An Expert’s Guide to the HITRUST Framework

“What is HITRUST?” is typically the first question asked of Linford by organizations exploring HITRUST for the first time. Formerly, HITRUST stood for Health Information Trust Alliance, but it recently rebranded to simply HITRUST to align with changes to the “framework” that make it industry agnostic (more below).

HITRUST is an organization and a security framework. HITRUST the organization is a nonprofit organization originally created in 2007, based in Frisco, Texas. Its goal is to help companies effectively manage and certify compliance with information security controls, and consolidate compliance reporting requirements. The organization is responsible for the creation and maintenance of the Common Security Framework (CSF).

What is the HITRUST Common Security Framework (CSF)

HITRUST was initially developed for organizations working in the healthcare industry, which often found the vagueness of the HIPAA Security Rule difficult to understand and properly implement. This often resulted in healthcare payers and providers not having an adequate way to assess the security posture of their IT vendors and the effectiveness of the controls in place to safeguard protected information.

The goal of the HITRUST CSF is to harmonize compliance requirements and provide specific details regarding how controls are implemented. The CSF is a proprietary risk and control framework that is updated on an annual basis and is currently in version 9.3. The framework is made to be scalable for organizations based on the entity type and volume of data/transactions. The framework also allows organizations to incorporate controls to meet requirements from other regulatory and security frameworks (PCI, COBIT, Meaningful Use, ISO, etc.).

How is the HITRUST Framework Structured

The HITRUST CSF is broken out into 19 different “domains,” which are aligned with common IT process areas.

HITRUST Domains
  • 01 Information Protection Program
  • 02 Endpoint Protection
  • 03 Portable Media Security
  • 04 Mobile Device Security
  • 05 Wireless Security
  • 06 Configuration Management
  • 07 Vulnerability Management
  • 08 Network Protection
  • 09 Transmission Protection
  • 10 Password Management
  • 11 Access Control
  • 12 Audit Logging & Monitoring
  • 13 Education, Training, and Awareness
  • 14 Third-Party Assurance
  • 15 Incident Management
  • 16 Business Continuity & Disaster Recovery
  • 17 Risk Management
  • 18 Physical & Environmental Security
  • 19 Data Protection & Privacy

These 19 domains are broken into 135 Security Controls and 14 Privacy Controls; controls can map back to multiple domains. Controls are then broken down into control requirements. It is important to note that organizations can only certify against the HITRUST Security Assessment (vs. Comprehensive Assessment and Privacy Assessment), and there are only 75 controls in scope of the baseline security assessment.

For organizations that elect to conduct comprehensive security and privacy examinations, if they achieve certification, the certification only covers the 75 required security controls. The remaining 60 controls are optional and are only included in Comprehensive Assessments. Privacy is currently not certifiable by HITRUST. For this reason, Linford encourages our clients to focus their certification efforts on the baseline security assessment.

The number of controls included in an organization’s assessment is driven by “scoping factors.” Each organization must scope its object (HITRUST assessment). Scoping consists of answering a variety of questions that are used to determine how many controls are in-scope for an assessment. The largest driving factor in-scope is the number of sensitive records maintained by an organization. For healthcare organizations, this is defined as the number of breach notification letters which would need to be sent in the event of a catastrophic breach (not discrete pieces of data). As a rough estimate, we see the number of control requirements similar to the following:

  • Under 10 Million Records: Assessment size of ~300 control requirements
  • Between 10 and 60 Million Records: Assessment size of ~375+ control requirements
  • Over 60 Million Records: Assessment size of ~450+ requirements

Here is an example of how the framework is structured:

  • Domain: 08 Network Protection
  • Control Family: 01.o Network Routing Control
  • Requirement Statement: Routing controls are implemented through security gateways (e.g., firewalls) used between internal and external networks (e.g., the Internet and 3rd party networks).

 

How do Organizations Achieve HITRUST Certification

To achieve HITRUST certification, organizations must achieve a passing score in each of the 19 HITRUST domains. Each control requirement is scored and evaluated against five different “Maturity Levels” based on the degree to which the control is implemented.

  • Policy: Are there policies in place that directly address the requirements of the controls?
  • Procedure: Formal documentation for non-automated controls which outlines the who, what, when, where, and how of a process. For example, if you conduct a risk assessment, is there a procedure that defines how the risk assessment is conducted, in addition to a policy that simply states one will be performed?
  • Implementation: Are all elements of the requirement statement implemented?
  • Measured and Managed: The last two maturity levels are highly interrelated and are akin to continuous monitoring. There is an extensive evidence and documentation threshold for the measured and managed maturity levels. As a result, they are typically not included by organizations in their HITRUST assessments, as they are not needed to achieve certification.

Each control requirement is evaluated against the maturity levels to determine the score. The score for each maturity level is based on the degree of implementation and the weighting of the maturity level. The policy, procedure, and implementation maturity levels are each weighted at 25%, meaning organizations can obtain 75 out of 100 points from these maturity levels, which is more than enough to achieve certification. The measured and managed maturity levels are weighted at 15% and 10% respectively.

Note: Organizations seeking certification can obtain passing scores only evaluating their in-scope requirements against the policy, procedure, and implementation maturity levels.

As such, Linford recommends organizations new to HITRUST avoid evaluating the measured and managed maturity levels. Each requirement can achieve a score of 0 to 100% for each maturity level based on the degree the control is implemented. HITRUST defines the implementation maturity as follows:

Maturity: Requirement

  • Non-Compliant (NC) – 0%: Very few, if any, of the elements in the requirement statement exist for the maturity level evaluated (policy, procedure, implemented, measured, or managed).
  • Somewhat Compliant (SC) – 25%: Some of the elements in the requirement statement exist for the maturity level evaluated (policy, procedure, implemented, measured, or managed).
  • Partially Compliant (PC) – 50%: About half of the elements in the requirement statement exist for the maturity level evaluated (policy, procedure, implemented, measured, or managed).
  • Mostly Compliant (MC) – 75%: Many but not all of the elements in the requirement statement exist for the maturity level evaluated (policy, procedure, implemented, measured, or managed).
  • Fully Compliant (FC) – 100%: Most if not all of the elements in the requirement statement exist for the maturity level evaluated (policy, procedure, implemented, measured, or managed).

The key takeaway is that scores for each domain are based on a large weighted average for each control requirement and associated maturity level. For specific details on HITRUST Scoring please see How to Score HITRUST CSF Controls.
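The weighting described above, worked through as an added example (not code from this article or from HITRUST). It uses the weights and rating percentages stated in the text; treating an unevaluated maturity level as 0 points and averaging requirements equally within a domain are assumptions, and the sample ratings are constructed.

```python
from statistics import mean

# Maturity-level weights as stated in the article (percent of a requirement's score).
WEIGHTS = {"policy": 25, "procedure": 25, "implemented": 25, "measured": 15, "managed": 10}

# Rating abbreviations and their percentages, from the article's table.
RATINGS = {"NC": 0, "SC": 25, "PC": 50, "MC": 75, "FC": 100}


def requirement_score(ratings):
    """Score one control requirement on a 0-100 scale.

    `ratings` maps maturity level -> rating abbreviation. Levels left out
    (e.g. measured/managed) are assumed not evaluated and earn 0 points.
    """
    unknown = set(ratings) - set(WEIGHTS)
    if unknown:
        raise ValueError(f"unknown maturity level(s): {sorted(unknown)}")
    total = 0.0
    for level, weight in WEIGHTS.items():
        rating = ratings.get(level, "NC")
        if rating not in RATINGS:
            raise ValueError(f"unknown rating {rating!r} for {level}")
        total += weight * RATINGS[rating] / 100
    return total


def domain_scores(assessment):
    """Assumption: a domain's score is the unweighted mean of its requirement scores."""
    return {domain: mean(requirement_score(r) for r in reqs)
            for domain, reqs in assessment.items()}


# Constructed sample assessment (not real data): two domains, three requirements.
SAMPLE = {
    "08 Network Protection": [
        {"policy": "FC", "procedure": "FC", "implemented": "FC"},
        {"policy": "FC", "procedure": "PC", "implemented": "MC"},
    ],
    "11 Access Control": [
        {"policy": "MC", "procedure": "SC", "implemented": "FC",
         "measured": "PC", "managed": "NC"},
    ],
}

if __name__ == "__main__":
    for domain, score in domain_scores(SAMPLE).items():
        print(f"{domain}: {score:.2f}")
```

The first sample requirement shows the ceiling the article mentions: fully compliant policy, procedure, and implementation with no measured or managed evaluation yields 75 points.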

 

HITRUST CSF Assessments

There are multiple types of assessment that organizations can elect to perform against the HITRUST CSF. As noted above, HITRUST certification only includes the control requirements in scope for the 75 key controls required for certification.

  • Self Assessment: This type of assessment allows the organization to obtain access to the HITRUST CSF via the myCSF tool. Organizations can scope their assessment, and conduct gap assessments against the framework. It is highly recommended that organizations work with a HITRUST assessor firm to conduct the self-assessment to ensure control requirements are appropriately interpreted and evaluated. This provides a stepping stone to a validated assessment and ensures controls are properly designed prior to seeking CSF validation. Organizations that complete a self-assessment are not HITRUST certified.
  • Validated Assessments: A validated assessment must be successfully completed to achieve HITRUST certification. Organizations are required to use an authorized HITRUST assessor firm to conduct the assessment. Unlike self-assessment, remediation is not allowed during a validated assessment.

To conduct a HITRUST assessment, organizations must purchase access to the HITRUST framework from HITRUST. There are various pricing packages and it is recommended that organizations communicate directly with HITRUST to obtain the latest pricing.

How the HITRUST CSF Compares to Other Security Frameworks

When comparing HITRUST to other security frameworks, it is easy to see the similarities and differences. At the end of the day, HITRUST is a certifiable framework, unlike HIPAA, which is a regulation. The HITRUST CSF is foundationally built on ISO 27001. If properly implemented, the baseline security assessment is considered to address all HIPAA Security Rule requirements.

One of the main differences between HITRUST and other security frameworks is the focus on security governance activities. This is achieved on multiple levels.

The first method requires organizations to have current and approved policies and procedures that address the HITRUST requirement specifications. These requirements go beyond simply stating that an organization encrypts data; they require the organization to specify how data is encrypted at rest in all types of IT mediums and in transit.

The second way this is achieved is through numerous review controls that many consider routine IT operations activities. For example, most information security frameworks, including HITRUST, require organizations to deploy firewalls or similar protections to restrict inbound traffic to their networks.

In addition, HITRUST also requires that a review of firewall rules is performed and documented at least annually.

 

Recent Changes to HITRUST CSF Framework

As of January 1, 2020, HITRUST CSF v9.3 is now the current version of the CSF. As a whole, there have not been any material changes from v9.2 to v9.3. The main focus has been on updating the control language. The biggest change users of the framework will notice is that the word “PHI” (Protected Health Information) has been replaced with “PII” (Personally Identifiable Information) for many controls. This change is part of a larger focus of HITRUST to expand the framework to be applicable beyond just the healthcare industry.

Landmark breaches over the past year in multiple industries outside of healthcare (hospitality, retail, manufacturing, etc.) have highlighted the need and benefit for an organization to have one control framework that can easily map to other common security frameworks. Every year, organizations are facing new state and national security regulations (GDPR, CCPA, etc.) which can result in “death by a thousand audits.” The ability to audit once and report many is a top priority for most organizations with information security reporting requirements.

Conclusion

The HITRUST Common Security Framework (CSF) is unique and can be challenging to understand. Hopefully, this article has provided clarity on the framework and how it is structured. Linford & Co. is an approved HITRUST Assessor firm, with deep expertise in HITRUST audits and HIPAA assessments. I would be happy to discuss your compliance and third-party reporting needs.
