In previous blog articles, we have covered HITRUST certification and compliance requirements, understanding the HITRUST certification process, and scoring HITRUST CSF controls, but one question we hear constantly is, “What is the benefit of getting HITRUST certified?” Additionally, we hear a lot of “How does a HITRUST certification differ from HIPAA compliance?” This blog will primarily cover HITRUST, but it will also include a brief overview of HIPAA vs HITRUST.
Security Concerns in Healthcare & How to Address Them
Healthcare security breaches
If you are a healthcare organization or you provide services to one, securing your infrastructure and applications is critical to the growth and reputation of your organization. This is especially important if you are a small to medium-sized organization that cannot afford even the smallest breach. According to the 2020 IBM data breach report, the average total cost of a healthcare security breach is $7.13 million – not to mention the loss of public trust, which carries significant reputational implications. A single breach could destroy your company.
That was a lot of bad news…so let’s talk about some good news: by implementing sound security controls and following industry best practices, you can significantly reduce the chance of being breached.
The Problem with Healthcare Compliance
If you are in the healthcare business, you are probably very familiar with all these regulations and frameworks: HITECH, HIPAA, NIST, PCI, FTC, ISO, COBIT, GDPR, etc. Trying to make sure you are compliant with all of them takes a lot of time and money. Let’s face it, few companies have unlimited resources, so you are probably stuck with a limited budget, time, and staff.
Some organizations are in a perpetual audit period, one compliance audit after another, and constantly filling out security request forms. Also, many of the regulations are non-prescriptive or ambiguous, as anyone who has tried to read and understand what “reasonable and appropriate” means in the HIPAA requirements can tell you.
What is the HITRUST Common Security Framework (CSF)?
According to HITRUST: The HITRUST CSF was developed to address the multitude of security, privacy, and regulatory challenges facing organizations. By including federal and state regulations, standards, and frameworks, and incorporating a risk-based approach, the HITRUST CSF helps organizations address these challenges through a comprehensive and flexible framework of prescriptive and scalable security controls and privacy controls.
The HITRUST CSF:
- Includes, harmonizes, and cross-references existing, globally recognized standards, regulations, and business requirements, including ISO, EU GDPR, NIST, PCI (and HIPAA)
- Scales controls according to type, size, and complexity of an organization
- Provides prescriptive requirements to ensure clarity
- Follows a risk-based approach offering multiple levels of implementation requirements determined by specific risk thresholds
- Allows for the adoption of alternate controls when necessary
- Evolves according to user input and changing conditions in the standards and regulatory environment on an annual basis
- Provides a unified approach for managing data protection compliance
Basically, the HITRUST CSF helps reduce complexity, risk, and cost while increasing the security posture of the organization.
The Top 4 Benefits of HITRUST Certification
So what are the benefits of getting HITRUST certified? There are many, but I decided to break it down to the top four.
- Meet customer and client needs: This is an easy one, and the primary reason why organizations look towards HITRUST: your client asked that you get HITRUST certified or else they will leave or are not going to sign up. Pretty cut and dry. But to add to that, having a third-party validated certification shows that your organization meets or exceeds the requirements defined in the HITRUST CSF and gives your business a competitive advantage over organizations that do not have it. It’s great for marketing to be able to put the HITRUST badge on your website or publications, which can drive business your way since organizations already know you are using an industry-approved framework and meet a certain level of security.
- Reduce time dedicated to audits: While the HITRUST Certification cannot be used in lieu of certain compliance obligations – for example, PCI – it is possible some clients will waive requirements and most clients take the certification instead of requiring a specific response to all the questions on the security questionnaires. It also significantly reduces the time and cost by putting almost all the requirements from multiple regulations into one place to help identify risk and maturity. Having a central location to view and track compliance helps make sure you do not run into any issues when a secondary audit, like PCI, is required.
- Enhance Security Posture: The HITRUST certification process is much more in-depth and prescriptive than other regulations and frameworks. For example, some other regulations do not focus on system hardening, event logging, data retention, etc. or do not go to the depth that the HITRUST CSF does. The HITRUST CSF pulls from multiple places like NIST, HITECH, and HIPAA, which forces an organization to do a comprehensive review of the environment. Having eyes on more parts of the environment helps identify risks and gaps which, when fixed, increases the security posture and reduces the organization’s overall risk.
- Help an Organization Understand its Risks and Growth Opportunities: With many regulations, organizations push to do the bare minimum to pass and leave it be. They do not go back to assess growth in their organization or attempt to identify any gaps that those regulations may not cover. The HITRUST framework allows an organization to identify risks and areas for maturity and provides a tool to track progress and growth with regards to the overall security of the environment.
How Do I Get HITRUST Certified?
Linford and Co has written several blog posts on understanding the certification process and how to score CSF controls, but I wanted to add a few additional notes based on our experience helping clients get certified.
