In the last HITRUST 101 post, we examined the scoring methodology for a HITRUST assessment. In this post, we will go back to basics and take a deep dive into the why of HITRUST and determine if it is something that your organization should pursue.
The History of HITRUST
HITRUST was created over 10 years ago as a solution to healthcare’s major security problem: increasing demands for security without a cohesive set of controls or a way to measure them. As the security landscape has changed, there has been a sharp increase in the need for a consistent approach to healthcare information protection. This approach also needed to comprehensively capture the growing and changing regulations in the industry. Finally, healthcare organizations have needed to find ways to reduce their own liabilities and risk.
HITRUST was created to address these challenges in a flexible and scalable system. The Common Security Framework (CSF) aggregates existing healthcare controls and combines risk and compliance models into one system. Additionally, the CSF has developed a defined system for evaluating compliance and information security program maturity.
HITRUST Has Its Benefits…
The HITRUST CSF was created with both healthcare providers and healthcare vendors in mind. For healthcare organizations and providers, it works to aggregate multiple security frameworks into one system. By drawing on principles from across the board, including ISO 27002, COBIT, NIST, PCI, and the State of Texas Health and Safety Code, the CSF incorporates multiple security models into one system. Organizations can use this single benchmark to assess the security of vendors across the board. This, in turn, promotes trust and transparency between healthcare organizations and their business partners.
While HITRUST considerably streamlines the vendor management process for healthcare organizations, it has many benefits for the vendors and business partners as well. The CSF provides a prescriptive approach for vendors, so they know what controls they need to implement to pass vendor assessments. The HITRUST CSF has earned consensus across many major healthcare providers and organizations, so vendors and business associates can use the ‘assess once, report many’ approach instead of filling out separate vendor inquiries for each client. Finally, the HITRUST CSF reduces risk and liability and incorporates legal requirements from HIPAA into the assessments. In addition to these high-level benefits, performing a HITRUST assessment and pursuing certification can lead to a significant increase in information security program maturity.
Do I Need to Become HITRUST Certified?
This is probably the part of the article that you’re really here for: does your organization need a HITRUST certification? The short answer is that it depends. We typically see organizations fall into one of two categories:
1. Your organization has received a notice from a current or future client that you must become HITRUST certified to maintain or obtain business operations.
2. You are exploring HITRUST to bolster sales and marketing objectives or to alleviate the need to fill out multiple vendor management assessments.
If you find yourself in the first group, you almost certainly will have to perform a HITRUST assessment…if you have PHI or other sensitive health information in your environment. There are a small number of organizations that will receive notices from their major clients requiring a HITRUST certification that don’t touch PHI at all. For some of these certifications, FRSecure has been able to successfully negotiate more appropriate assessments.
If your organization is pursuing HITRUST on its own for sales and vendor management purposes, and your organization deals with PHI or other sensitive health information, a HITRUST certification can be an excellent business tool to have. However, if you have no sensitive information at all in your environment, and no defined business need, HITRUST is likely not the best fit for your organization.
If you have determined that you will need to undergo a HITRUST assessment, or if you are still unsure of your next steps, FRSecure can help! Contact us today for help in choosing the right direction and for getting started with your assessment.