Introduction to HITRUST (Part 1 of 6)

Travis Good
November 3, 2021

The simplest way to think about HITRUST is that it is an attempt to simplify and streamline security assessments. The goal of HITRUST, a non-profit organization initially backed by large healthcare insurance companies, is to create efficiencies for both companies being assessed and for organizations assessing other companies.

The problem HITRUST is solving is the largely bespoke security review process to which organizations subject other organizations. HITRUST has also expanded out from security assessments to allow companies to use HITRUST to complete assessments for SOC 2, PCI, and GDPR. While HITRUST initially launched with a focus on healthcare and HIPAA, it has expanded into other industries and data protection regimes; healthcare remains the industry with the strongest adoption of HITRUST.

Assess Once, Report Many - HITRUST Tagline

HITRUST accomplishes this mission and tagline with its CSF, or Common Security Framework. The CSF rationalizes controls across multiple regulations and frameworks such as NIST, PCI, and HIPAA. The CSF is a meta framework for security and privacy. It can be used both for compliance, as a point in time assessment, as well as a continuous risk management tool.

Having used HITRUST extensively for over 7 years, it works mostly as intended. While there is a steep learning curve for HITRUST first timers, it is a certification that can streamline security assessments with partners and customers. The caveat is that not all organizations accept HITRUST in leu of their own security assessments.

While the foundation of HITRUST is the CSF, HITRUST does offer multiple programs for managing risk and proving compliance.

  • HITRUST Assurance Program. This is the core of HITRUST and the focus of this training course. The HITRUST Assurance Program leverages the CSF to streamline security assessments and 3rd party assessments.
  • De-identification. The De-identification Framework is both a framework and a methodology that organizations can adopt and use for their de-identification programs. With big data initiatives and analytics becoming more and more common, de-identification is a large topic when it comes protected data and this is an attempt by HITRUST to provide a mechanism for organizations to de-identify data.
  • Threat Catalogue. The Threat Catalogue is a database of threats mapped to CSF controls. It is updated along with the CSF and assists organizations in using the CSF as a risk management tool.
  • Shared Responsibility. In order to meet the needs of companies leveraging the cloud, HITRUST created this program. The tagline is Assess Once, Inherit Many. Basically, companies can inherit certain controls from their cloud providers, such as physical security controls. Inheritance is done in the CSF.
  • HITRUST Academy. The HITRUST Academy is the educational component of HITRUST, with courses focused on training security professionals to manage risk and be administrators for the CSF.

The HITRUST CSF

The HITRUST CSF (Common Security Framework) is the anchor for all HITRUST programs. It is a certifiable framework that can be used to both demonstrate compliance as well as manage risk; the difference between these functions is that risk management is an ongoing operational process and demonstrating compliance is typically a point in time validation of a data protection program.

The CSF rationalizes and maps various data protection regimes, such as PCI and HIPAA, and data protection frameworks such as NIST into one framework. By using the CSF, companies can easily show how their information security programs meets the requirements for various regimes and regulations. Assess once, report many.

At the most basic level, the CSF is a database of controls with mappings to various data protection schemes. This does not trivialize the CSF. The value in it is all of the mapping that has been done and that is kept up to date with data protection regulations as well with modern technology.

Additionally, HITRUST provides prescriptive guidance to assist companies in meeting the mapped controls. This prescriptive guidance goes beyond other frameworks and the regulations themselves.

The CSF is then divided into domains. Think of domains as categories or collections of controls or Requirements Statements.

You can download the current version of the CSF here. Pay attention to the license agreement before downloading and using the CSF.

Initially, the CSF was offered as a spreadsheet. It is now used via a web app called MyCSF. You buy a license to MyCSF or to a certain tier of assessments in the MyCSF. The CSF is then populated by users and then optionally validated by assessors and again by HITRUST the organization.

Each version of the CSF is different in terms of the specific control requirements that must be met to achieve HITRUST Certification. HITRUST updates these certification requirements based on changes to the regulatory and technical environments. Because of this, HITRUST Certification is specific to the version of the CSF that was used for the assessment. HITRUST CSF is current at CSF version 9.x.

Practically speaking, for each control, which contains a Requirement Statement and a control description, a users for the company will assess the maturity of the company against the control and add supporting statements and evidence. Having been through this multiple times, it can be a time consuming process to populate the entire CSF.

For each control in the HITRUST CSF, there are 3 different Implementation Levels. As you go up in Implementation level, the requirements for each control increase. The implementation level for each control is determined by the specific calculated risk for that organization, application, or environment. The higher the determined risk, the higher the implementation level. A large health system will have different requirements that a small digital health startup. Risk is determined by the following factors (and done automatically by the CSF):

  1. Organizational - scope and scale of the company;
  2. Regulator - regulations to which the company must comply (PCI, HITECH, etc); and
  3. System - type of data processed and accessibility (mobile, public Internet, etc).

The HITRUST CSF serves as the basis for a HITRUST assessment. It can also be used as a risk management tool on an ongoing basis. Used for risk management, it is updated regularly and identified or emerging gaps in security are documented, and ideally mitigates, as they arise.

The HITRUST CSF is a meta-framework that maps to multiple regulations and data protection regimes, providing prescriptive guidance for each control. It is the basis for HITRUST Assurance, assessments, and shared responsibility.