- It is not something to do on a whim; you need to dedicate time and resources in order to be successful.
- The first year is going to be difficult and time-consuming.
- The HITRUST Framework requires an organization to look at compliance against a maturity model which includes Policy, Process, Implementation, Measure, and Manage. This means for each control there are five responses required.
- It’s big… see the third point above. If you have a scope of 450 controls (average), that is 2,250 responses, with a piece of evidence that needs to be collected for each response that is scored.
- It will require changes and updates to your policies, standards, and processes (or the creation of them).
- It is not cheap… there is a cost for access to the tool, reports, and premium modules; the time and resources to implement internally; and then the third-party assessment.
What is HIPAA Compliance?
We have several blogs on HIPAA and HITRUST’s reporting process that can be referenced for further details. Therefore, in the section below, I will provide a brief overview of each to compare the two processes.
What is the Difference Between HIPAA and HITRUST? A High-Level Overview
One of the main differences between HIPAA and HITRUST is that HIPAA is a compliance audit, and an organization cannot become “HIPAA certified.” In contrast, with a HITRUST assessment, certification can be achieved if the scoped HITRUST requirements (as applicable to your organization) are met.
HIPAA provides requirements/guidelines on how organizations are to protect Protected Health Information (PHI). An organization can perform a HIPAA self-assessment to demonstrate compliance; however, having an impartial third party conduct the audit and provide a report gives your business partners much greater assurance of your compliance. During a HIPAA compliance assessment, the third-party auditor will determine if you are compliant with the HIPAA requirements set forth, generally, in the HIPAA security, breach notification, and/or privacy rules. Additional information on the rules can be found at the HHS.gov site. If gaps are identified as a result of the audit, an organization should be HIPAA compliant once they are remediated.
In contrast, HITRUST (CSF) is tailored or scoped as applicable to your particular organization (client management defines the scope). In other words, one organization’s HITRUST assessment requirements could be very different from another’s. As stated above, the HITRUST CSF is built upon and effectively aligns the requirements and controls of a significant number of standards, regulations, and business requirements (more than 35 authoritative sources are mapped into the CSF). Therefore, the number of requirements to become HITRUST certified far exceeds the number of controls required for HIPAA compliance.
To further explain, before starting a HITRUST assessment an organization must “scope” their assessment. As a part of this process, the organization will provide responses to various “risk factors” within the myCSF tool. Once completed, a set of requirements tailored to your organization (which are mapped and cross-referenced to multiple frameworks) will be selected and generated. From this point, an organization can choose to conduct a readiness assessment or a validated assessment.
The readiness assessment is designed to help evaluate how closely an organization’s control environment aligns with the HITRUST CSF; there is no certification available with a readiness assessment. In contrast, a validated assessment will result in one of two reports:
- A validated report (no certification)
- A validated report with certification
Also, an authorized HITRUST CSF external assessor organization is required to perform the validated assessment. Lastly, I will point out that starting with the 10.0 version of the CSF (released in Q4 2020), HIPAA is no longer implied; it becomes a regulatory factor in the scoping exercise and may be selected, if applicable.
I hope this article helped clarify questions you have on HITRUST overall and its benefits, as well as how the process contrasts with a HIPAA assessment.
From the information outlined, the HITRUST process may seem daunting. I am going to be honest – it can be the most painful and tedious thing you have done in a long time. It can also be a very positive, eye-opening, and smooth process if you have the right organization helping you. Getting HITRUST certified can be a heavy lift and requires expertise in the maturity model, healthcare regulations, NIST controls, policy/standards/process development, and more.
In regard to HIPAA, from the brief comparison, you can see that the HIPAA and HITRUST assessments are very different. HITRUST is generally a much more time-intensive process based on an organization’s scope, and the number of requirements can range from 200 to 500 or more (900+ in some cases)! Further, as a HITRUST Authorized CSF Assessor, Linford & Co has over 25 years of NIST control experience, in-depth knowledge of the HITRUST Framework, and healthcare experience. Since we rely on the expert model, we can answer your questions right away and the audit is focused and efficient.
If you have been asked by one of your clients for a HITRUST validated certification or for your HIPAA compliance status, reach out to Linford & Co and we can walk you through the processes and pricing of each.
Olivia Refile (CISSP, CISA, CRISC, GSEC, ISO Lead Auditor) specializes in SOC examinations for Linford & Co., LLP. She completed her Bachelor of Business Administration, with a concentration in Management Information Systems, at Temple University’s Fox School of Business in 2010. Olivia started her career in IT Risk Management in 2010, specializing in internal and external audits as well as IT security risk assessments. Following her time in risk management, Olivia moved solely into external IT Audit and is currently dedicated to performing SOC 1 and SOC 2 examinations.