HITRUST CSF v9.3 Incorporates New Frameworks, Legislation and Standards

Since 2007, the HITRUST Common Security Framework (CSF) has been recognized as a well-rounded and certifiable security framework for any organizations of all sizes and industries. With the upcoming CSF v9.3 update, HITRUST continues to demonstrate its value for any organization by expanding to incorporate new frameworks, legislation and standards.

What is the HITRUST CSF?

The HITRUST CSF is a scalable and extensive security framework used to efficiently manage the regulatory compliance and risk management of organizations. By unifying regulatory requirements and recognized frameworks from ISO 27001, NIST 800-171, HIPAA/HITECH, PCI DSS, GDPR and more into one comprehensive system, the HITRUST CSF saves time and energy by assessing once and reporting many.

Thanks to its ability to combine several assessments and frameworks into one framework, the HITRUST CSF allows clients to decide what they want to test against and get controls based on that level of risk. This “assess once, report many” approach means that assessors are performing several different audits, but the organization feels like they’re only undergoing one. Because of this benefit and its exhaustive focus on security, the HITRUST CSF has been adopted by organizations across different industries.

Originally designed specifically for the healthcare industry, the recent HITRUST CSF v9.2 grew the framework to make it useful for any organization around the globe.

CSF v9.3 will be released Q3 of 2019 and the HITRUST organization has detailed the additional regulatory factors that will be added to the framework.

Incorporation with the California Consumer Privacy Act

One of the most notable updates in CSF v9.3 is the incorporation of new standards and regulations, including requirements placed on organizations by the California Consumer Privacy Act (CCPA).

Passed in 2018, the CCPA was built to be similar to the European Union’s General Data Protection Regulation (GDPR) and takes a stronger stance to protect the sharing, transmission and storage of consumer data. The CCPA legislation goes into effect on January 1, 2020, with the enforcement of the law starting on July 1, 2020.

Not only does the HITRUST CSF v9.3 incorporate standards and regulations from the CCPA, it reflects key differences between the CCPA and GDPR, including requirements for data access, applicability and requirements for opt-out methods.

Other Important Updates to CSF v9.3

Aligning the HITRUST CSF with the CCPA is only one of the updates to the HITRUST framework. CSF v9.3 also updates the framework to incorporate other authoritative sources, including:

  • The Federal Risk and Authorization Management Program (FedRAMP)
  • The National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity: Framework Core – Subcategories, v1.1
  • Centers for Medicare & Medicaid Services’ (CMS) Information Security ARS: CMS Minimum Security Requirements for High Impact Data, version 3.1
  • IRS Publication 1075: Tax Information Security Guidelines for Federal, State and Local Agencies: Safeguards for Protecting Federal Tax Returns and Return Information
  • South Carolina’s Bill 4655, the Insurance Data Security Act

Who Should Migrate to CSF v9.3

If your entity wants to add any of the six regulatory factors outlined above to your HITRUST assessment, you will need to undergo CSF v9.3. If you are not interested in adding these factors, you can instead opt to undergo CSF v9.1 or CSF v9.2.

By giving organizations more choice to better fit their needs, the HITRUST CSF continues to position itself as a valuable, powerful and flexible framework for organizations of all sizes across all industries.

The A-LIGN Difference

A-LIGN’s experience and commitment to quality helped over 130 clients successfully achieve HITRUST certification. Our vigorous process outlined above helps you prepare for the HITRUST assessment, and our team of HITRUST experts are here to answer any question you might have through every step of the process by answering all inquiries within twenty-four hours. With A-LIGN, you’re on the right path to HITRUST certification success.

Interested in pursuing the HITRUST CSF for your organization? Contact A-LIGN at 1-888-702-5446 to speak with one of our cybersecurity and compliance professionals.

 

Using HITRUST for Industries Beyond Healthcare

Organizations around the world, especially ones in the HITRUST XChange program, are moving to quickly implement the HITRUST Common Security Framework (CSF) for their organization. With the recent HITRUST CSF v9.2 update, organizations across all industries – not just healthcare – can benefit greatly from the HITRUST framework.

Continue reading “Using HITRUST for Industries Beyond Healthcare”

HITRUST Assessment Scoping Guidelines

HITRUST-assessmentWe are asked routinely “which controls will A-LIGN test as part of the HITRUST assessment?”.  The answer to that question depends on the environment and the outcome of the scoping process.  Scoping occurs in the initial phases of your HITRUST assessment process in order to determine which controls will be included in your assessment.

When determining the scope of an assessment, there are three major factors that affect the risk within an organization. These are the type and size of an organization, the system that is being utilized, and what external regulations affect the organization. In combination, these three factors determine the appropriate implementation requirements.

