Secure protected health information using the HITRUST CSF

Baker Tilly’s HITRUST professionals help organizations that handle protected health information (PHI) tap into the HITRUST CSF to secure that critical information and provide greater cybersecurity assurance.

    In response to emerging requirements from customers, primarily from within the healthcare insurance payor industry, third-party service providers may be tasked with obtaining a HITRUST CSF certification.

    Streamlining third-party assurance

    Organizations with PHI have increasingly become a primary target of cybersecurity attacks – since 2017 over 16 million individual records have been reported as breached (United States Department of Health and Human Services Office for Civil Rights).

    HITRUST’s objective in creating the HITRUST CSF was two-fold:

    1. Develop a risk-based methodology to provide organizations with a customizable, prescriptive set of control requirements.
    2. Establish a common, certifiable framework to reduce costs and inefficiencies.

    The HITRUST CSF contains a minimum set of control requirements that organizations must implement. Organizations then obtain the complete, tailored set of control requirements necessary for certification based on the following categories of risk factors:

    • Organizational: size and complexity of operations
    • System: technology environment characteristics
    • Regulatory: applicable compliance requirements

    As service providers face increasing requirements from their customers’ vendor risk management programs, a single compliance exercise becomes less likely to satisfy everyone. However, a primary advantage of the HITRUST CSF is that the framework was developed from the International Organization for Standardization’s (ISO) 27001:2005 standard and also cross-references several other standards (e.g., Payment Card Industry (PCI), System and Organization Controls (SOC) 2). The framework is also updated at least annually to address cybersecurity risks and remain aligned with industry requirements and best practices.

    It’s critical that organizations connect with an approved HITRUST CSF Assessor firm early in their preparation activities to understand the overall process and nuances of obtaining HITRUST CSF certification, including:

    • Developing an overall certification project plan
    • Scoping your HITRUST CSF assessment
    • Understanding potential certification challenges and success factors
    • Selecting the right report deliverable

    “They were able to explain the [HITRUST] process in a clear way to me and my IT security team. In addition, they were a great sounding board as we discussed the finer points of the process. They also led the discussion with leadership, which really provided great context to the project.”
    Chief Information Officer of a large corporation