Today, covered entities and business associates are addressing a wide range of regulatory requirements driven by the growing complexity of the healthcare industry. Evolving technologies, migration to the cloud, and cyber threats like ransomware are just a few top-of-mind issues. Combine those with regulations under HIPAA, Meaningful Use, PCI, COBIT and ISO, and you will find that covered entities and business associates need a way to manage their security programs more effectively.
What is the HITRUST Common Security Framework (CSF)?
The HITRUST CSF is the leading information security framework for the healthcare industry. According to the Health Information Trust Alliance, the HITRUST CSF was developed to address the multitude of security, privacy and regulatory challenges facing healthcare organizations through a comprehensive and flexible framework of prescriptive and scalable security controls.
The CSF incorporates federal and state regulations, standards, and frameworks, and takes a risk-based approach that provides specific criteria for assessing how well an information system protects the confidentiality, integrity, and availability of its data. What makes the CSF unique is that it is the only security framework designed specifically for healthcare.
“Gold Standard” of Healthcare Data Security. Healthcare payers, and an increasing number of health systems and hospitals, are requiring their business associates to become HITRUST certified because the certification demonstrates that the organization has made a dedicated commitment to maintaining the greatest level of protection for their customers’ healthcare data.
Scalable and Cost-Effective. By including federal and state regulations, standards, and frameworks, and incorporating a risk-based approach, the HITRUST CSF helps organizations address the rapidly evolving information security challenges affecting every healthcare organization, regardless of size.
Because of its consolidated controls approach, an organization can generate multiple reports addressing legislative, regulatory or best practice frameworks with just one assessment, creating a well-established, robust, and documented security program to present whenever needed.
Though it is a rigorous process, once certified, the organization can respond more thoroughly and faster, using fewer resource hours in a repeatable manner. This can significantly reduce the burden of a continuous stream of arduous and lengthy security questionnaires that are a customary part of doing business as a healthcare technology or services company.
Competitive Advantage. Healthcare organizations’ customers are aware of, and concerned about, the ever-growing threat to their data security. They understand the importance of working with organizations that are educated on these threats and have taken the necessary steps to make sure they are protected according to the highest standards in the industry.
HITRUST Certification demonstrates that an organization is a leader in security, privacy, and compliance, and gives it an independently validated credential to back up that claim. This credibility and status in the healthcare industry sets an organization apart.
How do you achieve HITRUST Certification?
The HITRUST Certification process consists of an initial baseline self-assessment using the MyCSF web application; one or more Corrective Action Plans — based on the responses and the associated remediation needs — a validated assessment by a CSF Assessor (which Intraprise Health’s BluePrint Security Services have been since 2011); and a final submission to the HITRUST Alliance, which certifies the information provided.
For each assigned control in MyCSF, a submitter must score themselves on five evaluation criteria, which are then weighted differently by the HITRUST Alliance during submission:
For each evaluation criterion, under each control, submitters assign themselves a compliance score based on their level of maturity, measured on a scale of 0 to 100 in increments of 25.
HITRUST will provide a report of findings to the submitting organization, indicating whether the security controls, as identified in the CSF, were of a sufficient or insufficient maturity level to be deemed adequate, both objectively and in relation to peers in the healthcare industry.
Ultimately, the overall maturity level score determines whether you achieve HITRUST Certification.
Intraprise Health’s BluePrint Security Services is one of the longest-tenured, 100% healthcare-focused HITRUST Certified Assessors. Our executives hold two seats on the HITRUST Assessor Council and have presented at the HITRUST 2017 and 2018 Annual Conferences.
We have taken our clients — covered entities and business associates — through the certification process while helping them to simplify the complexities of HITRUST. Our deep and varied experience, proven methodology, client partnerships, and purpose-built tools make the journey to certification easier to navigate.