However, one of the first things an organization should determine before attempting to configure their scope is why they are seeking HITRUST compliance. Are they seeking to satisfy the requirements of business associates? Are they looking to utilize the certification to demonstrate their level of information security and increase marketability through differentiation? Is it a regulatory requirement?

By determining this information, it makes the scoping process much easier by developing a better understanding of the needs of your organization and those affected by its decision to receive a HITRUST assessment.

Type and Size of an Organization

The type and size of the organization affects the risk and complexity of the organization being assessed.  The organizational factors impact the controls which are included in the scope.  This is driven by the volume of business, which is determined by factors such as the number of transactions or number of records.  It is also driven by the geographic location of the organization, whether in one state, multiple states or even global.

It may be helpful for large companies to break down the organization into the different business units. Because many healthcare organizations have many different functions within the entity, they should be broken down by their distinct operational differences. At times, it is also necessary to separate the organization by geographic segments in order to more appropriately comply with regional differences in regulation.

Systems in Use

Once the organizational size and type are clear, determining which systems are in use is the next step. When referring to the systems that are in use, focus on those that are used in the transmission, storage, or processing of electronic protected health information (ePHI) or other types of PHI.

Important factors include the accessibility of the systems:

  • From the Internet or other remote access operation.
  • Through a third-party of any kind.
  • From any public location.
  • From other systems.

Regulatory Factors

Regulatory factors have also affect the scope of the assessment and can be dependent on geographic determinations, as well as the other compliance needs of an organization.  For example, if the organization also processes payment card data, the PCI DSS standard may be included in scope, or a state specific data security standard may be included in the assessment.

Setting the proper scope is an important first step when pursuing HITRUST certification.  The scope drives the subsequent steps in the process.  If you have questions or would like additional information on HITRUST or how to establish the proper scope, please contact one of A-LIGN’s HITRUST CSF assessors to learn more.

Interested in learning more about HITRUST?

Contact one of our certified HITRUST practitioners at info@a-lign.com or 1-888-702-5446

An Overview of the HITRUST CSF and Related Frameworks

HITRUST-CSF
The HITRUST CSF is a comprehensive, certifiable security framework that pulls from HIPAA/HITECH, ISO 27001, NIST SP 800-53, COBIT, and PCI DSS, combining them to create a powerful framework.

The HITRUST CSF provides an integrated, prescriptive framework that works with the needs of the healthcare industry in order to comply with the necessary standards. This framework is able to be scaled for the various sizes and types of organizations and their control systems. It also allows for the tailoring and scaling of controls with HITRUST oversight to ensure that the integrity of the systems remain in-tact and application remains consistent.

The HITRUST CSF and ISO 27001

HITRUST recognizes the complex, global nature of healthcare industry and the need for an industry-specific approach to information protection. Because of this, ISO/IEC 27001 was chosen as the foundation from which the HITRUST CSF was built upon due to its place as an international standard for information security that could be modified and implemented for any organization.

ISO 27001 differs greatly from the HITRUST CSF, as ISO 27001 is not control-compliance based, but is instead a management/process model for the Information Management System that is assessed. One of the major benefits of the HITRUST CSF over ISO 27001 is the ability to select and create practical controls. While ISO 27001 does have the ability to tailor controls in order to better-fit organizations who cannot implement a specific control, but it is not as complete in its ability to be tailored or scaled.

The HITRUST CSF and NIST 800-53

The HITRUST CSF also pulls from NIST SP 800-53, which was designed for United States government agencies. However, the standards are applicable to many different types of organizations. One of the key differences between NIST 800-53 and the HITRUST CSF is that NIST 800-53 does not address the specific needs within the healthcare industry.

Both NIST 800-53 and HITRUST CSF are compliance solutions that assess a set of controls through gap analysis of any controls considered within the scope for the organization or system.

One of the issues with NIST 800-53 that the HITRUST CSF takes care of is the ability to scale controls to the specific organization. NIST 800-53 has no formal mechanism for an organization to do so. NIST 800-53 does have the ability to tailor controls in certain situations when an organization is unable to implement a specific control, though it is more limited than the HITRUST CSF.  However, this is limited because NIST 800-53 defines control parameters based on the highest potential impact, regardless of the size or type of organization.

The HITRUST CSF and PCI DSS

PCI DSS is a payment card industry standard used to protect payment card data. Founded by the five major card brands, Visa, MasterCard, American Express, Discover and JCB, PCI DSS defines controls to enhance credit and debit card security.

In many ways, HITRUST has used this type of methodology in the creation of the HITRUST healthcare standard. HITRUST receives input from their board of directors, who are industry experts from major healthcare organizations, to tailor the framework to the industry’s needs.

