Ensuring regulatory compliance is one of the most vital, and most complex, tasks healthcare organizations and their business partners wrestle with. Failure to secure patient data can result in costly penalties and reputational damage. The compliance process is time-consuming, its requirements are often vague, and many healthcare entities lack the resources and skills to implement the practices and controls needed to achieve compliance. It is not surprising that in 2020 HHS found organizations non-compliant with HIPAA in 69 percent of its investigations. Because HIPAA's requirements leave so much open to interpretation, HITRUST has emerged to provide a standardized framework that any HIPAA-covered entity can use to show it is operating in line with HIPAA requirements.

What is HITRUST?

HITRUST stands for the Health Information Trust Alliance.

Founded in 2007, HITRUST is a private organization that developed and maintains a cybersecurity framework to help organizations manage information risk and achieve HIPAA compliance.

According to the alliance:

HITRUST “was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges.”

One of the biggest compliance challenges organizations face is balancing the necessary risk mitigation measures against their resource, skill, and budget limitations. HITRUST streamlines the process by breaking down and prioritizing the full set of controls and requirements and phasing their implementation. This brings more focus to an organization's compliance efforts, letting it address the most critical issues first and spread the cost and implementation of controls over a longer period.

The HITRUST CSF (Common Security Framework) harmonizes requirements from other widely used standards and regulations, including HIPAA, PCI DSS, ISO 27001, and NIST, into a single set of controls that satisfy their requirements. It has 135 specific controls, each mapped to the HIPAA standards and implementation specifications it supports, and each CSF control has multiple implementation levels with increasingly demanding requirements.

The HIPAA requirements that HITRUST maps to were substantially expanded by the HITECH Act of 2009. HITECH was enacted to promote the adoption of health information technology, and electronic health records (EHRs) in particular, to streamline healthcare and reduce costs. It also made changes to ensure HIPAA-covered entities were complying with HIPAA requirements and changed the way those requirements are enforced.

Some of the changes HITECH introduced include:

  • Tougher penalties for violations of the HIPAA Security and Privacy Rules
  • Periodic HHS audits of covered entities and business associates to determine whether they meet the minimum standards of the Security and Privacy Rules
  • A four-tier system for assigning penalties for HIPAA violations. Organizations can now be penalized even if they were unaware a violation occurred.
  • The extension of HIPAA Privacy and Security Rule requirements to apply directly to healthcare organizations' business associates, including medical transcription companies, law firms, software vendors, collections companies, and other entities whose work gives them access to protected health information.

Because the HITRUST CSF maps its controls to HIPAA as amended by HITECH, working toward HITRUST certification moves an organization toward HIPAA compliance as well.

What is HITRUST Certification?

HITRUST certification is a way for organizations to demonstrate that they meet the controls HITRUST maps to HIPAA. In the past, healthcare organizations signed agreements or verbally attested that they had proper security controls and practices in place and were HIPAA compliant. Essentially, this was a promise made to business associates that could not be easily validated. With HITRUST certification, healthcare organizations can show they are operating in line with HIPAA guidelines and requirements and establish themselves as a trusted business partner. One caveat: HHS does not recognize any third-party certification as proof of HIPAA compliance, so certification demonstrates due diligence to partners and customers rather than satisfying the regulator by itself.

HITRUST offers a three-step process, called the Degrees of Assurance, to become HITRUST CSF Certified.

The first step is a self-assessment using the HITRUST myCSF tool. The organization answers a series of scoping questions about its environment, and myCSF generates a customized assessment to determine how well that particular environment meets the applicable requirements. The tool helps identify areas where the organization already meets HITRUST criteria and areas where it needs improvement.

After completing the self-assessment and taking any necessary corrective actions, the organization can take the second step and engage a third party to confirm that it meets the relevant HITRUST criteria. A HITRUST-approved CSF Assessor visits on site to verify the evidence the organization gathered during the self-assessment and produces a validated assessment.

For the final Degree of Assurance, the organization submits its validated assessment to HITRUST for review and certification. The certification is good for two years, with an interim assessment at the one-year mark, after which the organization's compliance must be fully assessed again.

How Long Does It Take to Achieve HITRUST Certification?

