HITRUST

Secure protected health information using the HITRUST CSF

Janice S. AhlstromDirector, FHIMSS, CPHIMS, CCSFP , RN, BSN

Baker Tilly’s HITRUST professionals help organizations handling personally protected health information (PHI) tap into the HITRUST CSF to secure that critical information and provide greater cybersecurity assurance.

Secure protected health information using the HITRUST CSF

In response to emerging requirements from customers, primarily from within the healthcare insurance payor industry, third-party service providers may be tasked with obtaining a HITRUST CSF certification.

Streamlining third-party assurance
Organizations with PHI have increasingly become a primary target of cybersecurity attacks – since 2017 over 16 million individual records have been reported as breached (United States Department of Health and Human Services Office for Civil Rights).

HITRUST’s objective in creating the HITRUST CSF was two-fold

Develop a risk-based methodology to provide organizations with a customizable, prescriptive set of control requirements
Establish a common, certifiable framework to reduce costs and inefficiencies.

The HITRUST CSF contains a minimum set of control requirements that organizations must implement. Organizations then obtain the complete, tailored set of control requirements necessary for certification based on the following categories of risk factors:

Organizational: size and complexity of operations
System: technology environment characteristics
Regulatory: applicable compliance requirements

As service providers face increasing requirements from their customers’ vendor risk management programs, a single compliance exercise becomes more unlikely to satisfy everyone. However, a primary advantage of the HITRUST CSF is that the framework was developed from the International Organization for Standardization’s (ISO) 27001:2005 standard, and also cross-references to several other standards (e.g., Payment Card Industry (PCI), System and Organization Controls (SOC) 2). The framework is also updated at least annually in order to address cybersecurity risks and remain aligned with industry requirements and best practices.

It’s critical that organizations connect with an approved HITRUST CSF Assessor firm early within their preparation activities in order to understand the overall process and nuances of obtaining HITRUST CSF certification, including:

Developing an overall certification project plan
Scoping your HITRUST CSF assessment
Understanding potential certification challenges and success factors
Selecting the right report deliverable

Article

They were able to explain the [HITRUST] process in a clear way to me and my IT security team. In addition, they were a great sounding board as we discussed the finer points of the process. They also led the discussion with leadership, which really provided great context to the project.

Chief Information Officer of a large corporation

Our industries

Financial Services
The financial services industry continues to diversify, but competition and more complex vendor relationships make determining business strategy more complicated.
Healthcare & Life Sciences
We deliver innovative and sustainable results through our collaborative approach across the provider, health plan and life sciences spectrum.
Higher Education
Higher education and research institutions ensure student and institutional success by balancing competing priorities and effectively aligning limited resources.
Not-for-Profit
We have a deep understanding of the issues not-for-profit organizations face, and the creativity and humanity required to thrive in your world.