Overview

While there are a variety of different audit options for any organization, the HITRUST CSF provides scalable, prescriptive solutions for organizations of any type. By pulling from major pre-existing frameworks and working with healthcare organizations to better-understand their needs, the HITRUST CSF provides a complete, certifiable security standard.

Looking for the right healthcare compliance solution for your organization?

Talk to one of our HITRUST professionals now by emailing info@a-lign.com or call 1-888-702-5446

HITRUST Assessment Types & HITRUST Integration with SOC 2

Don’t make the climb to compliance more difficult than it has to be. With a comprehensive framework for organizations of any size, system or regulatory requirement, the HITRUST CSF allows for organizations to easily assess their current compliance while providing implementation requirements based on an organization’s risk factors.

Types of HITRUST Assessments

HITRUST has two methods to approach complying with the HITRUST CSF with each providing their own unique benefits, depending on the needs of an organization. They include the Self-Assessment, and a Validated Assessment, which leads to HITRUST certification. They each function on varying degrees of assurance based on the cost, effort-level, and time required. The benefits of any type of HITRUST CSF Assessment include:

  • Scalability for organizations of any size
  • Allows for organizations to understand their current level of compliance with the CSF and areas of general risk

HITRUST Self-Assessment

The HITRUST MyCSF is designed to be completed by an organization in order to minimize time and resources when demonstrating compliance with the CSF. The self-assessment can also be used as a stepping stone to a validated assessment. The benefits include:

  • Low to medium level of effort needed to complete
  • Can be quickly completed

However, one of the disadvantages of completing a self-assessment report is that it provides the lowest level of assurance, as no validation comes from the self-assessment: it simply results in a HITRUST issued CSF Self-Assessment report.

Validated Assessment

A Validated Assessment is a more rigorous assessment process, with an increase in assurance level performed by a CSF assessor firm to validate the information gathered by the organization. One of the benefits of receiving a CSF validated assessment includes providing an increased assurance level to the relying entity.

The process is more rigorous due to on site testing at the entity to be performed by an authorized CSF assessor. A validated assessment requires a medium to high level of effort for completion, due to the on-site time and rigorous testing procedures. Upon completion, HITRUST reviews the complete assessment and issues a Validated Report as the outcome if the organization has failed to receive a rating of 3 or higher on any of the controls.

Certified Assessment

While an organization goes through the same audit-process when receiving either a validated assessment or a certified assessment, becoming HITRUST certified means that the organization received at least a 3 on HITRUST’s scale and has shown a high-level of maturity.

The benefits of receiving a CSF certified assessment include:

  • The report is good for 2 years, with an interim assessment completed at the one-year mark.
  • Provides the most complete assurance level certified by HITRUST. The organization that receives a certified assessment must meet all of the certification requirements of the CSF.

A certified assessment is only earned once an organization successfully demonstrates that they are able to meet all of the controls in the CSF required for certification at the appropriate level based on organizational needs.

Integration with SOC 2

What is SOC 2?

SOC 2 reports describe the internal controls at a service organization, based on the AICPA’s Trust Principles:

  • Common Criteria (Security)
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

SOC 2 reports provide users with management assertions, a description of both the system and the controls, tests and the results of the tests, and the independent service auditor’s report.  The SOC 2 is widely used by service organizations that provide services to other business entities.

HITRUST and the American Institute of Certified Public Accountants (AICPA) have developed a collaborative approach that aligns the AICPA’s Trust Principles with the HITRUST CSF criteria.  This allows licensed CPA firms, who are also CSF assessor firms to issue a SOC 2 plus HITRUST report that includes both the SOC 2 criteria and HITRUST CSF.  This makes HITRUST and SOC 2 complementary services through this converged reporting model. The benefits for your organization include:

  • Save time
  • Save on costs
  • Gain efficiency
  • Increase your client satisfaction

This streamlining process allows organizations to simplify the process of leveraging their HITRUST CSF for SOC 2 reporting.

Is HITRUST implementation right for your organization?

Contact us today at info@a-lign.com or call 1-888-702-5446 to find out your options for data protection and compliance.

Impact of the HITECH Act on HIPAA Compliance

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) introduced Privacy and Security regulations to protect protected health information (“PHI”). HIPAA was primarily directed at healthcare providers, health care clearinghouses or health plans (such as an insurance company), which are referred to as covered entities (“CE”). As part of the American Recovery and Reinvestment Act of 2009 the Health Information Technology for Economic and Clinical Health Act (“HITECH”) expanded the reach and penalties related to HIPAA compliance. Two of the key areas where HITECH impacts companies’ HIPAA compliance relate to the requirements of Business Associate (“BA”) and the requirement for federal breach reporting requirements for HIPAA CE’s and BA’s. Continue reading “Impact of the HITECH Act on HIPAA Compliance”