May 11, 2018
Understanding HITRUST: A Common Security Framework
By United Language Group
To understand HITRUST, it’s best to temporarily forget everything you know about HIPAA regulations, compliance and audits. Why? Chances are you view HIPAA as a challenge or an obstacle, while HITRUST is intended to be just the opposite.
The Health Information Trust Alliance (HITRUST) is the organization responsible for creating what’s known as the Common Security Framework (CSF). While HIPAA audits are inevitably subjective, HITRUST aims to standardize and streamline data security, making IT compliance easier for healthcare organizations and vendors.
To streamline IT security management, HITRUST brings together many of the most common standards, including HIPAA, ISO, NIST, PCI and state regulations. Instead of trying to wade through all these standards separately — which can be difficult, at best — healthcare providers and vendors can rely on the CSF to make sure they’re compliant across the board. It’s a framework that’s all-encompassing.
WHY WAS THE COMMON SECURITY FRAMEWORK CREATED?
CSF certification is an invention of the healthcare industry, which tells you a lot about the motives behind it. While virtually all healthcare organizations understand why HIPAA is important, they find compliance difficult in some cases. CSF is intended not to add another confusing layer of compliance, but to simplify it.
The core principle behind the CSF, according to HITRUST, is that information security should be a pillar of — not an obstacle to — the widespread adoption of health information systems and exchanges. Data security should be viewed as crucial to the success of technology in healthcare, not an afterthought or a hassle.
Perhaps the organization itself describes it best: “The HITRUST CSF was developed to address the multitude of security, privacy and regulatory challenges facing organizations. By including federal and state regulations, standards and frameworks, and incorporating a risk-based approach, the HITRUST CSF helps organizations address those challenges through a comprehensive and flexible framework.”
BENEFITS OF CSF CERTIFICATION
Simplicity and flexibility are the hallmarks of HITRUST CSF. More specifically, the framework streamlines compliance by:
- Including, unifying and cross-referencing all globally recognized data security standards that apply to the healthcare industry, which ensures that the CSF meets the minimum compliance requirements of every standard it incorporates
- Scaling controls based on the size, type and complexity of particular healthcare organizations, rather than using a one-size-fits-all approach
- Offering multiple implementation levels based on the amount of risk an organization is willing to take on
- Evolving over time based on user input, shifts in the industry, new regulations such as GDPR, and changes to existing regulations
This is not an exhaustive list, but you can see a pattern emerging. HITRUST CSF offers the peace of mind that comes with compliance without confusion or rigidity. The certification gives healthcare organizations a tool by which to evaluate technology vendors, and it offers vendors a chance to prove the quality of their security.
WORKING WITH CSF-CERTIFIED VENDORS
Beyond streamlining data security, the ultimate goal of HITRUST CSF is exactly the same as the regulations it unites: protecting patient data and privacy. CSF helps healthcare organizations build trust in the vendors that handle and protect this confidential data, and it allows vendors to gain trust.
Earning CSF certification is no easy feat. The process is extremely detailed, comprehensive and long — intentionally so. When you hire a vendor that is CSF certified, you can be confident that the company’s data security practices have been intensely analyzed, scrutinized and validated.
Ideally, healthcare organizations should only work with technology vendors that have CSF certification. This includes not only the technology vendors that store sensitive patient data, but also those that have access to confidential data at any point in time, even briefly, including your translation provider.
For a more extensive look at the CSF, check out ULG’s HITRUST white paper.