HITRUST is a non-profit organization that created and maintains the HITRUST Common Security Framework ("CSF"). The HITRUST CSF was originally designed as a security framework for healthcare companies handling electronic protected health information, but has since been expanded to other sectors that handle sensitive data. HITRUST provides a framework for organizations to comply with various regulations and standards, tailored to the organization's size, the types of systems deployed, and the regulatory requirements that apply to it.
The HITRUST CSF incorporates existing controls and requirements drawn from laws such as HIPAA and HITECH, from security standards published by NIST, ISO, and the PCI Security Standards Council, and from federal and state privacy laws. Organizations assess their internal systems, policies, and procedures against these controls.
By leveraging the HITRUST CSF and the CSF Assurance program, your organization can address a wide range of its information risk management and compliance requirements at once, whether they are local, national, or international.
Some of these internationally relevant authoritative sources include:
- The European Union General Data Protection Regulation (GDPR)
- Singapore’s Personal Data Protection Act
- International Organization for Standardization (ISO) / IEC 27001
- The Asia-Pacific Economic Cooperation (APEC) Privacy Framework
- The Organisation for Economic Co-operation and Development (OECD) Privacy Framework
- ISACA’s COBIT 5
- Center for Internet Security (CIS) Controls v7.1
- U.S. Health Insurance Portability and Accountability Act (HIPAA)
- U.S. DOD Cybersecurity Maturity Model Certification (CMMC)
More recently, the U.S. International Trade Administration designated HITRUST as a U.S. accountability agent under the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) System and Privacy Recognition for Processors (PRP) System. Accountability agents act as third-party validators that confirm an organization meets the minimum privacy requirements of those systems, which eases the compliance burden for organizations operating in the Asia-Pacific region.
Many healthcare (and, increasingly, non-healthcare) organizations are beginning to require that their vendors and partner organizations be HITRUST compliant. There are three ways of demonstrating HITRUST compliance: a Self-Assessment, a Validated Assessment, or a Validated Assessment with Certification. Official certification by HITRUST is the strongest way of proving HITRUST compliance.
Being HITRUST Certified means that you have undergone a Validated Assessment performed by an authorized HITRUST Assessor and have implemented the minimum requirements needed to become HITRUST certified. HITRUST Certification is evidence that your organization has a mature and robust security program in place.
To get HITRUST certified, you must have a HITRUST Validated Assessment performed by an authorized HITRUST Assessor such as Vicis Law, and then submit it to HITRUST for its quality-assurance review and official certification.
Our HITRUST Readiness offering is designed for organizations that are considering HITRUST but aren't sure where to start. We will review your current data security program and let you know which major areas you need to concentrate on, which areas are in good shape, and everything in between. A HITRUST Readiness engagement performed by an official HITRUST Assessor such as Vicis Law gives you the assessor's perspective on the gaps that need to be addressed and an opportunity to discuss any differing opinions about those gaps and how best to close them. A HITRUST Readiness engagement or facilitated Self-Assessment is the best way to ensure that your organization will have a successful HITRUST Validated Assessment.
- The key to a successful HITRUST assessment is properly determining its scope. The larger the scope of a HITRUST assessment, the more complex it is; an unnecessarily large scope is costly in both time and money. Scope is ultimately determined by your organization, but Vicis Law can help you figure out the right scope for your needs.
- Once scope has been decided, the next step is to perform a HITRUST Self-Assessment or Validated Assessment. This stage involves reviewing your data security controls and providing the evidence necessary to satisfy them. If you are working on a Validated Assessment, you will work with an authorized HITRUST Assessor such as Vicis Law, who will validate your assessment.
- Providing evidence of how your organization satisfies each control is critical to any successful HITRUST assessment. Extensive documentation will be required and, in many cases, your organization may have to develop new policies and procedures to satisfy the controls.
- In certain cases, you may have controls whose scores fall below HITRUST's requirements for certification. For those controls, you will need to develop a corrective action plan ("CAP") in order to gain certification. A HITRUST Assessor can help you identify which CAPs are needed and help formulate a remediation plan.
HITRUST offers two types of assessment reports: (1) Self-Assessments and (2) Validated Assessments.
- Self-Assessment: A HITRUST Self-Assessment is performed using internal resources, although you can work with a HITRUST Assessor to help you along the way. Note that you cannot be certified by HITRUST via a Self-Assessment. Even so, this step is very useful for organizations that are considering becoming HITRUST certified but are not yet ready for a HITRUST Validated Assessment.
- Validated Assessment: A HITRUST Validated Assessment is conducted in three main stages. First, your organization conducts an internal assessment and completes its review of each required control in scope. Second, a HITRUST Assessor reviews your assessment and evidence. Third, once you and your HITRUST Assessor agree on the assessment results, the assessment is submitted to HITRUST for its final QA checks. If HITRUST approves it and the control scores meet the certification requirements, HITRUST issues a HITRUST Validated Report with Certification; controls that fall short must be addressed through a CAP.