By Dr. Bryan Cline, VP of Standards and Analytics at HITRUST.
Although the HIPAA Security Rule has been in effect for a decade — and the HITRUST CSF has been around for almost as long — I’m still surprised by the misconceptions and confusion about both that persist in the industry. Adding to the confusion is the recent introduction of the NIST Framework for Improving Critical Infrastructure Cybersecurity, more commonly known as the NIST Cybersecurity Framework (NIST CsF).
From my perspective, much of this confusion stems from an “either-or” proposition on which one to implement: the HIPAA Security Rule, the HITRUST CSF, or the NIST CsF. However, this is a “red herring” argument. The HITRUST CSF was designed to be used by healthcare organizations to fully address the standards and implementation specifications of the HIPAA Security Rule — including the risk analysis requirement — and the objectives specified by the NIST CsF Core Subcategories.
There also seems to be an inaccurate perception by some in the industry that implementing the HITRUST CSF is much more difficult than merely implementing the HIPAA Security Rule. They see the HIPAA Security as a “hill” and the HITRUST CSF as a “mountain,” due to its comprehensive treatment of the risks to ePHI. This couldn’t be further from the truth.
Compliance with the HIPAA Security Rule requires addressing its standards and implementation specifications — which involves determining an organization’s requirements, performing a risk assessment, and evaluating and addressing the gaps in the required controls. This is why HIPAA compliance is not quick or easy; if it was, you’d see a lot fewer breaches in the industry.
Fortunately, HITRUST does much of the hard work for you in making compliance with the HIPAA Security rule easier. In fact, there are many benefits in adopting the HITRUST CSF to support HIPAA compliance and information risk management — plus, you get the additional bonus of leveraging an industry-accepted level of due care and due diligence for the protection of ePHI. That’s a “win-win” from anyone’s perspective.
The same is true for the NIST CsF. Like the HIPAA Security Rule’s standards and implementation specifications, the NIST CsF Core Subcategories provide high-level objectives for cyber security and organizational resilience. And while the NIST CsF provides examples of specific security controls needed to achieve these objectives, the HITRUST CSF provides a complete set of security controls — tailored specifically for the healthcare industry — that addresses all of the NIST CsF objectives.
In fact, the HITRUST CSF actually provides the foundation for health- and public health industry-specific guidance on its implementation, available on the US-CERT Cybersecurity Framework website.
These misconceptions (and several others) are addressed in more detail in HITRUST’s RMF FAQ whitepaper. I encourage anyone that has questions about the HITRUST CSF — and its relationship to regulations like HIPAA and other frameworks like the NIST CsF — to check it out. It will also point you to other helpful resources that further explain the HITRUST approach to cybersecurity and risk management, and how all these seemingly disparate pieces fit together. You’ll be glad you did!
You can always reach out to HITRUST if you have any questions.
By Dr. Bryan Cline, is Vice President of Standards and Analytics at HITRUST