By Ray Biondo, CISO, BEYOND LLC.
How It All Began
I am a working CISO, and for 15 years I was the CISO at one of the largest healthcare payer organizations in the US. It seemed that all I heard was “you have to get HITRUST certified!” However, in my mind, HITRUST was just another certification, and we already had certifications… actually, I was thinking “too many certifications!” But then I started asking why this certification is so important, and why we should spend additional resources to attain HITRUST certification. Why would we, or should we, do this?
As we know, the healthcare sector is behind other business sectors such as finance and retail when it comes to Information Security. And, within the healthcare sector, each organization runs its information security programs differently. We all have different requirements based on varying budgets and different levels of security maturity, which can result in inconsistent ways of protecting ePHI data. We CISOs even tend to believe that our own organizations operate a top-notch security program – which usually is not the case.
The solution to our industry’s information security challenges, and to protecting ePHI data, is the HITRUST CSF. This certification is designed specifically for the healthcare sector. HITRUST sets a de facto standard and approaches healthcare as one ecosystem driven by HIPAA, HITECH, NIST and MARS-E, to name a few… but all using the same framework – the HITRUST CSF.
The Advantages of HITRUST
The HITRUST CSF creates a “Culture of Compliance” within an organization. This “Culture” is one that every CISO should expect from his/her team and organization. In addition, the HITRUST CSF framework is well written and easy to understand.
HITRUST is an organization that is well established and represents the healthcare sector. HITRUST lobbies for our interests, creating a stronger healthcare community – one built for the protections and developments that our organizations deserve.
From a CISO perspective, the biggest advantage HITRUST CSF certification brings is that it identifies the security control maturity levels across your enterprise – to gain certification, you must have proven the findings with evidence. In my case, having the HITRUST CSF Certification made reporting to my Board of Directors easy.
Now I’m looking through a different lens. I’m, once again, a CISO, this time for BEYOND LLC, a HITRUST Assessor Organization. I have a new perspective on the HITRUST CSF. The HITRUST CSF is a viable, quality solution to developing a framework for a strong Information Security program. Many organizations have very little or no security around their computer information, which is shocking, but true. Often, there are few policies, fewer official procedures and very little monitoring of the systems.
Having seen some of the diverse situations that many organizations find themselves in has reinforced my belief in the importance of becoming HITRUST CSF certified. HITRUST CSF Certification provides a level of comfort about your organization’s due diligence. With the HITRUST CSF Certification, you will be secure in your knowledge of your internal operations; you will be comfortable monitoring your systems; you will be ready and able to recover from any situation; and you will have peace of mind. Having worked with BEYOND LLC clients, through their strengths and weaknesses, I can now see the high levels of competence and consistency within their Information Security programs after they have successfully completed the HITRUST CSF process and attained their HITRUST CSF certification.
Ray Biondo is CISO for BEYOND LLC.