For those working in the healthcare industry, it is not uncommon to hear the often-unsubstantiated claim from a potential vendor or business partner that they are HIPAA-compliant. That claim is difficult to validate because there is no official HIPAA accreditation agency that determines whether an organization is or is not in compliance; instead, an organization may be found retrospectively to be out of compliance and penalized accordingly. Such a process does not help organizations that want to demonstrate to potential partners their commitment to protecting PHI (protected health information). The Health Information Trust, or HITRUST, organization is a private non-profit that sought to fill that gap in the healthcare industry by developing the CSF, or Common Security Framework. This framework not only provides a comprehensive assessment of security and data protection controls, it is also a powerful tool that crosswalks various regulatory requirements such as NIST and HIPAA. With the CSF, organizations put the pertinent controls into place and produce documentation to defend their assertion that each control is in place.

The CSF provides three degrees of assurance that procedures are in place. The first, self-assessment, involves the organization essentially using the CSF as an internal tool to guide security and compliance efforts. It results in a self-assessment report that can be used as an internal guide to security improvement. Building on that first step is the second degree of assurance – the CSF validated level. At this level, a HITRUST-accredited third-party assessor comes onsite and validates the self-assessment. Finally, the CSF certified level involves the HITRUST organization’s auditors validating the assessor’s assertions. At this stage, there may be a back-and-forth between the parties involved while HITRUST’s auditors determine the veracity of the claims made by the third-party assessor. This level can take an extended period of time; nevertheless, for many organizations, it is the primary aim of comparing one’s current state to the CSF. A CSF certification is good for two years.

To assist organizations in better controlling their data protection efforts, HITRUST has organized its requirements into nineteen different domains. While this may seem daunting to some, it is designed to help organizations narrow down specific areas of improvement and to concentrate their efforts on remediating those concerns. These domains are:

  • Information Protection Program
  • Mobile Device Security
  • Endpoint Protection
  • Wireless Protection
  • Portable Media Security
  • Password Management
  • Transmission Management
  • Configuration Management
  • Network Protection
  • Vulnerability Management
  • Data Protection and Privacy
  • Risk Management
  • Third Party Security
  • Access Control
  • Incident Management
  • Education, Training and Awareness
  • Assessment Logging and Monitoring
  • Business Continuity and Data Recovery
  • Physical and Environmental Security

The CSF measures controls using a five-level scale. Does the organization have a policy that demonstrates that it knows what it needs to do? Then, does it have a process that shows that it knows how to operationalize the policy? Have the policy and process been implemented? Finally, the last two levels are measured and managed: does the organization measure the effectiveness of the first three items, and does it remediate defects discovered as measurement occurs? During the assessment, the organization is required to put corrective action plans into place for areas that have a deficient score (based on the scoring using the five levels previously described).

HITRUST certification is considered a time- and cost-intensive process that provides organizations with a framework to demonstrate compliance across regulatory frameworks and to affirmatively show a strong commitment to data protection. Organizations seeking certification must be prepared to invest the time and resources to successfully complete the project. It can, however, result in a market-differentiating designation for an organization.

Categories: Healthcare IT
