HITRUST Introduction: Getting Started
Sword & Shield offers this HITRUST introduction to take some of the mystery out of this comprehensive compliance tool and to explain what you need to know in order to get started with HITRUST compliance. Let’s start with the basics:
What is HITRUST?
The Health Information Trust Alliance (HITRUST) is a United States company that has partnered with leaders in the healthcare, technology, and information security sectors to form the HITRUST Alliance. It is governed by an Executive Council made up of members of organizations from across these industries and its primary purpose is to promote and maintain the HITRUST Common Security Framework (CSF).
The HITRUST CSF is a set of security controls designed to assist organizations that work with sensitive healthcare data. It includes a collection of security controls designed to outline the necessary steps for an organization to be compliant with frameworks, standards, and regulations in the healthcare sector.
The HITRUST CSF is a certifiable framework, meaning that organizations can request an independent assessment of their security controls and receive a certification stating that they meet the security requirements mandated by the HITRUST CSF. The ability to perform HITRUST certifications is limited to organizations approved by HITRUST.
Who Should Care About HITRUST?
The HITRUST CSF is targeted toward organizations of all sizes that “create, access, store, or exchange Protected Health Information (PHI)”. Due to the high level of sensitivity of PHI, numerous state, federal and international standards and regulations have been developed to control how PHI can be processed, stored or communicated.
The HITRUST CSF is a standard built upon other standards and authoritative sources relevant to the healthcare industry. The HITRUST CSF is designed to consolidate the guidance of all these standards into an actionable list of the requirements necessary for regulatory compliance. The list of applicable regulations includes the following:
- PCI Compliance
- FISMA Compliance
- FTC Red Flags Rule
- State of Massachusetts Data Protection Act
- State of Nevada Security of Personal Information Requirements
- State of Texas Health & Safety Code
- Joint Commission Accreditation
- CMS Minimum Security Requirements (High-Level Baseline)
- MARS-E Requirements
- IRS Pub 1075 Compliance
- State of California Civil Code § 1798.81.5(a)(1) HITRUST De-ID Framework Requirements
- EHNAC Accreditation
- Banking Requirements
- FedRAMP Certification
- 21 CFR Part 11
Organizations working within the healthcare industry will likely be under the jurisdiction of at least one of these regulations. If so, earning and maintaining a HITRUST certification demonstrates that your organization’s security controls meet the requirements set forth for the healthcare industry. If you are unsure if a HITRUST certification is the right fit for you, contact Sword & Shield for a consultation.
What Does the HITRUST CSF Cover?
The HITRUST certification is designed to cover the security requirements set forth by all healthcare-related regulations. As shown in the previous section, there are a great number of healthcare-related regulations, creating a large amount of overlap.
HITRUST divides the space of healthcare regulatory requirements into 19 Assessment Domains.
- Information Protection Program
- Endpoint Protection
- Portable Media Security
- Mobile Device Security
- Wireless Security
- Configuration Management
- Vulnerability Management
- Network Protection
- Transmission Protection
- Password Management
- Access Control
- Audit Logging & Monitoring
- Education Training & Awareness
- Third Party Assurance
- Incident Management
- Business Continuity & Disaster Recovery
- Risk Management
- Physical & Environmental Security
- Data Protection & Privacy
The HITRUST certification is designed to be flexible to meet the specific situation of an organization. Certain areas of the HITRUST certification apply only to particular segments of the industry and organizations outside of this segment can become HITRUST-certified without implementing these controls. HITRUST has also developed alternate controls that allow organizations without the capability to implement the original control to still become HITRUST certified.
How Do I Become HITRUST Certified?
If your organization handles Personal Health Information (PHI), implementing the HITRUST security controls may be a logical step toward establishing a security baseline. Since HITRUST is a certifiable framework, organizations can request an assessment by a HITRUST-authorized organization and receive a certification that their security meets minimal security requirements.
Sword & Shield is an authorized HITRUST assessor organization with skilled, experienced certified HITRUST practitioners.
We hope this HITRUST introduction has been helpful. If you have questions about the HITRUST certification or wish to start the process of becoming HITRUST-certified, schedule a consultation with a Sword & Shield representative today.