Many healthcare providers (such as large integrated health networks, community hospitals, specialized mental health providers, substance abuse facilities, and other covered entities) still struggle with how to use the HITRUST CSF, especially when it comes to certification. Many wonder if providers need to be certified at all, and question if they’d benefit from switching their current Health Insurance Portability and Accountability Act (HIPAA) compliance efforts to the HITRUST CSF. We’ll discuss how providers can leverage the HITRUST CSF to satisfy HIPAA requirements and solidify their security posture.
HIPAA Compliance & HITRUST CSF
The HIPAA Security and Privacy Rule is a federal regulation that requires all entities that house electronic protected health information (ePHI) to enact reasonable measures to protect the security and privacy of patient records. HIPAA isn’t a security or privacy framework; rather, providers must choose a framework that will help them comply with HIPAA.
HIPAA is extremely vague and lacks detailed illustrative procedural guidance on how to comply. Many providers have chosen the National Institute of Standards and Technology (NIST) as their overarching security framework to evidence HIPAA compliance. Many also follow the full NIST 800-53 Framework or the NIST Cybersecurity Framework (CSF) to implement an organization-wide security framework to show HIPAA compliance and improve their overall security posture. It’s important to note that the Office of Civil Rights (OCR) doesn’t mandate which framework a provider must use to show compliance. Many providers that have used NIST for HIPAA compliance but are looking to increase their level of security control maturity are starting to ask, what’s next?
The HITRUST CSF is a much more prescriptive and measurable security framework than NIST. The HITRUST CSF spans 19 domains and is based on International Organization for Standardization (ISO) 27001. It also incorporates controls from NIST, Payment Card Industry Data Security Standards (PCI DSS), the Center for Internet Security Critical Security Controls (CIS CSC) Framework, and other authoritative sources. The prescriptive nature of the framework is valuable to providers, as it gives more granular guidance on what specific security controls should be implemented to show HIPAA compliance and take the next step towards enhancing overall security.
To gain perspective, in a typical HIPAA/NIST security risk analysis audit, there are 70-90 individual controls in scope. In comparison, a typical HITRUST audit has 400-600 controls in scope based on a provider’s organizational, system, and regulatory factors. Transitioning to HITRUST is a considerable effort that requires organization-wide and executive buy-in, and many providers are questioning whether to immediately seek HITRUST certification, or to create a risk-based multi-year plan to methodically move the organization towards HITRUST adoption.
Certification Vs. Adoption
For many providers, HITRUST certification shouldn’t be the short term goal. Since regulatory bodies don’t require providers choose a specific security framework, the pressure of certification is much different than if a provider requires (through contractual language) a business associate that houses ePHI to become HITRUST certified.
And since many providers have hundreds of applications that house ePHI, HITRUST certification can be expensive. The reality of scoping hundreds of applications into a HITRUST audit (with many applications having ad hoc controls) can create an overwhelming audit scope. This could also cause a large amount of policy, procedural, and implemented gaps, and creating a corrective action plan to remediate those gaps may not be practical for many providers.
The appropriate path for most providers is to create a multi-year plan for HITRUST adoption, and to first start with a manageable scope and increase it over time. Many providers choose their certified electronic health record (EHR) system first, and then increase the scope as they become familiar with both the HITRUST CSF and its governance risk management and compliance (GRC) tool, MyCSF.
Working with a HITRUST Assessor that has experience with providers is key to successful HITRUST implementation. Providers want a partner throughout the process that can provide guidance on the overall plan and perform independent audits to validate progress as they move towards HITRUST compliance. Moving a security framework to HITRUST can be daunting. However, it’s a necessary step for providers looking to implement a more nuanced, calculated framework that specifically addresses the challenges unique to healthcare security.