Understanding the HITRUST Inheritance Program

What is HITRUST?

Because of the number of patients seeing medical professionals every day and the nature of their visits, the healthcare industry faces unique security challenges that no other industry sees. To help mitigate and manage risk, the Health Information Trust Alliance (HITRUST) was created. HITRUST establishes a Common Security Framework (CSF) that allows for the consistent implementation of HIPAA requirements.

What Is the HITRUST Inheritance Program?

The HITRUST Inheritance Program allows cloud hosting and service providers to easily and automatically apply their assessment scores to any organization’s assessment. Additionally, the HITRUST Inheritance Program allows organizations to inherit controls from one of their vendors’ assessments and apply them to their own assessments easily, saving time and resources.

By working with a participating managed service provider, organizations can leverage the inheritance program to simplify and streamline the assessment process.

How to Sign up for the HITRUST Inheritance Program

Looking to take advantage of the HITRUST Inheritance Program? Here’s how:

  1. Identify if the service provider has been previously approved as an organization with a HITRUST validated assessment.
  2. Note which specific controls should be inherited.
  3. Choose the service provider to transfer these controls to using a list of participating host and service providers.
  4. Once the information is selected and entered, the verification request for the relationship will be reviewed by the system and approved if it matches the HITRUST Inheritance Program criteria.

Note that although your organization may have signed up for these managed services, it does not mean that all the specifications will be met by the provider. Meeting specifications is dependent on the organization’s full scope and the services they have engaged the provider to perform.

Benefits of the HITRUST Inheritance Program

By seamlessly lifting and applying assessment scores to other assessments across the board, organizations can reduce the time, effort and associated costs required for testing inherited controls.

Other key benefits include:

  • Reducing the testing required
  • Reducing the data entry associated with applications
  • Simplifying the assessments for the task of securing sensitive data
  • Completing the process in a fully automated manner
  • Providing detailed inheritance of control requirement scores
  • Proving the service provider’s focus on security

Common Issues Faced With the HITRUST Inheritance Program

The most common roadblock organizations encounter when deciding to leverage the HITRUST Inheritance Program is the division of responsibilities. This is an ongoing issue when any organization across any industry uses a third-party service provider to manage a part of its service. It is paramount for the organization to have a Service Level Agreement that has a well-defined responsibility matrix. Also, the organization should review the responsibility matrix and perform a third-party independent risk assessment on a periodic basis to ensure the third party is meeting its defined responsibilities.

The domains most commonly leveraged by an organization as part of the HITRUST Inheritance Program, by type of service provider:

Co-location Data Center Services (applicable domains):

  • 18 Physical & Environmental Security

Managed Services (applicable domains):

  • 02 Endpoint Protection
  • 03 Portable Media Security
  • 04 Mobile Device Security
  • 05 Wireless Security
  • 06 Configuration Management
  • 07 Vulnerability Management
  • 08 Network Protection
  • 09 Transmission Protection
  • 10 Password Management
  • 11 Access Control
  • 12 Audit Logging & Monitoring
  • 15 Incident Management
  • 16 Business Continuity & Disaster Recovery

Cloud Services/Hosting Services (applicable domains):

  • 06 Configuration Management
  • 07 Vulnerability Management
  • 08 Network Protection
  • 09 Transmission Protection
  • 12 Audit Logging & Monitoring
  • 16 Business Continuity & Disaster Recovery
  • 18 Physical & Environmental Security

How A-LIGN Can Help

Ready to take the next step for your organization with the HITRUST Inheritance Program? A-LIGN is ready to help. Our team of professionals has years of experience with the healthcare industry, its organizations and its business associates. Together, we can determine and discuss the benefits of the HITRUST program for your organization.

Are you ready to strengthen your organization’s defenses? Contact A-LIGN at 1-888-702-5446 to speak with one of our cybersecurity professionals.