
Introduction to HITRUST

By CyberData Pros
March 08, 2024

When getting a start in the cybersecurity/data privacy space it’s completely normal to be intimidated by the sheer number of rules and regulations to learn about and abide by; it’d be stranger if you weren’t! Once you get acclimated to them in general, though, I’ve found that there’s a certain assurance granted by definite criteria that one can meet to be deemed “secure”. That leads to a tipping point where a lack of explicit requirements or rules in a regulation creates enough uncertainty to cause anxiety of its own. HIPAA compliance is a frequent example. If you’re unfamiliar, HIPAA is the Health Insurance Portability and Accountability Act of 1996, which sets standards in the US for legally handling PHI (Protected Health Information). Don’t get me wrong, the act lays out plenty of rules, but as far as data security and privacy requirements go it gets somewhat vague. Organizations handling PHI are required to have reasonable data security and privacy measures in place, but what exactly is “reasonable” in this context? Of course we always want to do our best to protect data, but realistically there are limits to which controls are affordable and necessary for a given business. Then again, HIPAA non-compliance penalties are far too expensive to risk, especially as businesses scale in system size and complexity. Wouldn’t it be nice if there were some definite guidelines to measure against?


Providing these guidelines is much of the purpose behind HITRUST’s CSF. HITRUST stands for the Health Information Trust Alliance, a group in which healthcare and IT professionals collaborate to better organize and define compliance with HIPAA and other related standards. They’re well known for their CSF (Common Security Framework), a framework of combined controls from HIPAA, ISO, NIST, PCI, GDPR and others that aims to provide comprehensive and scalable security and privacy coverage, and which is by and large considered to meet HIPAA’s “reasonable” bar if that’s your concern. Organizations can demonstrate this alignment by getting certified against the framework at various assessment levels, which can be of massive benefit both in building out your organization’s security/privacy posture and in proving your compliance to interested customers, partners, or regulatory agencies. As nice as this sounds, however, meeting these standards can be a significant undertaking, and there are a few different routes to approaching it, so it’s wise to take a moment to look at some of the considerations in a little more depth.


First, it’s worth considering which type of assessment and certification you’d like to pursue with HITRUST, as there are multiple options available:


HITRUST Essentials

The first and most approachable assessment is the (relatively new) HITRUST Essentials 1-Year (or e1) assessment, which aims to provide an entry-level assessment proving that basic cybersecurity and privacy practices are in place in the organization. The requirement list is small compared to the other assessments at 44 controls, and those requirements often have a low impact on existing company policy and practice, making it a great option for smaller organizations that border on the healthcare space without holding or processing much sensitive information.


HITRUST Implemented

Past the essentials of e1 is the HITRUST Implemented 1-Year (i1) assessment, which represents the “standard” HITRUST certification process. It’s of moderate complexity, possessing around 182 controls that cover a much broader range of practices, and it’s at this level that you can be assured of tight alignment with HIPAA’s security requirements (as well as a good way toward compliance with other major security standards). A benefit of this assessment over e1 is that you may rapidly re-certify in year 2 of HITRUST audits, being audited against only ~60 controls rather than the full listing. This makes it a strong option for mid to large sized organizations concerned with HIPAA compliance and wishing to maintain it thoroughly on a long-term basis.


HITRUST Risk-Based

At the high end of assessments is the HITRUST Risk-based 2-Year (r2) assessment, which expands on the strong foundation of i1 to build increased coverage against specific standards or risks. This assessment encompasses the full range of HITRUST controls and takes 2 full years of practicing them to become certified: around 375 controls in the year 1 audit, and around 40 in a mid-term interim assessment. You can expect this process to be relatively intensive on your information security posture and resources, but it will, above all other assessments, guarantee the highest level of assurance against non-compliance with HIPAA and many related standards. This option might be best for large organizations or those that require highly mature controls to manage exceptionally sensitive information and assets.


It’s worth considering with some care which assessment type fits your organization best. The decision can be borderline for some organizations, and the major factors to consider will be your organization’s size, your information/privacy posture objectives, and your general exposure to and responsibility for healthcare data. In some cases it may make sense to begin with a lower scope such as e1 and work your way up, and in others it may be sensible to make a major effort to become strongly certified as soon as possible; the decision is yours.

Once that decision is made, the assessment process itself follows a similar general path that varies somewhat depending on the assessment type pursued. It begins with scoping out the systems relevant to HITRUST and the assessment type desired, and moves on to conducting a gap self-assessment via the MyCSF portal or with consultant assistance to help determine any areas where your organization falls short of the chosen standard. Once the gaps are filled you will be audited by a HITRUST-approved external assessor, who will review your organization’s compliance against the standard and provide a report on which the certification decision is based. Upon passing the initial audit you may receive certification, though for i1 or r2 assessments you will require a follow-up confirmation assessment the following year. Finally, certifications generally last 2 years before requiring a re-audit, so it’s worth maintaining the controls you put in place to pass and building upon them as you can!


With that, the basics of HITRUST are covered, and you should be ready to start asking the big questions about how it fits your organization. If you find yourself with additional questions or are looking for help with scoping, please feel free to contact us! We can help you scope out a project fitted to your organization and perform gap assessments to get you where you need to be. And remember, as uncertain as these rules and standards may seem now, some exposure and legwork can turn them into a source of assurance for you and your customers.