filled with acronyms, policies, processes and overwork: Healthcare and Cybersecurity. Some organizations – including healthcare and third-party providers – are not as familiar with the HITRUST CSF, and it can look daunting at first glance, or even at second glance.
When a team is overwhelmed, everything that has a learning curve can seem like something to be avoided, even if it’s clear that there will be benefits down the road. In our rush to handle today’s deadlines today, anything with benefits sitting out on the horizon may look like an unaffordable luxury.
Another reason for the misconceptions: The CSF, by its very nature, is a framework that is designed to be reused by everyone in the healthcare industry – which means that it can look like an inflexible skeleton that can’t comfortably fit a particular organization’s style and culture. As a system designed to standardize the process of addressing compliance to the multitude of security, privacy and regulatory standards, it necessarily requires common security categories, risk categories, skills, competencies, resources and even a vocabulary. It can seem difficult, if not impossible, to map your own organization’s processes and vocabulary to the CSF. It’s not… but that appearance of difficulty can lead to a misunderstanding about the framework.
Four Top Misconceptions About the HITRUST CSF
“After HIPAA was passed into law in 1996, the following decade or so was a confusing, disorganized morass in which the HIPAA Security Rule did not provide prescriptive measures for covered entities (CE) and business associates (BA),” explains Dr. Travis Good, Co-founder, CEO & Privacy Officer of Catalyze, in his blog post, “The Truth About HITRUST — and Why It Should Become the Industry Standard.”
The response to that confusion? “In 2007, leaders within the healthcare field — including CIOs, security and privacy officers from leading healthcare providers, insurers and vendors — came together to solve this problem,” Dr. Good continues. “HITRUST initially developed an information security framework with the intention of creating an industry standard, including control baselines so an organization could make their own choice based on their unique needs. Originally referred to as the HITRUST Common Security Framework (CSF), the CSF was developed specifically for healthcare — designed to be scalable, customizable and capable of providing certifiable risk assurances.”
In his post, Dr. Good identifies a few misconceptions about the HITRUST CSF — and then explains in detail why those misconceptions are indeed erroneous. In brief, the following three misconceptions stand out:
- The HITRUST approach is too expensive — costing excessive money, time and resources.
- It’s unnecessarily burdensome to implement the HITRUST methodology.
- The results and efficacy of the HITRUST approach are questionable.
Overcoming the Fear of the Unknown
Is it a unique approach? Yes. Is there a learning curve? Yes, of course. Still, the learning curve is nothing compared to applying other frameworks or controls such as ISO, NIST SP 800-53, or NIST RMF. Rather than adding another layer of work, the HITRUST CSF was designed to be used by healthcare organizations to fully (not partially) address the standards and implementation specifications of the HIPAA Security Rule — including the risk analysis requirement — and the objectives specified by the NIST CsF Core Subcategories.
Despite the perceived complexity and learning curve, and no matter what your role in the healthcare industry, the HITRUST CSF was designed to make your life easier, especially when it comes to compliance with regulations like the HIPAA Security Rule.
With HITRUST you can leverage an industry-accepted level of due care and due diligence for the protection of electronic protected health information — and a complete set of security controls, tailored specifically for the healthcare industry, that addresses all of the NIST CsF objectives. Furthermore, the HITRUST CSF provides the basis of sector guidance for implementing the NIST CsF. There is no misconception about that.
Dr. Good concludes his post: “The truth is that we’re all in this together, and our common goal is the common good — protecting individually identifiable healthcare information. At every level, our industry has to embrace the shift to digital management of healthcare information, understand the risks involved in this change, and take appropriate steps to manage them. By working together, we can all focus on creating practical, reliable ways to improve security and minimize risk. In my view, HITRUST has taken a leading role in improving the state of information protection in the healthcare industry and is doing so efficiently and effectively.”
Look beyond the fact that the HITRUST CSF may not yet be understood by your organization. Take the time to take the first few steps to move beyond the learning curve, and you’ll see there are no misconceptions at all. It’s a win-win for everyone.