HITRUST Certification Made Easier

You’ve seen the statistics and know that healthcare cybersecurity attacks are happening in record numbers. You know patients are increasingly anxious about the security of their personal data.

Now you’ve been told by one of your most valued clients that you have to obtain HITRUST certification. You don’t know what that means or how it’s going to affect your business. This is uncharted territory for you, and you’ve heard it’s a daunting task.

What if Sword & Shield’s healthcare security experts told you we can make fulfilling HITRUST compliance requirements easier and more positive?

It’s true: From getting started to achieving certification, Sword & Shield can help.

What is HITRUST?

The Health Information Trust Alliance (HITRUST) is a United States company that has partnered with leaders in the healthcare, technology, and information security sectors. It is governed by an executive council made up of members of organizations from across these industries.

HITRUST works in collaboration with healthcare, technology and information security leaders to establish the Common Security Framework (CSF) that can be used by all organizations that create, access, store or exchange sensitive and/or regulated data.

Its primary purpose is to promote and maintain the CSF.

What is the HITRUST CSF?

The HITRUST CSF is a set of security controls designed to help organizations that work with sensitive healthcare data to become more secure.

This is a standard built upon other standards and authoritative sources relevant to many industries, including the healthcare industry. These include the following:

  • HIPAA
  • ISO 27001
  • COBIT
  • NIST
  • PCI DSS

HITRUST is designed to consolidate the guidance of many security standards into an actionable list of the requirements needed for compliance.

The HITRUST CSF is both risk and compliance based and allows organizations to tailor the applicable controls based on several factors including:

  • Organization type and size
  • In-scope system type(s)
  • Traffic/data volume
  • Regulatory factors

The list of applicable regulations includes the following:

  • PCI Compliance
  • FISMA Compliance
  • FTC Red Flags Rule
  • Massachusetts Data Protection Act
  • Nevada Security of Personal Information Requirements
  • Texas Health & Safety Code
  • Joint Commission Accreditation
  • CMS Minimum Security Requirements (High-Level Baseline)
  • MARS-E Requirements
  • IRS Pub 1075 Compliance
  • State of California Civil Code § 1798.81.5
  • HITRUST De-ID Framework Requirements
  • EHNAC Accreditation
  • Banking Requirements
  • FedRAMP Certification
  • 21 CFR Part 11
  • EU GDPR
  • 23 NYCRR 500
  • CRR V2016

Organizations working within the healthcare industry will likely fall under the jurisdiction of at least one of these regulations. If so, earning and maintaining a HITRUST certification demonstrates that your organization’s security controls meet healthcare industry requirements.

The HITRUST CSF is a certifiable framework: an organization can request an independent assessment of its security posture, and a successful validated assessment, which confirms that the organization meets its applicable security requirements, is the prerequisite for HITRUST certification. Only organizations that HITRUST has approved as certified assessors may perform HITRUST validations.

Who Needs HITRUST?

The HITRUST CSF targets any and all organizations that “create, access, store, or exchange Protected Health Information (PHI)”. PHI is, by nature, highly sensitive data. HITRUST helps these organizations to address the following information security challenges:

  • Inconsistent implementation of minimum controls
  • Inefficiencies created by varying interpretations of objectives and safeguards
  • Pressure from regulators, auditors, underwriters, customers, and business partners
  • Increasing risk and liability, including data breaches, regulatory violations and extortion, and the resulting public concern
  • An ever-evolving business, technology, and regulatory environment

How to Become HITRUST Certified

Sword & Shield Enterprise Security partners with you to remove the mystery and uncertainty surrounding HITRUST to make achieving certification less “painful.” Our certified HITRUST practitioners show you how to make this a useful and productive tool.

Sword & Shield is one of a select number of HITRUST-authorized CSF assessor firms. We are one of only a few whose organization focuses entirely on information security and compliance.

We supplement your staff with our team of certified professionals to provide the following HITRUST compliance services:

  • Help you select and purchase the HITRUST portal.
  • Assist you with accurately scoping the relevant controls specific to your environment.
  • Either:
    1. Perform an assisted self-assessment in which we help you populate the portal and validate your entries, or
    2. Validate your entries after you populate the portal.

HITRUST Assisted Self-Assessment Service

Sword & Shield HITRUST experts assist you with populating the MyCSF tool with applicable scoping information, including organizational, system, and regulatory risk factors. Once scoping information is complete, the required CSF control specifications will be generated (hundreds of controls across 19 domains).

We provide guidance on the responses for each requirement statement to assess the level of compliance at each of the five maturity levels. For each maturity level (policy, procedure, implemented, measured, and managed), Sword & Shield will recommend the level of compliance to record for the customer.

HITRUST CSF Assessment with Validated Report

After the MyCSF portal has been populated and the self-assessment is complete, as your Assessor organization, Sword & Shield provides HITRUST certification services through the performance and execution of a CSF Assessment.

Sword & Shield’s on-site assessment includes the following:

  • Review of all supporting documentation
  • Interviews with key personnel
  • Sampling and technical testing such as vulnerability scans and penetration testing
  • Submission of paperwork to HITRUST, including the participation letter, the representation letter, and an overview of the scoping document

HITRUST reviews the assessment and conducts a quality assurance check. HITRUST then provides a Validated Report within 4-6 weeks after receiving Sword & Shield’s documentation. The validated report is required to achieve HITRUST certification.

Value to Your Business

Sword & Shield’s certified HITRUST assessors take the burden off you and your staff. We take a comprehensive, flexible, and consistent approach to regulatory healthcare compliance and risk management.

Our more than 20 years as security and compliance experts empower us to do the following for our clients:

  • Provide insight into what you can expect throughout the HITRUST validation and certification process.
  • Simplify your experience.
  • Incorporate existing recognized security and compliance frameworks such as HIPAA, NIST, ISO, and PCI.
  • Assess where your controls program is or is not meeting requirements, and help you build a clear, actionable plan to fulfill them.
  • Remove a considerable amount of burden from your staff, allowing them to concentrate on their jobs.

HITRUST, GDPR and New York State Cybersecurity Requirements

HITRUST now incorporates both the GDPR and the New York State Cybersecurity Requirements (NYDFS) compliance frameworks. This is part of an ongoing effort to make HITRUST more open and comprehensive.

Sword & Shield is a full-service information security and compliance consulting firm. We have teams of experts who specialize in HITRUST, HIPAA, GDPR, NYDFS, NIST and other compliance frameworks, working together under one roof. This range of compliance expertise streamlines your experience, saves you time and money, and provides consistency of quality.
