A Guide to HITRUST Certification

Streamlining Compliance in Healthcare and Beyond

07 March 2023

Introduction

Healthcare is a top industry targeted by cyber thieves due to a wealth of patient data and an exorbitant number of integrated technologies. One wouldn't have to look far to read about ransomware attacks on hospital systems - in 2018 alone there was at least one healthcare breach per day and 15 million patient records lost.

Then came the Health Insurance Portability and Accountability Act's (HIPAA) Security and Privacy Rules, which mandated "reasonable and appropriate" protections for healthcare data but did not specify a way for organizations to prove compliance. Still, the Office for Civil Rights (OCR) conducted its first audits of "covered entities" and their "business associates" in 2011.

80% of hospitals and 81% of health plans adopted the HITRUST CSF in 2019.

The HITRUST CSF is now the most widely adopted framework in the US healthcare industry - more than 80% of hospitals and health plans have adopted the CSF as a resource or as the basis for their overall program.

23,000 CSF Assessments were conducted in 2019, and that number grows significantly every year.

What is HITRUST?

Lacking a framework and certifying body, HIPAA compliance quickly became an obstacle for healthcare companies. In 2007, a committee of security professionals from various healthcare organizations came together to form an organization called the Health Information Trust Alliance (HITRUST). The organization had a single goal in mind: to standardize security controls around electronic protected health information (ePHI) to create a verifiable path to HIPAA compliance.

Since 2007, HITRUST has carefully selected and assessed controls from federal and industry best practices that support the information protection requirements of HIPAA, funneling them into a certifiable control framework now known as the HITRUST CSF.

If you want to have something that people can trust, it needs to address new threats and risks when they come up and adapt to the regulations that come from the oversight bodies.

Michael Frederick, VP of Operations, HITRUST

The HITRUST CSF

HITRUST sought to provide healthcare organizations guidance on how to apply security controls with regard to HIPAA. But going further, HITRUST recognized a need for one unified and consistent approach on how to apply security in a global marketplace with varying data protection standards.

HITRUST turned to ISO/IEC 27001 as the foundation for the HITRUST CSF, as its high-level controls are designed to suit almost any organization, in any industry, and in any country. The CSF builds on this foundation with each new release, moving towards its promise of "One Framework, One Assessment" by encompassing requirements from multiple standards and regulations (e.g. HIPAA, HITECH, PCI, ISO/IEC, COBIT, SOC, NIST, and GDPR).

Breaking Down the HITRUST CSF Certification

With the HITRUST CSF, organizations of all industries gain an integrated, all-encompassing set of comprehensive security safeguards. The HITRUST CSF Assessment is broken down into nineteen (19) different domains across 159 control specifications. 

Five (5) distinct implementation categories exist for each control: policy, process, implemented, measured, and managed. Each category builds on the one before it and is based on your organization's risk profile, size and amount of sensitive data stored. 

The 5 Steps to HITRUST CSF

There are essentially five steps to the HITRUST CSF Certification process. NCC Group works with organizations through each of the five steps, which on average take between 6 months and a year to complete, depending on your organization's level of readiness and the measures needed to implement the applicable controls. Note that not all controls will be applicable to every organization.

1) Scope 

Download the HITRUST CSF to learn more about the framework and its controls. From there, you will want to decide on the type of HITRUST assessment best suited for your business. The goal is to avoid taking on more requirements than your organization needs, or conversely too few.

Accurately defining scope is the single best way to reduce the time and financial burden of your journey to HITRUST CSF Certification.

2) Access MyCSF

Contact HITRUST to gain access to the HITRUST MyCSF tool. From there, you'll be able to create an assessment based on your previously defined scope and upload your existing policies and procedures to assess them against the assessment's HITRUST CSF control requirement statements.

Purchasing an annual subscription to the HITRUST MyCSF has numerous benefits, including reducing duplicative efforts between the self and validated assessments. 

3) Self Assessment 

This step can be completely internal, but selecting an assessor allows for a facilitated self-assessment to take place. This assessment provides document reviews, scoring, control descriptions, and of course gap identification along with recommendations.

HITRUST also offers a HITRUST CSF Self-Assessment Report, which documents findings in an official report that can be used to give assurances to customers.

4) Validated Assessment

When you're ready to begin your HITRUST CSF Validated Assessment, your organization will either be able to utilize the previously scoped and generated assessment or will need to create a new assessment, depending upon your HITRUST MyCSF access level. NCC Group won't be able to validate until all safeguards are in place and effective for at least 90 days.

From there, it will take approximately 90 days to complete testing, sampling, and validation of the controls prior to submitting to HITRUST. In addition, HITRUST requires NCC Group to perform a thorough QA of all validated assessments prior to submission.

We've generally seen our clients' control sets start at around 300 requirements on the low end and go up to over 600 for more extensive projects. Please note that HITRUST CSF Validated Assessments that do not meet the scoring requirements for HITRUST Certification will be issued a HITRUST CSF Validated Report instead.

5) Ongoing Testing

HITRUST CSF Certification is good for two years, after which a full re-validation will be needed. An interim review is required after year one of validation.

The NCC Group SMARTS Process

HITRUST has quickly become the gold standard for information security risk management and compliance in healthcare and other industries. 

If you're pursuing HITRUST CSF Validation with Certification or just want to implement a respected security control framework within your organization, our HITRUST CSF assessment team guides organizations of every industry, size, and complexity through a process called SMARTS.

SMARTS is an acronym standing for scope, map, analyze, review, test, and submit. We break down what each piece means below.

Scope - Properly scope and identify all sensitive information.

Map - Ensure proper determination of organizational, system, and regulatory risk factors, and obtain a set of controls for the environment.

Analyze - Determine proper documentation/evidence. Client assigns ratings and develops control descriptions.

Review - NCC Group reviews all documentation, evidence, control descriptions, and ratings.

Test - NCC Group performs testing, sampling, and validation of controls following the E-A-T (examine, analyze, test) process for validation.

Submit - Assessment undergoes internal QA and is then submitted to HITRUST.

Starting Your HITRUST Journey

HITRUST is one of the most highly regarded certifications in cyber security, but validation and certification bring about a number of challenges. Understanding and aligning with applicable HITRUST requirements, having a well-defined strategy, and gaining top-down support ahead of time will help ensure your success. 

1) Align With HITRUST's Many Requirements

HITRUST, on average, has between 320 and 380 controls, and a generic set of policies won't cover them. You will need a working set of policies, procedures, and supporting documentation to prove that HITRUST's required controls are implemented.

2) Assign a Dedicated Point Person 

More often than not, assessments get delayed for extensive periods of time while company stakeholders work on documents or processes, or attempt to identify who is in charge of specific systems.

Assign someone internally who understands what systems are in place, how policies and processes are supported, and which systems your organization is trying to certify. This should be someone who can pull in knowledgeable people to get the required tasks accomplished.

3) Secure and Leverage Top-Down Support 

More than any other security initiative, HITRUST needs support and alignment from executive management down to the individual security professional.

This will help you secure your budget and fast-track the tasks required for the assessment, such as policy writing, defining technical requirements and system configurations, and getting staff to pull the required information.