The time frame for achieving HITRUST certification varies by organization and depends on many factors. HITRUST requires organizations to demonstrate readiness against 135 CSF controls. For assessment purposes, these controls are grouped into 19 domains:

  1. Information Protection Program
  2. Endpoint Protection
  3. Portable Media Security
  4. Mobile Device Security
  5. Wireless Protection
  6. Configuration Management
  7. Vulnerability Management
  8. Network Protection
  9. Transmission Protection
  10. Password Management
  11. Access Control
  12. Audit Logging & Monitoring
  13. Education, Training & Awareness
  14. Third-Party Security
  15. Incident Management
  16. Business Continuity & Disaster Recovery
  17. Risk Management
  18. Physical & Environmental Security
  19. Data Protection & Privacy

How long the process takes depends on the organization's maturity and the complexity of its environment, as well as resource availability, security program readiness, and the amount of remediation required. In general, the self-assessment and the third-party validated assessment can each be completed within about eight weeks, but the end-to-end effort, including remediation and HITRUST's own review and certification, can run up to 24 months.

Another consideration is cost: organizations can expect to spend anywhere from $50,000 to $200,000, depending on their size and the complexity of their environment. Typically, the decision to pursue certification is driven by the requirements of doing business with a certain type of client or entering a new market.

[Related Reading: Accelerating HITRUST CSF Certification with AWS]

Benefits of HITRUST Certification

HITRUST certification brings several benefits to an organization. The primary benefit is that it establishes the certified organization as a trusted business partner. Indeed, many organizations seek HITRUST certification because a business associate or client requires it as a condition of doing business. Being able to show that your organization meets or exceeds HITRUST CSF requirements gives you a competitive edge over organizations that cannot demonstrate compliance.

Another benefit is that the HITRUST certification process improves an organization's security posture, because it is far more rigorous and prescriptive than most regulatory frameworks. The HITRUST CSF pushes an organization to conduct a deep, comprehensive review of its environment, which often uncovers security gaps and risks that would otherwise have gone undetected. Remediating these as part of the assessment process ultimately strengthens the organization's security and reduces its risk.

The HITRUST certification process also sets out clear criteria for demonstrating HIPAA compliance. HIPAA and other regulations generally do not prescribe how to achieve or prove compliance, which often leaves organizations unsure what actions to take. The HITRUST CSF offers clear, actionable requirements for meeting a range of widely recognized standards.

The scalability of the HITRUST CSF is another benefit. The control set is tailored to each assessment according to the organization's type, size, and complexity, so organizations can adapt the CSF to their particular needs, making it workable for businesses of all sizes.

Differences between HITRUST and HIPAA

Both HITRUST and HIPAA address regulatory compliance for healthcare organizations, so, understandably, some people treat the two as interchangeable. It is important to understand the differences between them and how they work together so you can better meet your compliance responsibilities.

The main difference is that HIPAA is a federal law implemented and enforced by government agencies, whereas the HITRUST CSF is a framework created and maintained by a private organization. The CSF was developed to help healthcare companies and their partners achieve HIPAA compliance more easily and efficiently.

Another difference is that HIPAA does not prescribe which practices and security controls organizations should adopt to meet its regulatory requirements. Its nuanced language makes it difficult for many companies to determine what measures they need to take to meet its standards, and HHS offers no certification to prove they have done so. HITRUST attempts to give companies clearer direction on what actions to take, along with a certification process for demonstrating that those actions are in place.

[Further Reading: HITRUST vs. HIPAA]

HITRUST Offers a Smoother Path to HIPAA Compliance

Data breaches can be devastating for healthcare organizations, and unfortunately, they are on the rise. A recent report found that the healthcare industry experienced a 51 percent increase in breaches and leaks compared to 2019, concluding that the "COVID-19 pandemic engendered new vulnerabilities in the digital ecosystem for threat actors to exploit, resulting in items like vaccines, fraudulent vaccine certificates, and other COVID-19 related items being sold in dark marketplaces and underground forums."

HITRUST CSF certification can help you identify and remediate security gaps in your environment, give you greater confidence in your data security, and show that you are meeting the applicable HIPAA requirements.

Healthcare organizations are turning to managed detection and response (MDR) services to help implement security controls and demonstrate adherence to regulations. MDR providers give you deep visibility into your environment and can supply reports that show where you meet specific HITRUST CSF control domains and HIPAA requirements and where you are falling short, so you can take corrective action and move more swiftly toward compliance.

Read more about how Alert Logic MDR empowers and expedites compliance with security mandates, or request a demo.

About the Author
Antonio Sanchez
Antonio Sanchez is Fortra's Principal Evangelist. He has over 20 years of experience in the IT industry, focusing on cybersecurity, information management, and disaster recovery solutions that help organizations of all sizes manage threats and improve their security posture. Antonio is a Certified Information Systems Security Professional (CISSP) and has held various leadership roles at Symantec, Forcepoint, and Dell.