Looking at the HITRUST CSF vs. HIPAA isn’t an accurate comparison. Here’s how the security framework and the law are different, plus the ways in which they interact.
The United States represents an attractive market for many European companies, but international expansion can be fraught with risk because of a completely different regulatory landscape.
“How European Companies Can Accelerate International Expansion with SOC 2 Compliance”
This article is Part One of a Four-part Series on the HITRUST Framework
When you think of HITRUST, you probably think of healthcare. After all, HITRUST was originally created as the “Health Information Trust Alliance.” “7 HITRUST Regulatory Factors to Consider for Healthcare”
Since 2007, the HITRUST Common Security Framework (CSF) has been recognized as a well-rounded and certifiable security framework for any organizations of all sizes and industries. With the upcoming CSF v9.3 update, HITRUST continues to demonstrate its value for any organization by expanding to incorporate new frameworks, legislation and standards.
What is the HITRUST CSF?
The HITRUST CSF is a scalable and extensive security framework used to efficiently manage the regulatory compliance and risk management of organizations. By unifying regulatory requirements and recognized frameworks from ISO 27001, NIST 800-171, HIPAA/HITECH, PCI DSS, GDPR and more into one comprehensive system, the HITRUST CSF saves time and energy by assessing once and reporting many.
Thanks to its ability to combine several assessments and frameworks into one framework, the HITRUST CSF allows clients to decide what they want to test against and get controls based on that level of risk. This “assess once, report many” approach means that assessors are performing several different audits, but the organization feels like they’re only undergoing one. Because of this benefit and its exhaustive focus on security, the HITRUST CSF has been adopted by organizations across different industries.
Originally designed specifically for the healthcare industry, the recent HITRUST CSF v9.2 grew the framework to make it useful for any organization around the globe.
CSF v9.3 will be released Q3 of 2019 and the HITRUST organization has detailed the additional regulatory factors that will be added to the framework.
Incorporation with the California Consumer Privacy Act
One of the most notable updates in CSF v9.3 is the incorporation of new standards and regulations, including requirements placed on organizations by the California Consumer Privacy Act (CCPA).
Passed in 2018, the CCPA was built to be similar to the European Union’s General Data Protection Regulation (GDPR) and takes a stronger stance to protect the sharing, transmission and storage of consumer data. The CCPA legislation goes into effect on January 1, 2020, with the enforcement of the law starting on July 1, 2020.
Not only does the HITRUST CSF v9.3 incorporate standards and regulations from the CCPA, it reflects key differences between the CCPA and GDPR, including requirements for data access, applicability and requirements for opt-out methods.
Other Important Updates to CSF v9.3
Aligning the HITRUST CSF with the CCPA is only one of the updates to the HITRUST framework. CSF v9.3 also updates the framework to incorporate other authoritative sources, including:
- The Federal Risk and Authorization Management Program (FedRAMP)
- The National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity: Framework Core – Subcategories, v1.1
- Centers for Medicare & Medicaid Services’ (CMS) Information Security ARS: CMS Minimum Security Requirements for High Impact Data, version 3.1
- IRS Publication 1075: Tax Information Security Guidelines for Federal, State and Local Agencies: Safeguards for Protecting Federal Tax Returns and Return Information
- South Carolina’s Bill 4655, the Insurance Data Security Act
Who Should Migrate to CSF v9.3
If your entity wants to add any of the six regulatory factors outlined above to your HITRUST assessment, you will need to undergo CSF v9.3. If you are not interested in adding these factors, you can instead opt to undergo CSF v9.1 or CSF v9.2.
By giving organizations more choice to better fit their needs, the HITRUST CSF continues to position itself as a valuable, powerful and flexible framework for organizations of all sizes across all industries.
The A-LIGN Difference
A-LIGN’s experience and commitment to quality helped over 130 clients successfully achieve HITRUST certification. Our vigorous process outlined above helps you prepare for the HITRUST assessment, and our team of HITRUST experts are here to answer any question you might have through every step of the process by answering all inquiries within twenty-four hours. With A-LIGN, you’re on the right path to HITRUST certification success.
Interested in pursuing the HITRUST CSF for your organization? Contact A-LIGN at 1-888-702-5446 to speak with one of our cybersecurity and compliance professionals.
Cybersecurity examinations are an important undertaking for your organization, its health and projected future. With no shortage of firms and examination types to choose from, preparing to undergo an audit or assessment can feel like a massive undertaking. Is the firm cutting corners reliable? Is the accessor able to deliver on their lofty promises? And how can you tell if they’re providing quality work?
Organizations around the world, especially ones in the HITRUST XChange program, are moving to quickly implement the HITRUST Common Security Framework (CSF) for their organization. With the recent HITRUST CSF v9.2 update, organizations across all industries – not just healthcare – can benefit greatly from the HITRUST framework.
With HITRUST v9.2, the Common Security Framework (CSF) continues to be a very powerful and useful security framework for any organization – both inside and outside the healthcare industry.
On March 1, 2017, HITRUST announced its roadmap for 2017, which included improvements to the HITRUST CSF and a renewed focus on smaller healthcare organizations.
The roadmap focuses on combating cyber threats and information risks while advancing protection standards regarding healthcare data through CSFBASICs, HITRUST CSF v8.1, HITRUST CSF v9, and CSF Assurance Program v9.
CSF Basic Assurance and Simple Institution Cybersecurity, or CSFBASICs, makes it easier for smaller businesses to realistically meet regulatory demands, in addition to protecting against cyber threats. These requirements are streamlined and make it easier to understand, enabling smaller companies to provide regulatory assurance to regulators and third-parties.
