WOLF & CO Insights

How a vCISO Can Help Your HITRUST Efforts

As healthcare providers and business associates (BAs) move to newer technologies and outsourced data models to house and transmit electronic Protected Health Information (ePHI), both the regulatory compliance landscape and the protection of ePHI become far more complex. With the proliferation of ePHI across the enterprise and no sound security framework protecting the cloud, it can be nearly impossible to comply with administrative, technical, and physical safeguards in the HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164).

Healthcare organizations that house or transmit ePHI should adopt a prescriptive common data security framework that acts as an overall governance model, such as HITRUST. This gives the business a clear and concise path to baseline adherence to the HIPAA Security Rule, and can move the entire organization to a stronger overall security posture.

But how do you go about creating and implementing the right controls? How do you know whether the path you’ve chosen is the best one? Usually, a company can rely on its Chief Information Security Officer (CISO) to guide the organization toward optimized security. For businesses that don’t have a designated security official, a virtual CISO (vCISO) can be a great option for strengthening cybersecurity and helping the organization reliably adhere to the HITRUST CSF.

HITRUST CSF was created by healthcare IT security professionals to ensure information security controls become a core tenet of the technology environment protecting healthcare organizations. The HITRUST CSF is based on ISO 27001, but also adds other authoritative sources such as NIST, PCI, and COBIT, and can be used by healthcare organizations to meet a diverse set of regulatory requirements. The prescriptive nature of the HITRUST CSF gives healthcare organizations the requirements and best practices needed to implement a true healthcare IT security governance framework throughout the enterprise.

With a vCISO, you get top advisors with great depth of experience in the field, at a lower cost. A vCISO can help you define and implement your strategic plan, while giving you the ability as the client to control the cost. In addition, our vCISOs are HITRUST Certified, which makes them uniquely qualified to help you with your HITRUST certification.

As adherence to the HITRUST CSF gains traction, the industry as a whole becomes able to “speak the same language.” With providers, insurers, pharmacies, and health IT organizations following a common framework, the task of vendor management becomes considerably less burdensome and complex. Because the HITRUST CSF is validated by a third-party HITRUST assessor, producing multiple costly assurance reports is no longer necessary.

The HITRUST CSF provides a flexible, scalable, and unified approach to meeting HIPAA Security Rule requirements through prescriptive controls. Through the CSF, providers and business associates receive a trusted benchmark created by industry experts to meet the unique challenges of healthcare security.

The HITRUST readiness assessment is an extremely thorough review that can highlight a number of gaps in your current controls, including gaps in policies and procedures, patch management, access control, third-party risk, security awareness training, and business continuity planning (BCP). Creating a remediation plan can be overwhelming. The key to remediation and implementation is having a designated security official to drive the process. However, many organizations don’t have a designated security official to guide the effort, leading to delays.

In our experience, after completing the readiness assessment, a majority of clients have significant gaps around policies and procedures. Given the 19 domains required by HITRUST, ensuring that all of your policies and procedures are in place and implemented is critical. We’ve developed a proven and repeatable model for this process that can identify your deficiencies and quickly remediate them.

Our vCISOs manage cybersecurity risk, identify exposures, and prioritize activities to continually optimize the program and align it with your business needs. We manage and mature your program until you’re HITRUST Certified. Once certification is obtained, we remain part of your management team, helping you navigate the remainder of your HITRUST challenges and addressing additional security needs.