HITRUST CERTIFICATION: IMPORTANCE IN HEALTHCARE

Being HITRUST-certified is one way companies can demonstrate their commitment to security and privacy to clients and partners.

Healthcare is one of the most highly regulated industries regarding privacy and security. There is a good reason for this, too, as personal health information (PHI) is some of the most valuable information for cybercriminals and people who commit fraud. According to the US Department of Health and Human Services 2020 Healthcare Breach Report, the average cost per breached record is $499, and a record can be sold for over $1000. As a result, PHI has become highly targeted by criminals, and to combat this, regulations and security standards have been created to ensure that businesses protect this information correctly. This article will discuss a popular security framework and certification in the healthcare industry called HITRUST.

What is HITRUST Certification?

HITRUST, created in 2007, is a standards and certification body that helps organizations manage information security, privacy, and regulatory compliance.

Organizations that achieve HITRUST certification have passed the framework checks and have shown an ability to adhere to the security requirements of HIPAA. 

Then there is the HITRUST CSF framework.

What is HITRUST CSF?

The HITRUST CSF is a certifiable security and privacy controls framework that provides organizations with a comprehensive, flexible, and efficient approach to regulatory compliance and risk management. Developed in collaboration with data protection professionals, the HITRUST CSF provides structure, transparency, guidance, and cross-references to 40+ authoritative sources, standardizing requirements and providing clarity and consistency. The HITRUST CSF is regularly updated as mapped authoritative sources change and new sources are introduced. Because the HITRUST CSF is both risk- and compliance-based, organizations of varying risk profiles can customize the security and privacy control baselines through various factors, including organization type, size, systems, and regulatory requirements.

The HITRUST CSF assurance program combines aspects of many popular security frameworks, including ISO, NIST, PCI, and HIPAA. So it’s not limited to just evaluating companies based on HIPAA requirements. There is a roadmap that organizations can follow to achieve data security and compliance with HIPAA. 

Why is HITRUST Important in Healthcare?

Whether you are a healthcare provider or a processor of healthcare information, you have a big responsibility to ensure that you protect that information. Not only is this heavily mandated through regulations like HIPAA, but your potential clients will want to know that you can uphold these standards as part of their requirements for doing business with you. Being HITRUST certified is one-way companies can demonstrate their commitment to security and privacy to potential clients and business partners.

HITRUST vs. HIPAA

The relationship between HITRUST and HIPAA can be confusing at first. However, it’s essential to understand that they are not the same but are closely related. HIPAA stands for the Health Insurance Portability & Accountability Act and was passed by Congress in 1996. While HIPAA is a regulation created by lawmakers, HITRUST is a framework developed by security experts that covers key aspects of HIPAA compliance and draws from dozens of other authoritative sources as well.

One of the issues organizations face with HIPAA compliance is translating somewhat vague requirements into quantifiable and measurable criteria and objectives. HITRUST helps companies achieve this by providing a framework for identifying the organization’s appropriate administrative, technical, and physical safeguards. 

HITRUST Certification Requirements

Now that we’ve discussed the value of HITRUST in the healthcare industry, let’s look at how a company can become certified. For an organization to become HITRUST certified, it must undergo a validated assessment by a HITRUST assessor firm. The company must purchase a MyCSF subscription from HITRUST and a certification report credit. Upon completion of the validated review, the organization will submit the corrective action plans required for issues that were found. The assessor firm will, in turn, assess the company’s compliance with HITRUST CSF requirements and submit the assessment to HITRUST to spot-check the assessment results. If no significant problems are identified beyond what was found in the assessment, then the organization will be awarded HITRUST certification. 

HITRUST Assessment Levels

HITRUST offers three levels of assessment: the HITRUST Basic, Current-state Assessment (bC); the HITRUST Implemented, 1-year Assessment (i1); and the HITRUST Risk-based, 2-year Assessment (r2).

(Figure: HITRUST assessment levels. Source: HITRUST)

HITRUST bC Assessment

This is the starting point for organizations seeking a HITRUST assessment. It is a standardized self-assessment that companies can perform without hiring an external assessor. It focuses on good hygiene and performs simple validations by applying HITRUST’s Intelligence Engine. The level of effort required is the lowest of all three, and it provides the lowest level of assurance and results in no HITRUST Certification. 

HITRUST i1 Validated Assessment + Certification

This assessment is considered a validation of cybersecurity best practices and is well-suited for environments with moderate risk. HITRUST stated that this assessment would be threat-adaptive to reflect the evolving threat landscape and include a static list of required security controls. The level of effort required is considered moderate by HITRUST, but it gives a good level of assurance and allows you to obtain a one-year certification from HITRUST. The i1 assessment must be completed annually or replaced by an r2 Validated Assessment on or before the anniversary of the i1 submission.

HITRUST r2 Validated Assessment + Certification

This fully tailored assessment considers multiple risk factors relevant to the company undergoing the assessment in order to determine its scope. The r2 is most suitable for high-risk scenarios where high-level assurance is required or expected. When an external assessor completes it, it results in a two-year HITRUST certification, as opposed to one year under the i1.

What is HITRUST MyCSF?

The MyCSF tool is a SaaS platform that helps organizations navigate and prepare for the HITRUST assessment process. It allows organizations to manage information risk and meet international, federal, and state regulations around privacy and security. It also helps organizations understand the gaps between their current state and international standards and best practices. Some of its key features include:

MyCSF Compliance and Reporting Pack for HIPAA:

The tool automatically compiles the list of evidence collected from your HITRUST assessment process and provides recommendations on what is required to ensure HIPAA compliance. The information from your assessments is consolidated into a report formatted by HIPAA control and populated with evidence that can be shared directly with the Office for Civil Rights (OCR) investigators.

Custom Assessments:

It can tailor assessments to fit your organization’s needs by focusing on specific regulatory factors or specific control requirements individually.

Assurance Intelligence Engine:

This feature provides automated checks that evaluate your assessment documentation and flag potential errors that may slow down the assessment review process.

Recap

Healthcare is one of the most heavily regulated industries in terms of data security and privacy. This is why frameworks like HITRUST were created. HITRUST is not a regulation but a security framework and certification that demonstrates that the certified company adheres to security best practices, particularly the security requirements of HIPAA. Organizations that want to achieve HITRUST compliance must complete an i1 or r2 assessment by a HITRUST-certified external assessor. This certification allows other organizations to verify that the company has the proper security controls to protect PHI in its environment. The MyCSF tool is a SaaS platform that helps organizations govern risk and prepare for a HITRUST assessment. If you want help getting your organization certified in HITRUST, you can book some time with one of our HITRUST experts here.

HITRUST® introduces the leaner version of the Validated HITRUST Assessment – The Implemented, 1-Year (i1) Validated Assessment + Certification

HITRUST recently announced the implementation of a new annual HITRUST Assessment + Certification, the i1. The aim of this release is to provide a cybersecurity assessment that remains continuously relevant by utilizing the latest threat intelligence to address information security risks and emerging cyber threats like ransomware and phishing.

Experts highly tout the “Gold Standard” for information security assurances as the original HITRUST Validated Assessment, which is now dubbed the r2. The HITRUST Risk-based, 2-Year r2 Validated Assessment + Certification uses the HITRUST CSF® cybersecurity framework to unify and harmonize controls from many regulatory and industry frameworks, including HIPAA, GDPR, and PCI-DSS. It is often considered a sort of “one framework to rule them all”, and organizations that implement a properly scoped HITRUST r2 Assessment can include more than 40 authoritative sources to conform to a variety of cybersecurity regulations and standards. The HITRUST r2 is a 2-year, risk-based, tailorable assessment that continues to provide the highest level of assurance for situations with greater risk exposure due to data volumes, regulatory compliance, or other risk factors.

The new HITRUST Implemented, 1-Year (i1) Validated Assessment + Certification is the first information security assessment of its kind and possesses attributes that other assurance programs do not have. The assessment’s design and control selection place it in a new category of threat-adaptive information security assessments, which evolve with emerging risks and new threats while also retiring irrelevant controls.

The HITRUST i1 Assessment is designed to:

  • Maintain control requirements that mitigate existing and emerging threats by providing updates as new threats are identified. The assessment is threat-adaptive, prescriptive, and concentrates on controls that are relevant to risk.
  • Sunset controls that have lost relevance and have limited assurance value relative to the effort required to comply or assess.
  • Deliver greater reliability than other moderate assurance options due to its unique control selection and assurance program design.

The HITRUST i1 Validated Assessment + Certification is a “best practices” assessment that consists of 219 pre-selected controls. The design of the assessment was based on relevant information security risks and emerging cyber threats. It provides coverage for numerous standards, such as NIST 800-171, the GLBA Safeguards Rule, the HIPAA Security Rule, and Health Industry Cybersecurity Practices (HICP). Although the HITRUST i1 is a leaner version of the r2, the evaluation process is still incredibly rigorous and provides the same credibility associated with the original HITRUST Assessment.

Examination of the Five Maturity Levels Tested in r2 and i1 Assessments

  • Policy – Detail management’s requirements for the organization and in-scope systems
  • Procedures – Document the organization’s methods for implementing policies
  • Implemented – Demonstrate how the organization implemented policies and procedures
  • Measured – Examine how the organization evaluates its program
  • Managed – Show how the organization continuously manages risk

Conclusion

Although some organizations may consider the i1 assessment to be less assuring than the r2 assessment, the i1 provides several benefits due to its threat-adaptive approach paired with an annual assessment cycle. The HITRUST i1 concentrates solely on the Implemented PRISMA maturity level, thus limiting the scope of the assessment and helping reduce the preparation required. The i1 considers particular “Evaluative Elements” to confirm the complete implementation of each control, and an organization can be evaluated based solely on the level of implementation. An i1 assessment can serve as either a readiness assessment (which includes an identification and remediation report) or a validated assessment (which includes a requirements check and an official certification).

It’s recommended that every organization start with a readiness assessment to get a detailed report on its cybersecurity posture and remediation requirements before performing a Validated i1 Assessment. This is important in finding vulnerabilities within your organization, as it allows you to complete any recommended remediations before the HITRUST QA (quality assurance) team conducts the validated assessment.

The Accorian Advantage

Accorian is a full-service security provider with many years of experience providing data security compliance, information security program implementation, and testing services. As an authorized HITRUST CSF Assessor, Accorian has Certified HITRUST Practitioners and advisors with the expertise to provide the guidance and knowledge your organization requires to successfully complete a HITRUST Validation or Certification. Our qualified security advisors can initiate the scoping process for your assessment and facilitate the self-assessment process, reducing your costs, time, and resources with our HITRUST compliance services. As your organization adopts new technology, we can help with a HITRUST Assessment to streamline information security compliance as part of the implementation process. Additionally, we can help you maintain compliance by monitoring task completion and performing required third-party services for vulnerability testing and reviews. We are here if you need us.

The Journey from HIPAA Compliance to HITRUST Certification

In today’s complex technological world, there is always the danger of a hostile threat environment lurking around the corner, waiting to exploit gaps in processes and technology. People and organizations with malicious intent always try to act upon such opportunities and cause lasting damage to the organization’s reputation and finances. In such a scenario, securing the information and information assets of the organization is of paramount importance. There are several ways to secure information and information assets within an organization. Some organizations may deploy strict controls like access control, secure equipment areas, authorization, and authentication.

The healthcare industry is no different and is not safe from the malicious intent of hackers and trespassers. Sensitive healthcare information like patient data, patient recovery status, and personal information always needs to be safeguarded. Hence, the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, which outlines protection and security standards for health care data. HIPAA is a public law that was landmark legislation when it was enacted in the 1990s. Before its enactment, there were no security standards or requirements for protecting health care information. While HIPAA is an act that details standards for compliance, HITRUST is an organization that helps you achieve those standards by means of an industry-acclaimed certification.

Transitioning from HIPAA Compliance to HITRUST Certification

Transitioning from being HIPAA compliant to being HITRUST certified is not a straightforward or simple journey. It involves a lot of effort and adjustments along the way on the part of the organization. Organizations that are HIPAA compliant often assume that getting HITRUST certification is an easy walk. In reality, the path to HITRUST certification is demanding and cumbersome. HITRUST certification is an exhaustive and comprehensive certification process, and organizations often must scale up their efforts to become compliant.

The common pitfalls or roadblocks often faced by organizations in the journey from HIPAA to HITRUST are:

  • HITRUST requires exhaustive policies and procedures to be in place, spread across 19 domains of information security. Organizations often fall short of producing the exhaustiveness or robustness in their documentation that HITRUST mandates
  • The HITRUST certification process mandates the actual implementation of solutions and security controls. In many cases, organizations that are HIPAA compliant do not have enough security controls in place to even be eligible for HITRUST certification
  • HIPAA compliance is a self-declaration made by the management of the organization in view of the security posture of the entity. In most cases, when the organization goes for HITRUST certification, it comes as a revelation when they do not clear the HITRUST certification because their security posture is not good enough. HITRUST certification is a very comprehensive and robust assessment of the security posture of an entity
  • HITRUST mandates how sensitive and covered information must be stored and securely handled. Covered information includes ePHI, PII, etc. In comparison to HIPAA, HITRUST is more particular and employs strict measures about the secure handling of ePHI
  • As opposed to HIPAA, which has defined penalties for security breaches, the enforcement of HITRUST is dependent on the healthcare industry itself, typically covered entities like hospitals and payers requiring HITRUST CSF Certification of vendors
  • HITRUST also claims that with its framework you can “assess once and report many”, which means that a HITRUST Certification can be used as the building block to attain other certifications and reports such as a SOC 2 or NIST 800-53. Thus, HITRUST can be labeled as more versatile and comprehensive

How to attain HITRUST Certification?

Without a standardized framework, process, and certifying body, HIPAA is often an obstacle for healthcare technology. HITRUST is an attempt to help vendors better prove their security and to help covered entities streamline security and compliance reviews of vendors. HITRUST is an acronym for the Health Information Trust (HITRUST) Alliance, an independent testing organization that issues the Certified Security Framework (CSF) certification to vendors who successfully pass its rigorous security evaluation. HIPAA is a set of standards, whereas the HITRUST CSF provides a prescriptive set of controls that meet the requirements not only of HIPAA but also of other security standards such as PCI and NIST. As such, HITRUST is a valuable resource for risk management and compliance for organizations that handle sensitive data.

The 5 Steps to HITRUST CSF Certification

  • Step 1: Investigate the process
  • Step 2: Scope the project with the chosen HITRUST CSF Assessor
  • Step 3: Complete the CSF
  • Step 4: Validate the CSF with the assessor
  • Step 5: Certify the CSF with HITRUST Alliance

The organization should first determine the business drivers for attempting certification, which should include identifying key stakeholders, defining scope, and selecting an Authorized External Assessor Organization. HITRUST recommends that a Readiness Assessment be performed to prepare organizations for the Validated Assessment. Organizations can involve Authorized Internal and External Assessor Organizations as part of the Readiness Assessment. Based upon the results of the Readiness Assessment, the organization should develop a remediation plan and work with its Authorized External Assessor Organization to define the timing of the Validated Assessment. Before beginning the Validated Assessment, the organization will need to purchase a Validated Assessment object from HITRUST if it is not a subscriber. The organization will need to complete the Validated Assessment using the MyCSF tool, and then the Authorized External Assessor Organization will be required to perform the validation/audit work. Once the Authorized External Assessor Organization’s work is complete, they submit the assessment to HITRUST for review. HITRUST will perform quality assurance procedures, create a report, and, depending on the scores in the report, will issue a Letter of Certification.

Thus, we have seen that though HIPAA mandates a set of security and privacy safeguards to be implemented, HITRUST is the certifying body that evaluates the compliance of an organization against the standard. Achieving HITRUST CSF Certification requires significantly more time, effort, and resources than a HIPAA audit. Being HITRUST CSF Certified should be seen as a more significant badge for security and compliance than completing a HIPAA audit. I can conclude by saying that the journey traversed by an organization from being HIPAA compliant to HITRUST certified is indeed an eventful Security Compliance journey.

Risk Management Framework – Managing & Measuring what matters

A risk management program allows you to manage overall information security risk. It is an approach to identify, quantify, mitigate, and monitor risks. The reason to look at risk in a comprehensive manner is to make sure no one area is getting too much attention, or too little. Frameworks also help you identify the bigger elements of risk that need review and mitigation. Additionally, they help you prioritize the treatment of certain risks. Adherence to a risk framework also gives your customers comfort that a standard risk management process is in place and hence reduces your audit burden.

Typically, a Risk Management program comprises the following phases:

  • Risk identification
  • Risk analysis
  • Risk evaluation
  • Risk treatment
  • Risk Monitoring

A good risk management framework will have the following characteristics:

  • Comprehensive in types of risks it covers
  • Practical for an organization to implement
  • Updated with current real-world risks
  • Based on controls that can be reviewed and audited
  • Reliable so that your vendors and customers can accept it

There are many risk management frameworks that one can choose from, and it is important to understand the advantages of each.

Common risk management frameworks include:

The NIST (National Institute of Standards and Technology) framework is a comprehensive cybersecurity framework (CSF). It is very widely accepted across different company sizes and business domains. Most cyber-security professionals are well aware of this framework, as it is readily available. Although widely available and very popular, there is no certified third-party audit mechanism. Hence, it can only be self-assessed.

SOC 2 Type 2 is an internal controls report based on the scope you define. It is widely used in the United States to show the maturity of your controls. A CPA firm that is part of the American Institute of CPAs (AICPA) conducts the audit and issues an assessment report. The AICPA does not audit or review the assessment for completeness or quality.

HITRUST CSF is a framework that leverages NIST, SOC, and ISO, along with others, to create a more comprehensive standard. It is widely implemented in the United States by organisations in the healthcare space. Unlike the others, although external assessors are involved in the certification process, HITRUST reviews all assessments and issues the certificate. Additionally, among all the frameworks above, it tends to be the most expensive to implement.

It is important to choose a framework that matches your long-term security goals and needs. At Accorian, we work with all of the above frameworks. We help organizations choose the right framework and aid with the implementation. This is done by augmenting your security team with ours to help steer the rollout, aid with query resolution, choose the right controls and workarounds during mitigation advisory, facilitate the selection of vendors and products, and provide end-to-end program management.

1 Minute Guide to the Updated HITRUST Scoring & Metrics for 2020

At the start of the year, HITRUST released an updated methodology for scoring requirements. This will ensure that organizations focus on maintaining a robust program with implemented controls for enhancing security posture and adherence to HITRUST.

Hence, if you’re on the path to HITRUST or new to it, the following will be applicable to you:

  1. HITRUST will now place a greater emphasis on the implementation of controls.
  2. This can potentially increase the number of Corrective Action Plans (CAPs) due to gaps in implementation.
  3. The increase in CAPs for implementation would correspond with a decrease in the number of CAPs attributed to gaps in policies and procedures, as well as an increase in the scores for managed and measured if implemented well.
  4. A greater emphasis will be placed on procedure in comparison to policy.
  5. HITRUST wants to ensure that SOPs are well documented but, more importantly, followed with workflows and ownership.
  6. Assessors and enterprises will now be able to objectively score each control using the Control Maturity Rubric.
  7. Managed now holds greater importance in comparison to measured.

The key takeaways are as follows:

1) Change in weightage

Maturity Level    Old    New
Policy            25%    15%
Procedure         25%    20%
Implemented       25%    40%
Measured          15%    10%
Managed           10%    15%
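As an added illustration (not code from the original post), the following Python scores a single control under the old and new maturity-level weights from the table above, showing how the 2020 change moves the score toward implementation. The weights are the table's; the two per-control profiles and the 0..100 scale per level are constructed assumptions, not HITRUST rubric values.

```python
# Added example: weighted maturity scoring under the pre-2020 ("old") and 2020 ("new")
# HITRUST weights. Per-level scores in the sample profiles (0..100) are constructed for
# illustration only; they are not values from the HITRUST Control Maturity Rubric.

LEVELS = ("policy", "procedure", "implemented", "measured", "managed")

# Weights in whole percent (integers), so the arithmetic stays exact.
OLD_WEIGHTS = {"policy": 25, "procedure": 25, "implemented": 25, "measured": 15, "managed": 10}
NEW_WEIGHTS = {"policy": 15, "procedure": 20, "implemented": 40, "measured": 10, "managed": 15}


def maturity_score(profile: dict, weights: dict) -> float:
    """Weighted control score on a 0..100 scale: sum(level_score * weight) / 100."""
    if set(profile) != set(LEVELS) or set(weights) != set(LEVELS):
        raise ValueError("profile and weights must cover exactly the five maturity levels")
    if sum(weights.values()) != 100:
        raise ValueError("weights must total 100 percent")
    for name, score in profile.items():
        if not 0 <= score <= 100:
            raise ValueError(f"{name} score must be between 0 and 100")
    return sum(profile[level] * weights[level] for level in LEVELS) / 100


def score_shift(profile: dict) -> dict:
    """Score the same profile under both weightings and report how much it moved."""
    old = maturity_score(profile, OLD_WEIGHTS)
    new = maturity_score(profile, NEW_WEIGHTS)
    return {"old": old, "new": new, "delta": new - old}


# Constructed profiles: strong documentation with weak implementation, and the reverse.
PAPER_HEAVY = {"policy": 100, "procedure": 100, "implemented": 25, "measured": 50, "managed": 50}
IMPLEMENTATION_HEAVY = {"policy": 25, "procedure": 50, "implemented": 100, "measured": 50, "managed": 75}

if __name__ == "__main__":
    for name, profile in (("paper-heavy", PAPER_HEAVY), ("implementation-heavy", IMPLEMENTATION_HEAVY)):
        r = score_shift(profile)
        print(f"{name}: old={r['old']:.2f} new={r['new']:.2f} delta={r['delta']:+.2f}")
```

The paper-heavy profile loses over eleven points under the new weights while the implementation-heavy one gains the same amount, which is the mechanism behind the expected rise in implementation-related CAPs.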

2) Updated HITRUST Control Maturity Rubric

An objectively defined control maturity rubric is in place. It will aid in quantifying the current state of controls during self-assessments for prospective HITRUST enterprises and for validated assessments. There are 5 tiers for assessing the strength of the control (policy, procedure, implementation, measurement, and management) and 5 tiers for assessing coverage and adherence.

3) Applicability

The new scoring rubric is applicable for all myCSF material created and all assessments (self and validated) submitted to HITRUST in the year 2020.

4) Will the new scoring metrics impact already certified organizations?

Not yet, but it will play a role in re-certification. The metrics associated with the original assessment will be applicable for the interim assessment. 

Due to the updated assessment guidelines, companies up for re-certification will be required to implement their CAPs associated with implementation. In turn, this will aid in increasing your implementation score, and, consequently, increase your scores for measured and managed.

Insider Threats – Healthcare’s Crippling Reality

We often learn about the latest security issues, threats, vulnerabilities, attacks, and ransoms every day. While much of the advertised information we read is about external vulnerabilities, there is another, often-overlooked, hazard lying in wait: Insider threats.

What are Insider Threats?

An insider threat is an often-overlooked security threat from within an organization. Often an employee, contractor, business associate, or third-party entity, an insider threat is anyone who had or still has access to proprietary information within an organization. Due to the unforeseen nature of these breaches, traditional security measures and products often fail to prevent and detect insider threats.

Why should organizations be concerned?

  1. 75% of internal breaches go unnoticed. An employee logging in is easily overlooked in comparison to an external threat.
  2. Internal breaches are twice as costly and damaging as external threats due to the longevity of the breach and the detection lag.
  3. 69% of organizations that were breached internally had a prevention solution in place but still failed to detect the attack.
  4. On average, it takes 32 months to detect an internal breach.
  5. 65% of breaches are unintentional, making privileged users the largest risk for organizations.
  6. Not every breach is the result of maliciousness, recklessness, or negligence, but regardless, the presence of human error in internal breaches means organizations have to invest in training, education, and technology that work with the user in mitigating insider threats.

Why should Healthcare organizations be concerned?

Hackers leverage highly targeted phishing campaigns to gain access to healthcare organizations’ networks, which serves as a critical reminder of the need to frequently train and educate employees. In general, healthcare entities are able to detect external hacking incidents more quickly than insider incidents. There are many cases where hacking incidents were discovered in one day, while insider incidents proceeded without detection for years. Healthcare is the most vulnerable industry to internal threats, with 59% of all breaches in 2018 being internal infiltrations (Verizon DBIR report 2019).

Current State of Healthcare

  • 15 million patient records were breached in 2018 across 503 breaches. 139 were internal breaches, responsible for over 2.3 million patient records. (Protenus Breach Barometer 2019)
  • 32 million patient records were breached in the first half of 2019 across 285 breaches. The new Protenus 2019 Breach Barometer found that the number of breached patient records tripled from 2017 to 2018, as healthcare data security challenges increased.
  • 91% of healthcare organizations have had at least one data breach involving the loss of patient data in the last two years (Forbes)
  • 68% of patients are not confident that their medical records are secure with their healthcare providers (Ponemon Medical Identity Threat Report)

How should Healthcare organizations manage & mitigate this threat?

  • Proactive insider threat monitoring – User & Entity Behavior Analytics (UEBA), endpoint controls
  • Auditing & managing privileges & permissions
  • Implementing a device management policy
  • Security training and testing among employees
  • Policies & procedures for increasing accountability amongst employees & contractors
  • Incident response strategy & plan

How does HITRUST prevent Insider Threats?

HITRUST’s Cybersecurity Framework (CSF) provides a comprehensive security blueprint for organizations to achieve and adhere to.

HITRUST requires organizations to have the following controls in place in order to prevent insider threats:

  1. Employee awareness & education
  2. Secure workplace and data practices
  3. Confidential data taxonomy
  4. Auditing & managing privileges & permissions
  5. Secure disposal/re-use of media/equipment
  6. Compliance to policies & procedures
  7. Acceptable use of assets
  8. Reporting of security incidents

HITRUST just released Version 9.3 of the HITRUST CSF. How will that affect your company?

On October 28, 2019, HITRUST announced the release of version 9.3 of the HITRUST CSF information risk and compliance management framework.

The HITRUST CSF is an important step in the HITRUST certification process. It provides the risk management and compliance methods that help organizations ensure that their security programs are aligned and meet compliance standards.

This new version of the HITRUST CSF includes changes requested by the HITRUST community, corrections as needed, and updated glossary language that clarifies terms found in the HITRUST framework.

New authoritative sources:

The California Consumer Privacy Act (CCPA) 1798 – Effective January 1, 2020, this act requires qualifying organizations to protect California consumer data and gives consumers the option to opt out of the sharing of their data. HITRUST CSF v9.3 includes mappings and related information on the CCPA reflecting not just the original act but also the amendments made to it during the recent California Legislative Session.

NIST SP 800-171 R2 (DFARS) – provides guidance on protecting controlled unclassified information in nonfederal systems and organizations. The HITRUST CSF provides the controls needed to implement the NIST Cybersecurity Framework effectively, and a company can certify its implementation of the NIST Cybersecurity Framework through the widely adopted HITRUST assurance program. A 2018 Government Accountability Office (GAO) Report to Congress recognized the alignment of the HITRUST CSF with the NIST Cybersecurity Framework.

The South Carolina Insurance Data Security Act 2018 (SCIDSA) 4655 – Effective January 1, 2019, the SCIDSA requires qualifying organizations to investigate and report cybersecurity events within specific time frames. HITRUST CSF v9.3 provides the controls needed for risk management and due diligence.

Updates to existing sources in HITRUST CSF:

  • AICPA 2017
  • CIS CSC v7.1
  • ISO 27799:2016
  • CMS/ARS v3.1
  • IRS Publication 1075 2016
  • NIST Cybersecurity Framework v1.1

How will it affect your company?

Organizations that are currently involved in a HITRUST assessment using version 9.2 will not be impacted by this update. However, HITRUST plans to release version 10 in Q4 2020, which will include further enhancements to make the framework more efficient.

Premal Parikh, Managing Director of Accorian says, “The inclusion of these security acts shows that HITRUST is determined to stay up to date on the new information security advancements.”

To learn more about HITRUST CSF v9.3, contact one of our HITRUST practitioners and we can help you get informed about these updates.

To download the HITRUST CSF go to: https://hitrustalliance.net/hitrust-csf/

HITRUST Press release – https://hitrustalliance.net/hitrust-releases-version-9-3-of-the-hitrust-csf-incorporating-new-privacy-and-security-standards/

Lessons from our recent HITRUST Community Extension Program.

On August 27, 2019, Accorian facilitated a successful HITRUST Community Extension Program in New York City. Security and technology professionals from organizations in healthcare, finance and technology attended the town hall. Michael Parisi, VP of Assurance Strategy & Community Development, was the main speaker, and he did a great job informing the attendees about HITRUST.

Lively discussions about the HITRUST process kept the event energetic. Real-world examples and case studies helped attendees see the benefits of becoming HITRUST certified.

John Langhauser, the co-founder of AdhereTech

John Langhauser, the co-founder of AdhereTech, explained how pursuing a HITRUST certification differentiated them from competitors. AdhereTech provides software that uses smart pill bottles to provide patient support. They have found that being a HITRUST certified company in the healthcare industry has simplified their security conversations with potential customers.

Live demo of MyCSF® scoping exercise

Pete Niner, one of our HITRUST CSF Practitioners, conducted a live scoping exercise using the MyCSF tool. He also presented a case study of a client that benefited from the scoping exercise despite challenges.

Pete recommended that the scope of the HITRUST assessment be made very clear and kept as minimal as possible. Companies should ensure that legal and compliance obligations are precisely scoped and included only if required.

Key Points from Michael Parisi

The main objective of the CEP event was to promote awareness of the HITRUST process while promoting the benefits of the certification.

Michael Parisi spoke about the journey to certification, the types of assessments and products such as the HITRUST Threat Catalogue, Assurance Program and the Shared Responsibility program.

In addition to answering questions from the audience, Michael Parisi stressed the importance of performing a risk analysis before starting the HITRUST framework. A few people had concerns about the procedures used by assessors during the process. Michael assured them that every audit is reviewed by HITRUST and that all assessors are held to the strict guidelines of the process.

HITRUST has seen an increase in adoption of the HITRUST CSF outside of the healthcare and public health sector, and internationally.

Future plans for the HITRUST Alliance include:

  1. Launching HITRUST CSF v10 in 2020
  2. Providing services for GDPR certifications
  3. Launching the HITRUST VC Council later this year
  4. Working with the FAIR Institute to create a threat catalogue to help with risk management

Simplifying the Readiness Assessment

Premal Parikh, Managing Director of Accorian, shared the HITRUST certification methodology that his team uses to assist clients in achieving certification. He focused on the pros and cons of doing a readiness assessment without the aid of a HITRUST Practitioner, and explained how guidance from an experienced assessor during the self-assessment increases the quality of the validated assessment.

“Participating in this HITRUST CEP was a great experience. It was an opportunity to share lessons learned with people in our industry to help them understand the complexities of HITRUST and risk management. We plan on partnering with HITRUST again in 2020 to produce more of these events throughout the United States.”
– Premal Parikh

We encourage people who are interested in this certification to take advantage of this free opportunity. It’s a great way to learn all you can about HITRUST to simplify the process and effectively implement the procedures in your programs.

As authorized HITRUST CSF experts, Accorian's experienced practitioners are prepared to answer any questions you have about HITRUST. Contact us if you would like to see the presentations from this event or if you have any questions.

7 Ways to protect your Healthcare Data in 2019

In 2018, 15 million patient records were breached during 503 healthcare cyber-attacks. That's three times the number of reported incidents in 2017*. As breaches continue to escalate, healthcare records are becoming a big target and are valuable on the black market.

1. Where is your data and how is it protected?

Most organizations don't know where their health data is or how much of it they possess. Mobility and easy access to data add to the risk, and the use of IoT and other handheld devices adds a further layer of complexity.

2. Train your staff on anti-phishing techniques

The healthcare industry suffers more from insider threats than external threats. Hackers are using targeted and sophisticated social engineering techniques to induce human error. These advanced phishing techniques leverage AI and crimeware to exploit the weakest link in security: humans. It's important that employees are educated so that they are not fooled into allowing a hacker to access the network.

3. Is your Network being monitored 24/7?

Hackers don't take a day off, and neither should your security. Attacks will become more sophisticated and harder to detect and defend against in real time. Real-time security monitoring and a robust incident response plan will be key, and monitoring will increasingly leverage AI to detect and defend your network in real time.

4. Increase your budget for cybersecurity

Successful data breaches significantly impact the bottom line of organizations. This includes fines, legal and investigator fees, the loss of credibility, reputation, customer confidence and valuation, and changes at the CXO level. Cyber insurance premiums have also increased due to the impact and cost of data breaches in 2018. It's important that your organization devotes enough funds to cybersecurity, because a data breach will be costlier.

5. Make sure that your Data is compliant

There are new complexities associated with information sharing due to newer privacy laws across the world. The healthcare industry has a reputation of not always complying with GDPR, HITRUST and other data protection rules. Partnering with a security firm to help you get compliant will decrease your chance of being fined.

6. Are your IoT** medical devices secure?

Medical devices are becoming more digitally connected to improve patient care. However, just like computer systems, they can be vulnerable to security breaches. Increasing your adherence to the FDA's medical device security guidance will reduce your chance of a cyber-attack.

7. Partner with a cybersecurity company for long-term protection

The lack of security experience and skills in the healthcare industry often leaves organizations vulnerable to attack. It's best that healthcare companies work with a security partner that specializes in their industry and stays ahead of cyberattacks.

Accorian is your full-service cybersecurity partner. We can help you protect your data, monitor your networks, conduct security tests and provide anti-phishing training for your employees. Contact us today to find out how we can help your business achieve technology success.

Sources:
* Protenus 2019 Breach Barometer
** Internet of Things
Source: Verizon's DBIR 2018

Shukla CPA, d.b.a. Accorian Assurance, is a licensed, certified public accounting firm registered with the American Institute of Certified Public Accountants (AICPA) and the Public Company Accounting Oversight Board (PCAOB). Esha IT Corp, d.b.a. Accorian, is a global leader in cybersecurity and compliance professional services.

© 2023 Accorian. All Rights Reserved.
