HITRUST and Data Regulations (Part 5 of 6)

Travis Good
December 2, 2021

One of the most daunting challenges for technology companies today is the myriad of data protection regulations. Some regulations are geographic like GDPR and CCPA. Some are industry specific like PCI and HIPAA. Some are just industry accepted frameworks like SOC 2, ISO, and NIST. Technology companies, by their nature, can easily cross both geographic and industry boundaries. The result is that many technology companies now need to comply with multiple data protection regulations. Go to any large, global technology company website and there is a good chance you'll find a page full of badges for different regulations to which the company has been audited.

HITRUST, as a meta framework that normalizes and maps to various regulations, has tried to solve this. The general idea is that you can use the CSF to be audited for other regulations and not necessarily have to complete questionnaires or spreadsheets specific to those other regulations. The prescriptive guidance that HITRUST provides goes further than the regulations in guiding companies to successfully meet various information security controls.

I've had personal experience leveraging HITRUST for HIPAA, SOC 2, and GDPR. While my use of HITRUST to attest to these other regulations and reporting frameworks did create efficiencies in the process, it is not a simple matter of completing the HITRUST CSF and then checking off the regulations you want. And there are additional auditor and assessor costs for each additional regulation and framework.

Other than HIPAA, which is fully incorporated into HITRUST, the following regulations and frameworks are the most commonly asked about in terms of HITRUST mappings.

SOC 2

SOC 2 is the most formal existing partnership for HITRUST reporting. SOC 2 has been mapped to HITRUST CSF beginning with CSF version 8. The mapping of the CSF to SOC 2 controls is here.

SOC 2 is an increasingly common information security reporting framework. More and more companies are requiring SOC 2 Type 1 and Type 2 reports from their vendors. SOC 2 is governed by the AICPA and getting a SOC 2 report requires that you work with a CPA member of AICPA.

SOC 2 is made up of controls across five Trust Services Categories. One of the categories, Security, is a part of all SOC 2 reports while the other four categories are optional. The HITRUST CSF version 9.4 is mapped to the following SOC 2 Trust Services Categories - Security, Confidentiality, Availability, and Privacy. Privacy was the last Trust Services Category mapped to the CSF and laid the groundwork for mapping the CSF to GDPR and eventually CCPA (more on both below).

Even though SOC 2 and the CSF are mapped to each other and the AICPA and HITRUST have a formal partnership, the processes for obtaining a SOC 2 report and a HITRUST Certification are different. Most companies will work with an auditing firm that has a CPA division. The first step is to do the HITRUST Certification process, then the SOC 2 engagement. The main benefit is that the CPAs doing the SOC 2 report will require much less data and evidence, as they will use the CSF for creating the SOC 2 report. If you use the same firm as your HITRUST assessor and SOC 2 auditor, you will gain additional efficiencies.

HITRUST has a SOC 2 FAQ here (it is from 2018 so slightly dated).

PCI-DSS

HITRUST, from its beginning ~20 years ago, has incorporated mappings to PCI into the CSF. PCI is similar to HIPAA in that it is an industry specific framework catering to the financial industry, specifically applying to companies that process credit/debit cards and cardholder data. Doing PCI with HITRUST is not a fully automated process. Using the mappings provided by HITRUST, companies can quickly populate the PCI self assessment questionnaire (SAQ) and work with a PCI approved auditor to create a Report on Compliance (ROC).

GDPR

GDPR was mapped to the CSF starting with CSF version 9.1 in 2018. All 99 Articles of GDPR are now mapped to the CSF. GDPR is relevant to all global technology companies, as GDPR applies to all personal data on EU citizens. Companies can leverage the HITRUST CSF to show compliance with GDPR requirements, though this typically entails additional work, hours, and costs from auditors to ultimately generate a GDPR-specific report.

The Data Protection Authorities in the EU have not established specific certification bodies for GDPR, though the process of establishing such bodies is defined in GDPR. HITRUST is working to become a certifying body, which theoretically would enable companies to use their HITRUST Certification directly for GDPR.

CCPA

CCPA was mapped in 2019 to CSF version 9.3. CCPA is similar to GDPR but covers California resident data. CCPA went into effect in 2020, so the rules are new to all companies. The CSF mapping to CCPA is also similar to the GDPR mapping in that it can be used by companies or auditors to manually verify how CCPA rules are addressed. Also similar to GDPR, CCPA prioritizes privacy over security, so many of the rules are privacy-related, such as data subject rights and requests.

NIST

The NIST Cybersecurity Framework is a widely adopted security framework. NIST is frequently used as an internal security and risk management tool. NIST was used as a basis for the original HITRUST CSF, so mappings from the CSF to NIST have been a part of the CSF for many years. Organizations can use the CSF to populate or map evidence to NIST.

Department of Defense (DoD) Cybersecurity Maturity Model (CMMC)

The DoD recently, in 2020, mandated that all contractors must certify against the DoD maturity model (CMMC). Starting in HITRUST CSF version 9.4 in 2020, the CMMC is mapped into HITRUST. Organizations that use HITRUST can leverage the CSF to score and show their CMMC maturity levels in support of work with the DoD.

----

The HITRUST CSF is mapped to many regulatory frameworks and can be used to streamline assessments and audits for multiple industries, geographies, and reporting frameworks.