If your organization is in the healthcare industry, you handle valuable data. Whether you create it, store it, transmit or exchange it, or simply access it, your systems must be secure in order to protect the confidentiality, privacy and integrity of the information.
This is by no means a simple process. In an effort to streamline it and to create harmony among the many compliance standards and regulations that companies must adhere to in this industry, leaders in business, information security and technology formed an organization known as the Health Information Trust Alliance (HITRUST), which worked to produce a unified compliance standard known as the HITRUST Common Security Framework (CSF).
Obtaining HITRUST CSF certification requires full compliance with all of the controls contained in the framework. Even if your organization’s management team has not yet decided whether to pursue certification, the same HITRUST controls are the yardstick you should use when conducting an internal self-assessment.
The Organization of the HITRUST CSF
The structure of the CSF is based on ISO/IEC 27001 and ISO/IEC 27002. It contains the following 13 control categories:
- Information Security Management Program
- Access Control
- Human Resources Security
- Risk Management
- Security Policy
- Organization of Information Security
- Asset Management
- Physical and Environmental Security
- Communications and Operations Management
- Information Systems Acquisition, Development and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Privacy Practices
Depending upon factors such as the size of your organization and the level of risk it is expected to incur, you will be required to implement security controls at one of three levels. In addition, the framework contains 46 control objectives and 149 control specifications.
HITRUST CSF Controls and Specifications
The control categories would not be very helpful if there were no criteria established to define them. To that end, the following specific factors must be identified and evaluated for each category:
- Control specifications. This is the set of legal, administrative, management and technical policies, procedures, practices and organizational structures that will assist you in meeting the control objective;
- Organizational, regulatory and system factors that could potentially put your infrastructure in jeopardy of a data breach;
- Implementation requirement. This requirement indicates how the control objective will be met and provides three levels, from baseline to comprehensive depending on the size of an organization and its risk profile;
- Guidance on how to perform the assessment, including document examination, interviewing of staff and suggestions for developing a test plan;
- Standard mapping. This helps you to cross-reference HITRUST control requirements against those of other standards such as HIPAA.
The HITRUST controls provide you with a specific road map that you can follow as you assess your organization’s compliance with industry standards. Because one size does not fit all when it comes to compliance with regulatory standards, the framework also furnishes a great deal of flexibility. Taking the time to use these categories and objectives to evaluate your systems will ultimately result in a clear understanding of their strengths and weaknesses. Armed with that knowledge, you can implement the changes needed to keep that all-important data private and secure.