HITRUST and NIST are both entities involved in creating and defining security frameworks that help to reduce cybersecurity risks and safeguard sensitive information. By implementing one or both frameworks, organizations in regulated industries, such as healthcare or government, can better protect sensitive data.
Although HITRUST and NIST share similarities and can be used in tandem, they are quite different and offer unique advantages as well as challenges to those who implement them.
Before we dive into a detailed look at NIST and HITRUST, let’s take a look at the main, high-level differences between them.
HITRUST stands for the Health Information Trust Alliance, a privately held company located in Frisco, Texas, United States. Founded in 2007, the HITRUST Alliance creates programs to safeguard sensitive information and manage information risk for global organizations across all industries and throughout the third-party supply chain. The HITRUST Alliance developed the HITRUST Common Security Framework (CSF), which was developed by industry experts initially for the healthcare industry, but other industries are also adopting the HITRUST framework.
NIST is part of the U.S. Commerce Department. The group promotes and maintains security standards across a wide range of industries and has released over 200 security frameworks. The NIST Cybersecurity Framework (CSF) is the most widely used of the organization’s standards. Although originally designed for the protection of U.S. critical infrastructure and Department of Defense operations, NIST CSF is useful and accessible for any organization.
The NIST cybersecurity framework (CSF) is designed to help organizations improve security and resiliency. It consists of 5 Core Functions, which are each divided into subcategories by cybersecurity outcome. The NIST CSF contains a total of 108 security controls that must be implemented to achieve NIST compliance.
The HITRUST CSF is a more comprehensive framework than NIST. The HITRUST CSF encompasses 1800 security controls across 14 control categories, 75 control objectives, and 19 domains. It includes controls from the HIPAA framework, as well as other standards and regulations such as ISO, GDPR, NIST and PCI. It offers a unified approach to managing multiple compliance frameworks.
Companies that implement the HITRUST CSF can obtain HITRUST Certification, a third-party validated attestation that verifies the necessary security controls have been met, for a fee. In contrast, there is no NIST CSF certification, but companies that wish to improve their security posture can implement the NIST framework free of charge.
The number of controls that a company must meet to achieve HITRUST certification varies greatly, depending on how organizations interact with PHI. A scoping exercise early in the HITRUST process allows HITRUST to determine the subset of requirements specific to that organization. A small healthcare vendor may have 200+ requirements to meet for certification, while a large enterprise could have 1000 or more. In this way, HITRUST is customizable for each organization whereas NIST is always the same.
The National Institute of Standards and Technology (NIST) is a US government agency founded in 1901 that is overseen by the Commerce Department. Its mission is to promote innovation and competitiveness across industries in the U.S. by advancing measurements, standards, and technology in ways that improve quality of life and foster economic growth.
NIST is involved in developing and codifying standards that address a number of issues faced by industry and society. In addition to the Cybersecurity Framework, NIST has released frameworks targeting fire damage, automated driving conditions, and smart cities.
The NIST Cybersecurity Framework is designed to integrate industry best practices and standards to assist organizations with managing cybersecurity risks. The NIST CSF provides a common language to promote a shared understanding of cybersecurity risks by everyone in an organization. Working with private-sector and government security experts, NIST developed and released the NIST CSF in 2014. Since then, it has become the most widely adopted security framework across all industries.
The CSF is a voluntary framework that enables businesses to focus on five areas that can strengthen their cybersecurity. Let’s look at these five areas:
By focusing on these elements of cybersecurity, the NIST CSF provides organizations with a template they can use to strengthen their IT security. Companies should take the following steps according to the framework.
Identify - Organizations need an inventory of all computing equipment, software, and data resources. A cybersecurity policy should be developed that defines roles and responsibilities for any employees, contractors, or vendors with access to sensitive information.
Protect - Protecting IT assets is a critical component of any cybersecurity initiative. The CSF defines multiple activities that contribute to the protection of data resources, including:
- Controlling who logs into an organization’s networks and systems;
- Encrypting sensitive data in transit and at rest;
- Backing up data regularly;
- Implementing and regularly updating security software;
- Conducting cybersecurity training for everyone in the organization;
- Developing policies to safely dispose of files and devices containing sensitive information.
Detect - It is essential to monitor systems for unauthorized access. Any unusual activities that are detected should be investigated to uncover their root causes.
Respond - Organizations need to have a plan in place to respond to cyberattacks. The plan should address multiple aspects of the response including:
- Notifying anyone whose data is at risk due to the attack;
- Maintaining business operations;
- Reporting the attack to the appropriate authorities;
- Preparing for unexpected outages such as from extreme weather events;
- Updating the plan and policies based on lessons learned.
