As more health information is managed and stored in cloud systems, the attack surface area increases and so does the potential for sensitive data to be exposed. In fact, the number of healthcare data breaches recorded has more than tripled in the last ten years. Hackers are finding new ways to trick people into exposing sensitive data and to take advantage of weak security.
HITRUST CSF Certification is one of the strongest measures you can take toward fortifying your healthcare data security and minimizing your risk profile, as well as demonstrating your cybersecurity position to the market.
What is HITRUST Certification?
HITRUST certification is an accreditation program designed to help organizations in the healthcare industry ensure that their data security and privacy controls are in compliance with industry standards and regulations. It's designed to help them improve the security, privacy, and integrity of healthcare data while providing a platform organizations can use to signal their compliance with multiple industry standards.
How Do You Get HITRUST Certified?
HITRUST certification is a comprehensive and rigorous process that involves a review of an organization’s security controls and risk management practices. To achieve HITRUST certification, organizations must meet a set of requirements known as the Common Security Framework (CSF). The CSF is a set of controls that covers a wide range of areas, including risk management, access control, network security, and incident management.
In order to get HITRUST certification, organizations must follow these seven steps.
1. Determine if HITRUST is right for you
HITRUST certification is intended for healthcare organizations and their business associates who manage, store, and process sensitive healthcare data. While not mandated by law, many organizations in the healthcare space do require it of their vendors.
It’s also worth noting that 79% of security breaches affect the healthcare industry. Because of the sensitive nature of healthcare data and how comprehensive health records can be, healthcare data is more valuable on the black market than any other data type. This underscores the importance of implementing strong and up-to-date healthcare data security.
If your organization handles sensitive health information and wants to maximize its security, or if you're a B2B company and want to maximize marketability, HITRUST may be the right solution for you.
2. Select a HITRUST assessor
HITRUST assessors are third-party organizations that are authorized to conduct HITRUST assessments. The role of a HITRUST assessor is to evaluate an organization's security controls and risk management practices against the requirements of the HITRUST Common Security Framework, or the HITRUST CSF.
Choosing the right assessor is a critical decision, as the right assessor will be able to guide you through the process and simplify it as much as possible. Learn more about choosing a HITRUST assessor here.
3. Conduct a Readiness Assessment and Gap Analysis
A readiness assessment is a preliminary review of your organization’s security controls, policies, and procedures to identify areas that need improvement before the actual HITRUST assessment. Your HITRUST assessor will perform the readiness assessment. They will use the results from this assessment to help develop a gap remediation plan to address any issues that would prevent you from achieving a successful HITRUST attestation.
4. Perform Gap Remediation
The gap remediation plan will identify the specific areas where the organization needs to improve its security controls and risk management practices to meet the requirements of the HITRUST CSF. It will also provide guidance on how to address these gaps, including recommendations for technical and administrative controls, policies, and procedures.
The gap remediation plan will typically include a timeline for completing the remediation activities, as well as responsibilities for each activity. The plan will also include a plan for testing and validating the effectiveness of the remediation efforts.
Once the gap remediation plan has been completed, the organization will need to implement the recommended controls and practices to address the identified gaps.
5. Conduct the Validated HITRUST Assessment
After addressing the gap remediation plan, your organization can begin the HITRUST validated assessment. The assessment will be conducted by the HITRUST assessor and will include a review of your organization’s Policies, Procedures, and implementation.
Your team will be responsible for providing evidence that demonstrates your organization is meeting the requirements of each HITRUST control in the assessment. Evidence is usually provided by screenshots and mappings to Policies and Procedures.
Typical team members involved in providing evidence are the IT Manager, the Security Manager, and the Privacy Officer (or equivalent roles), though this varies across organizations. Other functional groups play a less time-consuming but essential role; for example, the HR manager could be tasked with providing evidence of HIPAA training.
The assessor will also conduct interviews with key personnel to ensure they understand and follow the policies and procedures.
6. Address any findings and complete the assessment
If any issues are identified during the assessment, the assessor will provide a report outlining the findings and recommendations for remediation. Your organization will need to address any findings and provide evidence of remediation to the assessor.
Once the assessor is satisfied with your submission, you enter a 90-day “no change” period, where you’re not allowed to make any changes to your control environment. Your assessor will review and submit your work to the HITRUST Alliance for review and approval.
You’ll get your results back in one to three months.
7. Maintain your HITRUST certification
HITRUST certification is not a one-time event. Your organization will need to maintain compliance with HITRUST requirements and continually demonstrate alignment with the framework to retain your certification. Maintaining HITRUST requires a re-certification assessment every other year, with a smaller interim assessment in the year between each re-certification.
How You Can Get Certified (and Recertified) Faster
If you want to get HITRUST CSF certified faster, one way to accomplish this is to use public cloud service providers (CSPs), like Amazon Web Services, Microsoft Azure, or Google Cloud Platform. These CSPs offer HITRUST certified services that allow you to inherit attestation to a number of controls they've already met, which reduces the work your organization has to do to get certified.
There are a handful of CSP partners as well who offer HITRUST inheritance through their platforms. Cloudticity offers nearly 400 inheritable and partially inheritable controls and can accelerate the process by 40-60% on average. To learn more, read about the HITRUST Inheritance Program or schedule a free consultation with a healthcare cloud expert today.