What’s your organization’s priority when it comes to managing cybersecurity risk and demonstrating compliance? For many healthcare CISOs, the most urgent need is managing cyber threats and improving their own cyber resilience while also communicating the effectiveness of their information security program to various audiences, and both of these processes are significantly aided by the HITRUST CSF and CSF Assurance program.
The HITRUST CSF provides organizations with the requirements and practices needed to ensure that information and cybersecurity-related risks are managed intelligently and consistently with their many business, risk and compliance objectives. It also helps organizations ensure that risks are addressed comprehensively and with an industry-acceptable level of due care.
The HITRUST CSF is supported by the HITRUST CSF Assurance program, an assessment model that provides transparency, accuracy, consistency, and scalability to ensure reliability, i.e., the ability of a third party to rely on the assurances provided by the organization. The entire framework, including the assessment approach, should be publicly available to ensure transparency and openness; it should ensure accuracy and consistency in the evaluation and reporting of implemented controls, regardless of the specific assessor used; and it should be scalable across the industry, both in the number and in the types of entities that may be assessed.
Given the number and varied types of relying parties (e.g., management, Board of Directors, customers, business partners, and regulators), this can be a complex if not difficult proposition to achieve. By implementing a single comprehensive information protection program that integrates and harmonizes requirements from the multiple legislative, regulatory and best practice requirements to which it may be subject, an organization can realize significant efficiencies, reduce the number of resources it devotes to demonstrating compliance and providing third-party assurance, and lower the overall costs of both. HITRUST has designed and continues to enhance its framework and assurance methodology to support these benefits by allowing one assessment to report out control maturity scores, a HIPAA risk assessment, and a SOC 2® report.
The HITRUST CSF also supports reporting against the NIST Cybersecurity Framework. The NIST Cybersecurity Framework was designed as an overarching, industry-agnostic framework to help organizations apply risk management principles and best practices that improve the security and resilience of critical infrastructure, but it does not provide the details on how to establish the requirements or assure that they are implemented effectively. Instead of providing a controls framework, the NIST Cybersecurity Framework provides ‘informative references’ to external control frameworks, which may help an organization achieve its objectives.
The HITRUST CSF is the controls framework that provides the basis for NIST Cybersecurity Framework implementation in the healthcare industry. The Healthcare Sector Cybersecurity Framework Implementation Guide—available on the Department of Homeland Security’s US-CERT Cybersecurity Framework Website—leverages the HITRUST CSF’s comprehensive coverage of, and focus on, healthcare cybersecurity to provide the prescriptive requirements that aren’t included in the NIST Cybersecurity Framework. It’s a perfect fit, because the NIST Cybersecurity Framework was designed to provide high-level security objectives that apply across multiple industries, whereas the HITRUST CSF was designed to address the specific protection and compliance requirements of health information.
Exciting news for healthcare organizations is that HITRUST is expanding the controls required for HITRUST CSF certification to enhance reporting against the NIST Cybersecurity Framework. Although the NIST Cybersecurity Framework is already fully integrated with the HITRUST framework, HITRUST CSF-certified organizations will now be able to conduct a single CSF security assessment and, based on that assessment, provide both HIPAA and NIST Cybersecurity Framework reporting and assurances. This “Assess Once, Report Many” approach can be a tremendous savings of time and effort for every organization that must demonstrate NIST Cybersecurity Framework compliance.
Adding NIST Cybersecurity Framework certification and reporting as part of a HITRUST CSF Assessment is core to the value proposition of HITRUST: the ability to map information security-related standards or regulations to the HITRUST CSF. It can help any organization that requires alignment to the NIST Cybersecurity Framework.
By ensuring a targeted security assessment covers each HIPAA standard and implementation specification, and each NIST subcategory, organizations can address multiple reporting requirements with a single assessment against a single set of information security controls.
In other words, using the common risk assessment framework provided by the HITRUST CSF and HITRUST CSF Assurance Program for cybersecurity self-assessment is a win-win. Who benefits? Nearly every healthcare organization or vendor with access to PHI that needs to:
- Communicate the status of its information protection program from multiple viewpoints or via benchmarking (i.e., HITRUST CSF maturity scores and NIST Cybersecurity Framework implementation tiers),
- Report across multiple industries (e.g., HIPAA for PII/PHI, PCI DSS for payments, FFIEC for financial services, and FedRAMP for federal and Cloud), or
- Simply address an internal or external stakeholder’s request for reporting against multiple regulations, standards, and best practice frameworks.
For example, a health insurer might want to demonstrate HIPAA compliance based on a HITRUST CSF security assessment, but may also need to provide assurances to non-healthcare third-party organizations about how it protects member information through an AICPA SOC 2 report, or through the lens of the NIST Cybersecurity Framework.
In the meantime, here is a list of various resources such as white papers, guidance documents, and FAQs that may help clarify some of the important points we’ve covered here:
- Health Industry Implementation of the NIST Cybersecurity Framework
- The HITRUST CSF Assurance and Third Party Assurance Programs
- HITRUST FAQs
- Leveraging the HITRUST CSF to Support SOC 2® Reporting
- Selecting a Healthcare Information Security Risk Management Framework in a Cyber World
- Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection
- The Healthcare Cyber Shift