This update is scheduled for availability in Q3 of 2017.
HITRUST CSF v8.1
HITRUST CSF v8.1 was made available February 6, 2017. Updates include support for PCI DSSv3.2 and MARS-E v2.
HITRUST CSF v9
The HITRSUST CSF v9 update includes OCR Audit Protocol v2, FedRAMP Support for Cloud and IaaS Service Providers, and FFIEC IT Examination Handbook for Information Security.
The controls for HITRUST CSF version 9 will increase from 66 to 75. Clients that wish to certify against version 8.0 or 8.1 will need an assessment object already in MyCSF before the release of version 9. Then, the assessment must be submitted for processing within six months. There will be no exceptions to this policy.
HITRUST is ensuring relevant CSF control requirements align with the language of the Office for Civil Rights Audit Protocol. In addition, FedRAMP requirements will be incorporated. Version 9 includes new authoritative sources such as the Federal Financial Institutions Examination Council’s IT Examination Handbook – Information Security requirements, and the Department of Homeland Security’s Cyber Resilience Review (CPR). The HITRUST Threat Catalogue will fully integrate with v10 in 2018.
HITRUST CSF v9 is scheduled to be available in July 2017.
CSF Assurance Program v9
The CSF Assurance Program v9 changes so that a HITRUST CSF Assessment also includes a NIST Cybersecurity Framework certification, which includes auditable documentation in addition to a HIPAA risk assessment.
This program is scheduled for availability in Q3 2017.
Addressing Your HITRUST Needs
Unsure of how these updates could affect your organization? A-LIGN’s professionals have experience with healthcare organizations and their business associates. Please reach out today to discuss how CSFBASICs, HITRUST CSF v8.1, HITRUST CSF v9, and the CSF Assurance Program v9 could affect your organization in 2017 and beyond.
Author: Gene Geiger, CPA, CISSP, CCSK, QSA, PCIP, ISO 27k LA, and Partner at A-LIGN.
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced Phase 2 of the HIPAA Audit Program.
Every covered entity and business associate will be eligible to be audited. Organizations will be identified by OCR across a broad criterion in order to assess compliance across the industry. Upon selection, an organization will be contacted by OCR and will have ten days to submit documentation via OCR’s secure online portal so that the OCR auditors can observe compliance with HIPAA Privacy, Security or Breach Notification Rules. There are three types of audits that will be conducted: desk and onsite audits, followed by a third set of onsite audits that will examine a broader scope of requirements from the HIPAA rules. All desk audits will be completed by the end of December 2016.
After the audit is completed, OCR will review and analyze all collected information and aggregate the results so that they can better understand the compliance efforts with regard to HIPAA Rules. During Phase 1 of this program, OCR found that nearly two-thirds of all covered entities had not performed a risk assessment, as is required by the HIPAA Security Rule.
In order to prepare for Phase 2, all organizations that have not previously performed a risk assessment as required by the HIPAA Security Rule should have one conducted. In addition, organizations should ensure policies and procedures are up to date, while also conducting periodic evaluations of the controls that are in place. This is essential in order to meet the ten-day submission window set by OCR.
Need help ensuring that your organization is able to adhere to the HIPAA/HITECH requirements? Contact us at 1-888-702-5446 or [email protected]
We are asked routinely “which controls will A-LIGN test as part of the HITRUST assessment?”. The answer to that question depends on the environment and the outcome of the scoping process. Scoping occurs in the initial phases of your HITRUST assessment process in order to determine which controls will be included in your assessment.
When determining the scope of an assessment, there are three major factors that affect the risk within an organization. These are the type and size of an organization, the system that is being utilized, and what external regulations affect the organization. In combination, these three factors determine the appropriate implementation requirements.
However, one of the first things an organization should determine before attempting to configure their scope is why they are seeking HITRUST compliance. Are they seeking to satisfy the requirements of business associates? Are they looking to utilize the certification to demonstrate their level of information security and increase marketability through differentiation? Is it a regulatory requirement?
By determining this information, it makes the scoping process much easier by developing a better understanding of the needs of your organization and those affected by its decision to receive a HITRUST assessment.
Type and Size of an Organization
The type and size of the organization affects the risk and complexity of the organization being assessed. The organizational factors impact the controls which are included in the scope. This is driven by the volume of business, which is determined by factors such as the number of transactions or number of records. It is also driven by the geographic location of the organization, whether in one state, multiple states or even global.
It may be helpful for large companies to break down the organization into the different business units. Because many healthcare organizations have many different functions within the entity, they should be broken down by their distinct operational differences. At times, it is also necessary to separate the organization by geographic segments in order to more appropriately comply with regional differences in regulation.
Systems in Use
Once the organizational size and type are clear, determining which systems are in use is the next step. When referring to the systems that are in use, focus on those that are used in the transmission, storage, or processing of electronic protected health information (ePHI) or other types of PHI.
Important factors include the accessibility of the systems:
- From the Internet or other remote access operation.
- Through a third-party of any kind.
- From any public location.
- From other systems.
Regulatory factors have also affect the scope of the assessment and can be dependent on geographic determinations, as well as the other compliance needs of an organization. For example, if the organization also processes payment card data, the PCI DSS standard may be included in scope, or a state specific data security standard may be included in the assessment.
Setting the proper scope is an important first step when pursuing HITRUST certification. The scope drives the subsequent steps in the process. If you have questions or would like additional information on HITRUST or how to establish the proper scope, please contact one of A-LIGN’s HITRUST CSF assessors to learn more.