Should I Go Through HITRUST Certification Even If It’s Not Required?
The HITRUST CSF is a set of security controls designed to help organizations that work with sensitive healthcare data become more secure. Since HITRUST is gaining traction, many organizational decision makers are asking, “Should my company go through HITRUST certification even though we’re not required to do so?” This article explores what it means to be HITRUST certified and the benefits of HITRUST certification.
What is the HITRUST CSF?
The HITRUST CSF is the most commonly used regulatory framework in the United States healthcare industry. It is designed to provide a flexible and configurable standard that organizations can use to develop cybersecurity strategies compliant with the HIPAA, ISO, NIST, and PCI-DSS data protection regulations. While HITRUST compliance is not mandatory, it has several associated benefits and may be worth pursuing even if not required.
Benefits of HITRUST Certification
A HITRUST certification demonstrates that an organization complies with the HITRUST CSF. Achieving compliance with HITRUST is not mandatory under any regulation; however, the HITRUST CSF and certification have multiple benefits for an organization.
Some privacy and data protection regulations require the data to be protected “appropriately” and according to “best practice” without specifying what this means. The burden is left on the organization seeking compliance to determine what controls should be implemented and then to execute them. This creates the possibility that an organization could be unintentionally non-compliant due to controls being overlooked or incorrectly applied, or by developing or applying controls that are ineffective or hurt the organization’s security posture.
The HITRUST CSF is designed to give organizations concrete guidance on controls to be put into practice and how to modify requirements to fit the needs of the organization based on size, function, and organization layout.
Certifying against a framework helps to ease the burden on organizations and ensures that steps taken help to meaningfully increase organizational cyber resilience.
Many organizations are subject to more than one regulation. For example, if a healthcare provider accepts credit or debit cards as payment for services, it is required to protect this information under the PCI-DSS. Trying to meet the requirements of multiple regulations and standards can cause confusion and the potential for non-compliance if regulatory requirements are implemented, tested, and updated individually rather than as part of a comprehensive system.
Seeking HITRUST certification can help an organization design its security strategy to minimize the probability of oversights or errors and ensure compliance. The HITRUST CSF is designed to be configurable and allow organizations to demonstrate compliance with HIPAA, ISO, PCI-DSS, and NIST standards.
One of the major issues with proving compliance with HIPAA is that HIPAA provides neither concrete requirements for what constitutes a “compliant” system nor an official system for testing compliance. As a result, vendors have developed their own testing methods and certifications that organizations can seek.
Without clear, concrete requirements, it is impossible for organizations to prove that they are truly compliant under HIPAA regulations. An advantage of the HITRUST certification is that it provides organizations with a way to prove compliance under a reputable certification framework that can cover a variety of regulations (HIPAA, ISO, PCI-DSS, and NIST) and can be tailored to meet the needs of the organization.
Third-Party Verification of Compliance
The large number of recent data breaches in the healthcare industry, and in business as a whole, has underscored the importance of properly protecting users’ personal data. Achieving a third-party certification and attestation of an organization’s cybersecurity can be beneficial both internally and externally.
By achieving a third-party attestation of regulatory compliance, an organization can demonstrate appropriate due diligence for a legal investigation in the event of a breach. Organizations can also take advantage of this proactively by advertising the fact that they are compliant in order to attract customers who are concerned about the appropriate protection of their personal data.
How Do I Prepare for HITRUST Certification?
In order to become HITRUST certified, it is necessary to have your organization’s security controls assessed by a HITRUST CSF security assessor. Only a few organizations are registered assessors that are permitted to perform HITRUST audits and issue certificates.
Sword &amp; Shield is an information security organization that is a registered HITRUST assessor. With more than 20 years as compliance experts, Sword &amp; Shield simplifies the HITRUST experience to remove a considerable amount of burden from your staff. We provide insight into what you can expect throughout the HITRUST validation and certification process, incorporate existing recognized security and compliance frameworks such as HIPAA, NIST, ISO, and PCI, assess how your controls program is or is not meeting requirements, and help you build a clear and actionable plan to fulfill them.
If you are interested in pursuing a HITRUST certification or have questions about the process and its potential benefits for your organization, contact us for a consultation.