The HITRUST CSF was created to provide a prescriptive, integrated and certifiable approach to securing protected health information (PHI).

In response to emerging requirements from customers within the healthcare industry, thousands of third-party service providers are now tasked with obtaining a HITRUST CSF certification. Any organization that handles PHI on behalf of their customers may now be required to certify.

Streamlining third-party assurance

Organizations with PHI have increasingly become a primary target of cybersecurity attacks – in 2016, there was a 320 percent increase in the number of PHI breaches, and those breaches affected over 9.5 million patient records (Redspin Annual Report on the State of Cybersecurity in Healthcare, Feb 2017). 

Even where organizations are not being required to become HITRUST certified by their customers, the HITRUST CSF should be considered to effectively manage cybersecurity risks.  HITRUST’s objective in creating the HITRUST CSF was two-fold:

  1. Develop a risk-based methodology to provide organizations with a customizable, prescriptive set of control requirements; and
  2. Establish a common, certifiable framework to reduce the costs and inefficiencies of existing regulatory requirements.

The HITRUST CSF contains a minimum set of control requirements that all organizations must implement. Organizations then obtain the complete, tailored set of control requirements necessary for certification based on the following categories of risk factors:

  • Organizational: size and complexity of operations
  • System: technology environment characteristics
  • Regulatory: applicable compliance requirements

As service providers face increasing requirements from their customers’ vendor risk management programs, a single compliance exercise becomes more unlikely to satisfy everyone. However, a primary advantage of the HITRUST CSF is that the framework was developed from the International Organization for Standardization’s (ISO) 27001:2005 standard, and also cross-references to several other standards (e.g., Payment Card Industry (PCI), System and Organization Controls (SOC) 2). The framework is also updated at least annually in order to address cybersecurity risks and remain aligned with industry requirements and best practices.

It’s critical that organizations connect with an approved HITRUST CSF Assessor firm early within their preparation activities in order to understand the overall process and nuances of obtaining HITRUST CSF certification, including:

  • Developing an overall certification project plan
  • Scoping your HITRUST CSF assessment
  • Understanding potential certification challenges and success factors
  • Selecting the right report deliverable