Ostendio Blog

What the HITRUST & NIST Alignment Brings to Healthcare Organizations

Written by Ostendio | Jun 13, 2018 4:05:35 PM

HITRUST (Health Information Trust Alliance) and NIST (National Institute of Standards and Technology) recently announced that they have teamed up on a certification designed to make it easier for security and compliance teams to demonstrate how they have implemented the NIST Cybersecurity Framework (CSF). The new NIST CSF certification could pay off big for healthcare security teams: they will be able to demonstrate security excellence to partners, regulatory agencies, board members and investors with a single, recognized attestation rather than a patchwork of self-assessments.

The NIST Cybersecurity Framework (CSF) is an established, widely adopted US framework in its own right, so the "credibility factor" behind the certification's value is already there. Its guidance is organized around five core functions (Identify, Protect, Detect, Respond and Recover), so it helps organizations understand how to prevent cyber attacks as well as how to detect, respond to and recover from them. To learn more about NIST's voluntary framework, please visit their website.

What the HITRUST certification for the NIST CSF provides is a roadmap that healthcare organizations can measure themselves against, and a formal way to have that measurement validated. One caution: organizations that have followed NIST's guidance outside of a formal certification process can attest that implementing the framework properly requires a significant investment of time, staff and budget, and certification adds assessment and evidence-collection effort on top of that.

If you'd like to explore the NIST CSF certification, you'll first want to take stock of your current privacy and security status. As a healthcare organization or healthcare vendor, you'll naturally start by making sure you have a robust HIPAA compliance program in place. From there, you'll weigh the resource and financial cost against the return on investment of pursuing HITRUST's assurance levels.

(Figure: HITRUST CSF Assurance Program overview. Source: HITRUST)

Bringing the NIST CSF into the fold of HITRUST's CSF Assurance Program, which lets organizations see how they measure up against requirements ranging from HIPAA to the AICPA (SOC 2) criteria, rounds out the security side. The idea of assessing once against one framework and then mapping the results back to the various industry criteria is likely to appeal across industries. Business partners and investors will likely view HITRUST's "all things to all industries" approach as a boon when it comes to provable adherence to high privacy and security standards.

The support to meet, and demonstrate, HIPAA privacy and security requirements already exists within Ostendio's MyVCM, as does the capability to track and manage the various HITRUST-related certification activities. If you decide that HITRUST certification is right for your organization, you can obtain a certification of your cybersecurity program's implementation against the NIST Framework by submitting an assessment through the current HITRUST CSF Assurance Program.

Ostendio can help your healthcare organization ready itself for certifications, including HITRUST, while at the same time building a stronger, more secure compliance program to protect sensitive data. Contact us today to learn how.