“What is HITRUST?” is typically the first question asked of Linford by organizations exploring HITRUST for the first time. Formerly, HITRUST stood for Health Information Trust Alliance but recently it rebranded to simply HITRUST to align with changes to the “framework” making it industry agnostic (more below).
HITRUST is an organization and a security framework. HITRUST the organization is a nonprofit organization originally created in 2007, based in Frisco, Texas. Its goal is to help companies effectively manage and certify compliance with information security controls, and consolidate compliance reporting requirements. The organization is responsible for the creation and maintenance of the Common Security Framework (CSF).
What is the HITRUST Common Security Framework (CSF)?
The HITRUST CSF was initially developed for organizations working in the healthcare industry, which often found the vagueness of the HIPAA Security Rule difficult to understand and properly implement. This often left healthcare payers and providers without an adequate way to assess the security posture of their IT vendors and the effectiveness of the controls in place to safeguard protected information.
The goal of the HITRUST CSF is to harmonize compliance requirements and provide specific details regarding how controls are implemented. The CSF is a proprietary risk and control framework that is updated on an annual basis and is currently in version 9.4. The framework is made to be scalable for organizations based on the entity type and volume of data/transactions. The framework also allows organizations to incorporate controls to meet requirements from other regulatory and security frameworks (PCI, COBIT, CMMC, ISO, etc.).
How is the HITRUST Framework Structured?
The HITRUST CSF is broken out into 19 different “domains,” which are aligned with common IT process areas.
| Domains 01–07 | Domains 08–14 | Domains 15–19 |
| --- | --- | --- |
| 01 Information Protection Program | 08 Network Protection | 15 Incident Management |
| 02 Endpoint Protection | 09 Transmission Protection | 16 Business Continuity & Disaster Recovery |
| 03 Portable Media Security | 10 Password Management | 17 Risk Management |
| 04 Mobile Device Security | 11 Access Control | 18 Physical & Environmental Security |
| 05 Wireless Security | 12 Audit Logging & Monitoring | 19 Data Protection & Privacy |
| 06 Configuration Management | 13 Education, Training, and Awareness | |
| 07 Vulnerability Management | 14 Third-Party Assurance | |
These 19 domains are broken into 135 security controls and 14 privacy controls; a control can map back to multiple domains. Controls are then broken down into control requirements. It is important to note that organizations can only certify against the HITRUST Security Assessment (vs. the Comprehensive Assessment and the Privacy Assessment), and only 75 controls are in scope for the baseline security assessment.
For organizations that elect to conduct comprehensive security and privacy examinations, if they achieve certification, the certification only covers the 75 required security controls. The remaining 60 controls are optional and are only included in Comprehensive Assessments. Privacy is currently not certifiable by HITRUST. For this reason, Linford encourages our clients to focus their certification efforts on the baseline security assessment.
The number of controls included in an organization’s assessment is driven by “scoping factors.” Each organization must scope the object of its HITRUST assessment. Scoping consists of answering a variety of questions that are used to determine how many controls are in scope for the assessment. The largest driving factor in scope is the number of sensitive records maintained by the organization. For healthcare organizations, this is defined as the number of breach notification letters that would need to be sent in the event of a catastrophic breach (not discrete pieces of data). As a rough estimate, we see the number of control requirements scale roughly as follows:
- Under 10 Million Records: Assessment size of ~300 control requirements,
- Between 10 to 60 Million Records: Assessment size of ~375+ control requirements,
- Over 60 Million Records: Assessment size of ~450+ requirements.
Here is an example of how the framework is structured:
- Domain: 08 Network Protection
- Control Family: 01.o Network Routing Control
- Requirement Statement: Routing controls are implemented through security gateways (e.g., firewalls) used between internal and external networks (e.g., the Internet and 3rd party networks).
How Do Organizations Achieve HITRUST Certification?
To achieve HITRUST certification, organizations must achieve a passing score in each of the 19 HITRUST domains. Each control requirement is scored and evaluated against five different “Maturity Levels” based on the degree to which the control is implemented.
- Policy: Are there policies in place that directly address the requirements of the controls?
- Procedure: Formal documentation for non-automated controls which outlines the who, what, when, where, and how of a process. For example, if you conduct a risk assessment, is there a procedure that defines how the risk assessment is conducted in addition to a policy that simply states one will be performed.
- Implementation: Are all elements of the requirement statement implemented?
- Measured and Managed: The last two maturity levels are highly interrelated and are akin to continuous monitoring. There is an extensive evidence and documentation threshold for the measured and managed maturity levels. As a result, they are typically not included by organizations in their HITRUST assessments as they are not needed to achieve certification.
Each control requirement is evaluated against the maturity levels to determine its score. The score for each maturity level is based on the degree of implementation and the weighting of that maturity level. The policy, procedure, and implementation maturity levels are weighted at 15%, 20%, and 40% respectively, meaning organizations can obtain 75 out of 100 points from these three levels alone, which is more than enough to achieve certification. The measured and managed maturity levels are weighted at 10% and 15% respectively.
Note: Organizations seeking certification can obtain passing scores only by evaluating their in-scope requirements against the policy, procedure, and implementation maturity levels. There is no requirement to pursue scores for the Measured and Managed areas.
As such, Linford recommends organizations new to HITRUST avoid evaluating the measured and managed maturity levels. Each requirement can achieve a score of 0 to 100% for each maturity level based on the degree to which the control is implemented. HITRUST defines the degree of implementation as follows:
| Compliance level | Score | Definition |
| --- | --- | --- |
| Non-Compliant (NC) | 0% | Very few, if any, of the elements in the requirement statement exist for the maturity level evaluated (policy, procedure, implemented, measured, or managed). |
| Somewhat Compliant (SC) | 25% | Some of the elements in the requirement statement exist for the maturity level evaluated (policy, procedure, implemented, measured, or managed). |
| Partially Compliant (PC) | 50% | About half of the elements in the requirement statement exist for the maturity level evaluated (policy, procedure, implemented, measured, or managed). |
| Mostly Compliant (MC) | 75% | Many but not all of the elements in the requirement statement exist for the maturity level evaluated (policy, procedure, implemented, measured, or managed). |
| Fully Compliant (FC) | 100% | Most if not all of the elements in the requirement statement exist for the maturity level evaluated (policy, procedure, implemented, measured, or managed). |
The key takeaway is that the score for each domain is a large weighted average over its control requirements and their associated maturity levels. For specific details on HITRUST scoring, please see How to Score HITRUST CSF Controls.
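The following is an added worked example of the scoring arithmetic described above; it is not code from Linford or HITRUST. It implements the maturity-level weights (policy 15%, procedure 20%, implementation 40%, measured 10%, managed 15%) and the five compliance levels (NC/SC/PC/MC/FC = 0/25/50/75/100%) exactly as the article states them, shows that rating only policy, procedure and implementation as Fully Compliant yields 75 points, and reports where points are lost. The domain-level roll-up as a plain mean of requirement scores and the sample ratings in `SAMPLE_DOMAIN_08` are assumptions constructed for illustration only; HITRUST’s own aggregation within myCSF may differ.

```python
"""Worked HITRUST CSF requirement/domain scoring (added example, not HITRUST's code).

Weights and compliance levels are those stated in the article. The domain
roll-up as a simple mean is an ASSUMPTION for illustration, and the sample
ratings below are CONSTRUCTED, not real assessment data.
"""
from __future__ import annotations

# Maturity-level weights in points out of 100 (from the article).
MATURITY_WEIGHTS: dict[str, int] = {
    "policy": 15,
    "procedure": 20,
    "implementation": 40,
    "measured": 10,
    "managed": 15,
}

# Degree-of-implementation scale per maturity level (from the article).
COMPLIANCE_LEVELS: dict[str, int] = {"NC": 0, "SC": 25, "PC": 50, "MC": 75, "FC": 100}


def requirement_score(ratings: dict[str, str]) -> float:
    """Weighted score (0-100) for one control requirement.

    `ratings` maps a maturity level to a compliance code (NC/SC/PC/MC/FC).
    Maturity levels that are not rated, typically measured and managed,
    contribute zero points, which is what happens when an organization
    chooses not to evaluate them.
    """
    score = 0.0
    for level, weight in MATURITY_WEIGHTS.items():
        code = ratings.get(level, "NC")
        if code not in COMPLIANCE_LEVELS:
            raise ValueError(f"unknown compliance level {code!r} for {level}")
        score += weight * COMPLIANCE_LEVELS[code] / 100
    return score


def points_lost(ratings: dict[str, str]) -> dict[str, float]:
    """Points forfeited at each *rated* maturity level, for gap remediation."""
    lost = {}
    for level, code in ratings.items():
        if level not in MATURITY_WEIGHTS:
            raise ValueError(f"unknown maturity level {level!r}")
        weight = MATURITY_WEIGHTS[level]
        lost[level] = weight - weight * COMPLIANCE_LEVELS[code] / 100
    return lost


def max_without_measured_managed() -> float:
    """Ceiling reachable by rating only policy, procedure and implementation."""
    return requirement_score({"policy": "FC", "procedure": "FC", "implementation": "FC"})


def domain_score(requirements: dict[str, dict[str, str]]) -> float:
    """ASSUMED roll-up: mean of the requirement scores in a domain."""
    if not requirements:
        raise ValueError("domain has no requirements")
    return sum(requirement_score(r) for r in requirements.values()) / len(requirements)


# CONSTRUCTED sample: a small slice of domain 08 Network Protection. The first
# key uses the requirement named in the article; the other two are hypothetical.
SAMPLE_DOMAIN_08: dict[str, dict[str, str]] = {
    "01.o routing controls via security gateways": {
        "policy": "FC", "procedure": "FC", "implementation": "FC",
    },
    "hypothetical requirement A": {"policy": "FC", "procedure": "MC", "implementation": "PC"},
    "hypothetical requirement B": {"policy": "MC", "procedure": "NC", "implementation": "SC"},
}

if __name__ == "__main__":
    print(f"P/P/I ceiling: {max_without_measured_managed():.2f}")
    for name, ratings in SAMPLE_DOMAIN_08.items():
        print(f"{name}: {requirement_score(ratings):.2f} lost={points_lost(ratings)}")
    print(f"domain 08 (assumed mean): {domain_score(SAMPLE_DOMAIN_08):.2f}")
```

Running it shows the 75-point ceiling the article mentions and makes the remediation priority explicit: for hypothetical requirement B, the missing procedure costs 20 points and the weak implementation 30, so a policy touch-up alone would barely move the score.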
HITRUST CSF Assessments
There are multiple types of assessment that organizations can elect to perform against the HITRUST CSF. As noted above, HITRUST certification only includes the control requirements in scope for the 75 key controls required for certification.
- Self Assessment: This type of assessment allows the organization to obtain access to the HITRUST CSF via the myCSF tool. Organizations can scope their assessment, and conduct gap assessments against the framework. It is highly recommended that organizations work with a HITRUST assessor firm to conduct the self-assessment to ensure control requirements are appropriately interpreted and evaluated. This provides a stepping stone to a validated assessment and ensures controls are properly designed prior to seeking CSF validation. Organizations that complete a self-assessment are not HITRUST certified.
- Validated Assessments: A validated assessment must be successfully completed to achieve HITRUST certification. Organizations are required to use an authorized HITRUST assessor firm to conduct the assessment. Unlike a self-assessment, remediation is not allowed during a validated assessment.
To conduct a HITRUST assessment, organizations must purchase access to the HITRUST framework from HITRUST. There are various pricing packages and it is recommended that organizations communicate directly with HITRUST to obtain the latest pricing.
How the HITRUST CSF Compares to Other Security Frameworks
When comparing HITRUST to other security frameworks, it is easy to see the similarities and differences. At the end of the day, HITRUST is a certifiable framework, unlike HIPAA, which is a regulation. The HITRUST CSF is foundationally built on ISO 27001. If properly implemented, the baseline security assessment is considered to address all HIPAA Security Rule requirements.
One of the main differences between HITRUST and other security frameworks is the focus on security governance activities. This is achieved on multiple levels.
The first method requires organizations to have current and approved policies and procedures that address the HITRUST requirement specifications. These requirements go beyond simply stating that an organization encrypts data; they require the organization to specify how data is encrypted at rest across all types of IT media and in transit.
The second way this is achieved is through numerous review controls that many consider routine IT operations activities. For example, most information security frameworks, including HITRUST, require organizations to deploy firewalls or similar protections to restrict inbound traffic to their networks.
In addition, HITRUST also requires that a review of firewall rules is performed and documented at least annually.
Recent Changes to HITRUST CSF Framework
As of June 2020, HITRUST CSF v9.4 is the current version of the CSF. As a whole, there have not been any material changes from v9.2 to v9.3; the main focus has been on updating the control language. The transition from v9.2 to v9.3 brought a shift in focus away from the healthcare sector (for example, “PHI” [Protected Health Information] was replaced with “PII” [Personally Identifiable Information] in many controls). The transition from v9.3 to v9.4 brought in new frameworks, including the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) v1.0 and the revised NIST SP 800-171 r2 mappings.
Landmark breaches over the past year in multiple industries outside of healthcare (hospitality, retail, manufacturing, etc.) have highlighted the need for, and benefit of, a single control framework that can easily map to other common security frameworks. Every year, organizations face new state and national security regulations (GDPR, CCPA, etc.), which can result in “death by a thousand audits.” The ability to audit once and report many times is a top priority for most organizations with information security reporting requirements.
The HITRUST Common Security Framework (CSF) is unique and can be challenging to understand. Hopefully, this article has provided clarity on the framework and how it is structured. Linford & Co. is an approved HITRUST Assessor firm, with deep expertise in HITRUST audits and HIPAA assessments.
Lastly, please contact us with any HITRUST related questions. We are happy to consult about providing a HITRUST assessment, or discuss one of the many other audit and certification services we can provide for your organization.
Richard is a leader in the HITRUST practice with Linford & Company and performs a variety of other assessments including SOC, HIPAA and NIST. He has guided more than 100 clients on their compliance journeys and holds a variety of certifications including the PMP, CISSP, GSNA and CCSFP as well as the CASP+, CySA+, Security+ and others from CompTIA, which he supports actively as a member of the Subject Matter Expert Governance Committee. He also holds an MBA from Western Governors University.