Research dollars and data now come with more terms and conditions than ever before. Many of these “newer” requirements are related to previous efforts to protect the current and future value of information or data, especially when funded by the federal government. Unfortunately, grants, contracts and cooperative agreements contain so many disparate research security requirements and terms that it can be difficult to determine what is most important for your institution to address.
To effectively address these requirements, stakeholders from across the institution must work together, as this is not simply an administrative, technology or cybersecurity problem. The latest developments regarding research security requirements, including National Security Presidential Memo 33 (NSPM-33), Controlled Unclassified Information (CUI), Export Controls, and Cybersecurity Maturity Model Certification (CMMC), all involve implementing a variety of people, process and technology controls.
As such, higher education and research institutions are looking for new and effective ways to navigate these research security requirements within their complex, distributed and diverse environments.
The HITRUST CSF provides coverage across multiple industry-specific standards and includes significant components from other well-respected information technology (IT) security standards bodies and governance sources, such as the National Institute of Standards and Technology (NIST) and International Organization for Standardization (ISO) 27001. HITRUST contains a minimum set of control requirements that organizations must implement. Institutions then obtain the complete, tailored set of control requirements (controls) necessary for certification based on certain categories of risk factors such as organizational, system, geographical and regulatory risks. This allows an institution to address different research data security requirements within one framework.
HITRUST offers multiple assessment types that can be utilized to satisfy contractual requirements, internal control environment requirements and due diligence with regulatory authorities and other external stakeholders.
HITRUST is widely adopted in the healthcare industry, but with HITRUST’s continued expansion of the authoritative sources included within the CSF and the release of new threat-adaptive assessment options, the door has opened to other industries. Now, higher education and research institutions that traditionally may not have considered HITRUST as an option are shifting to leverage HITRUST as threats to sensitive data (e.g., electronic protected health information (ePHI), intellectual data) continue to rise.
Assessment types are not ‘one size fits all,’ but HITRUST has expanded its assessment portfolio to address the varying needs of different institutions:
The diagram below highlights the available assessment options and maps the level of assurance conveyed against the level of effort required to achieve it.
Certain higher education and research institutions are taking steps to move towards the HITRUST framework. Earlier in 2022, the Regulated Research Community of Practice (RRCoP) began building a professional network to aid with developing an affordable yet effective cybersecurity and compliance program for use by higher education and research institutions. Some of these organizations have chosen HITRUST as their guiding program to help provide reliable assurances to their stakeholders and we expect more to follow.
HITRUST is one of the RRCoP’s collaborating partners for data security and government regulations. The RRCoP has opted to partner with HITRUST because its updated assessment options have opened a door for these institutions to follow a rigorous yet manageable framework. “HITRUST’s ‘assess once, report many’ approach aligns well to the RRCoP’s mission to help academic organizations navigate a complex regulatory landscape,” said Michael Parisi, vice president of adoption at HITRUST. “The HITRUST approach is about managing risk as efficiently and effectively as possible, which enables these entities to do a single assessment to meet the assurance requirements of various stakeholders.”
For more information on this topic, or to learn how Baker Tilly Value Architects™ can help your higher education and research institution explore HITRUST, contact our team.
Footnote: Baker Tilly has been a HITRUST Assessor Firm since 2016 and sits on the External Assessor Council.