If you’re reading this blog, you’re likely very aware that HITRUST certification and its proprietary MyCSF (Common Security Framework) is increasingly becoming the default choice for healthcare organizations. According to HITRUST, over 80% of hospitals and health plans with over 500,000 members have adopted the framework.
In addition, over 4,500 professionals have obtained Certified Common Security Framework Practitioner (CCSFP) Designation and over 10,000 healthcare vendors have also adopted the certified framework. These numbers continue to grow – showing that HITRUST is here to stay.
Ever-increasing risk from cybercriminals, combined with human error and malicious insiders, is undermining healthcare cybersecurity. Healthcare data, a treasure trove of valuable information, is always under attack. HITRUST was developed to be the one overarching framework that ensures a comprehensive set of baseline security controls and establishes a single benchmark for organizations. HITRUST also wanted to follow the methodology of “Assess Once, Report Many” to reduce costs and to provide a single, unified approach to compliance across organizations.
Organizations handling Protected Health Information (PHI) already have to comply with HIPAA, so what is the difference between HIPAA and HITRUST?
Two words: be prepared.
HITRUST certification is a resource-heavy initiative, and before you get started, you need to ensure that you have completed a scoping exercise to assess your current level of maturity. Involve a third-party assessor early in the process to avoid pitfalls. Ostendio can offer expert advice for HITRUST preparation, and we work with a number of approved HITRUST assessor partners.
You should also be aware that HITRUST has three different report types which are:
Self-assessment
CSF Validated
CSF Certified
The requirements for HITRUST certification have changed for 2018. Additional protocols and requirements in version 9 include 75 core control statements, up from 66. These controls are based on FedRAMP (Federal Risk and Authorization Management Program), EHNAC (Electronic Healthcare Network Accreditation Commission), HIPAA OCR Audit Protocol and DHS requirements.
The lowest number of controls that must be assessed in a security assessment is 75 (version 9). For certification, your average level of compliance across the 75 required controls needs to equate to “Implemented”. The number of controls is not standardized – it differs by company. Again, we highly recommend getting expert support early on in the process to avoid pitfalls. If you under-assess, your final certified report may not be sufficient for your customer. If you over-assess, you may find it difficult to meet the requirements.
It is vitally important to note that your HITRUST preparer and the approved third-party assessor you choose should remain independent of each other. That is why Ostendio works with a number of approved HITRUST assessors – to keep the relationship independent.
Once you are Certified (which will typically take anywhere from 6 to 18 months), the HITRUST certification is valid for two years. But there’s no resting on your laurels. You’ll have an interim review about every 12 months, or sooner if there are major material changes within the company, such as an ownership change or an acquisition.
Ready to get started? Have any other questions? Contact us today to discuss your pathway to HITRUST success.