Recover - After an attack, organizations need to promptly repair and restore IT infrastructure components that were damaged or compromised. Customers and employees should be kept updated regarding the recovery activities.
NIST 800-53: NIST designed this framework to protect the US federal government. However, since the government outsources much of its work to business and technology partners, NIST 800-53 has become the de facto standard for private businesses that do business with the US federal government.
NIST 800-53 is recognized because it is incredibly rigorous. The document is 460 pages, compared with the 40 pages of the CSF. The NIST CSF is a subset of NIST 800-53 and also shares controls found in ISO 27002. The NIST CSF takes parts of ISO 27002 and parts of NIST 800-53, but is much shorter than both.
NIST 800-171: This framework helps organizations that are not a part of the federal government protect their sensitive information.
Compliance is required for entities doing business with the U.S. Department of Defense (DoD). Both NIST 800-171 and the NIST CSF take a high-level approach to cybersecurity, focusing on reducing risk. In contrast, NIST 800-53 takes a granular approach to cybersecurity, focusing on detailed technical specifications.
The Health Information Trust Alliance or HITRUST was founded in 2007 to protect sensitive information and manage risks associated with data processing across industries and throughout third-party supply chains. HITRUST works with public and private security and risk management experts to develop and maintain frameworks for risk and compliance management.
The HITRUST approach to information risk management and compliance comprises multiple components that promote these four main principles:
- Identify and define;
- Specify;
- Implement and manage;
- Assess and report.
The HITRUST Common Security Framework (CSF) is a comprehensive framework for addressing security, privacy, and regulatory requirements. CSF offers a unified approach to managing compliance with HIPAA as well as a range of globally recognized standards, regulations, and business requirements formulated by organizations such as ISO, GDPR, NIST, and PCI. The beauty of HITRUST is that it consolidates compliance activities for multiple regulations that would otherwise be separate tasks.
There are 14 categories of controls defined in the CSF, including an organization's:
- Information Security Management Program;
- Access Controls;
- Human Resources Security;
- Risk Management;
- Compliance;
- Asset Management;
- Physical and Environmental Security;
- Information Security Incident Management;
- Privacy Practices.
HITRUST and HIPAA often get conflated, and it's not hard to understand why: they both relate to security and privacy in healthcare. But it's the differences that matter.
For starters, HIPAA is a mandatory law of the United States that applies to all healthcare organizations. In contrast, HITRUST is a voluntary certification, although many hospitals and other institutions require their vendors to be HITRUST certified — not exactly voluntary if you want to stay in business.
When it comes to organizational compliance, there is no such thing as HIPAA certification. In contrast, HITRUST certification establishes that the organization is HIPAA compliant because the HIPAA requirements are embedded in HITRUST CSF.
HITRUST combines the base controls of the NIST CSF with controls from other frameworks and standards such as HIPAA and HITECH. The NIST CSF works together with HITRUST in three main ways.
A good first step toward fortifying your information security program is to implement the NIST CSF. With 108 security controls specified, implementing NIST is both effective and attainable. Since the HITRUST CSF includes controls from the NIST CSF, implementing NIST first will make your HITRUST journey easier.
The HITRUST CSF is robust, encompassing 1800 controls that can be mapped across multiple security frameworks, including the NIST CSF and NIST 800-53. Because of this, becoming HITRUST certified makes managing NIST compliance easier. HITRUST allows you to combine into one workflow multiple compliance activities that would otherwise be separate tasks.
Because there is no NIST certification, anyone can claim to be NIST compliant. Knowing this, how secure do you feel when a vendor says they are “NIST compliant”? Probably not very secure. HITRUST certification can help organizations prove that they are meeting the highest security standards because it is a third-party validated accreditation.
HITRUST is a private-sector company whose mission is to develop programs that safeguard sensitive information and manage information risk. The HITRUST CSF offers a unified approach to managing compliance with HIPAA as well as multiple other business requirements. Getting certified is optional, but it is becoming increasingly more important as more healthcare organizations require certification of their vendors.
NIST is a public-sector organization whose mission is to promote innovation by advancing standards and technology. The NIST CSF provides guidance on how to manage and reduce IT infrastructure security risk. Although not as comprehensive as the HITRUST CSF, the NIST CSF is one of the most widely embraced security standards across all industries.
However, since there is no NIST certification, it's strongly recommended that companies in the healthcare market obtain HITRUST certification as a way to validate their security standing against frameworks such as HIPAA and NIST. Want to learn more about how HITRUST Certification can help? Download the free infoguide, Why HITRUST is Your Business Priority.
Or schedule a free consultation to discuss your HITRUST readiness today.