Businesses that handle personal health information need to pay attention to HIPAA and HITECH requirements. Being HIPAA-compliant is a slippery goal, though. The only definitive determination of compliance comes from a court or administrative judgment after the fact. The Security Rule doesn’t provide specific technical guidance on an acceptable level of security.
With data breaches in healthcare on the rise, more solid and specific guidance is necessary. The HITRUST Common Security Framework (CSF) gives an organization that kind of guidance. It sets procedures for assessment and certification. A CSF assessment gives a good indication of an organization’s cybersecurity level and provides specific guidance on needed improvements.
The difference between HIPAA and HITRUST
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 are legal documents. They are concerned more with goals than means, and they don’t prescribe specific technical solutions.
The HIPAA Security Rule, revised under HITECH, requires protection of the confidentiality, integrity, and security of electronic protected health information (ePHI). While HHS provides a large amount of material on how to comply, it isn’t organized as enumerated controls.
The Security Rule applies to covered entities of all types and sizes. The appropriate actions depend on the amount of information an organization retains and the potential consequences of a security violation.
The HITRUST CSF is optional; no laws require anyone to comply with it. Its aim is to assess security measures rather than to mandate them. This lets it be more specific in the measures it recommends. Several standards and regulations contribute to it, including HIPAA, GDPR, state laws, and standards from ISO, NIST, and PCI. The security landscape changes over time, so the CSF is periodically revised.
How HITRUST assessments provide confidence
An organization can conduct a self-assessment or bring in an approved assessor. An assessment can be performed against any of three levels, depending on the organization’s required security level.
The organization will normally start with a self-assessment, using the MyCSF tool. Its results tell managers how good the organization’s current security position is and where it can be improved most effectively. This is valuable information by itself, and it’s a step toward bringing in an independent assessor and obtaining certification.
HITRUST certification tells potential customers and business partners that an organization is paying serious attention to security and following an enumerated set of recommendations. Some businesses require certification as a condition of entering into contracts. If a company wants to act as a Business Associate for a HIPAA-covered entity, certification will go a long way to demonstrating the company’s qualifications.
The framework allows consistency in audits and reviews. There is no universally accepted metric for HIPAA compliance, and assessors using different methods may vary significantly in the security ratings they grant. HITRUST is widely recognized, and assessments based on its CSF will yield consistent measurements.
What the HITRUST CSF measures
Unlike HIPAA by itself, HITRUST offers a detailed list of over 150 security controls (sometimes called “references”). These controls draw on many standards. The basis is the ISO 27001 and 27002 security standards, with additional considerations derived from HIPAA and HITECH. HITRUST also draws heavily on the security controls in the NIST cybersecurity framework.
The controls are organized at the top level into 14 control categories. Each of them is divided into control objectives, and the objectives into control specifications. In broad terms, the categories cover plans, policies, organization, human factors, physical security, and information system security. They’re based on risk and compliance considerations.
Each control provides a way to identify and evaluate these factors:
- Policies and practices that help to attain the objective.
- Organizational, technical, and regulatory sources of risk.
- Implementation requirements at each of the 3 assessment levels.
- Information required for performing the assessment, e.g., people to interview and documents to review.
- Supporting standards which the control references.
As an example, the controls specify minimum requirements for password strength. The required strength differs between normal accounts and those with high privilege levels. All passwords have to be protected by encryption, so that theft of the access database won’t immediately expose them. Regular passwords need to be at least 8 characters, and high-privilege ones need at least 15. When passwords are changed, none of the previous 6 may be reused; this number increases to 12 for privileged accounts. A new password must change at least 4 characters from the previous one.
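As an added illustration (not code from the article or from HITRUST), the following Python sketch enforces the password-change rules just listed for both account types. The salted PBKDF2 hashing, the round count, and the way “characters changed” is counted (differing positions plus any length difference) are assumptions; the current password is taken from the user in cleartext at change time, which is what makes the changed-characters check possible.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Minimum requirements as stated in the text, per account type.
POLICY = {
    "regular":    {"min_length": 8,  "history_depth": 6},
    "privileged": {"min_length": 15, "history_depth": 12},
}
MIN_CHANGED_CHARS = 4
PBKDF2_ROUNDS = 100_000  # assumption: modest work factor chosen for this demo

StoredHash = Tuple[bytes, bytes]  # (salt, derived key)


def hash_password(password: str, salt: Optional[bytes] = None) -> StoredHash:
    """Store only a salted hash, so a stolen credential store does not expose
    the passwords directly (PBKDF2-HMAC-SHA256 is the assumed mechanism)."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, key


def matches(password: str, stored: StoredHash) -> bool:
    salt, key = stored
    return hmac.compare_digest(hash_password(password, salt)[1], key)


def changed_chars(old: str, new: str) -> int:
    """Assumed counting rule: positions that differ, plus any length difference."""
    differing = sum(1 for a, b in zip(old, new) if a != b)
    return differing + abs(len(old) - len(new))


def validate_change(account_type: str, old_password: str, new_password: str,
                    history: List[StoredHash]) -> List[str]:
    """Return the rules a proposed change violates (empty list means accepted).
    `history` holds hashes of previous passwords, newest first, with the current
    password as its first entry."""
    rules = POLICY[account_type]
    violations = []
    if len(new_password) < rules["min_length"]:
        violations.append(f"shorter than {rules['min_length']} characters")
    if any(matches(new_password, h) for h in history[: rules["history_depth"]]):
        violations.append(f"reuses one of the last {rules['history_depth']} passwords")
    if changed_chars(old_password, new_password) < MIN_CHANGED_CHARS:
        violations.append(f"changes fewer than {MIN_CHANGED_CHARS} characters")
    return violations
```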
Not all the controls are technical in nature. Category 0.2, for example, covers human resources security. Its four objectives, which cover nine control references, span the employee lifecycle:
- Secure personnel before hiring.
- Secure personnel during onboarding.
- Secure personnel during employment.
- Secure personnel through termination.
Two of the categories are simply instructions to implement a program and have a single objective each. Category 0.0 says to implement an information security management program; this is where everything has to start. Category 0.3 says to implement a risk management program and has four control references.
The benefits of HITRUST certification
A HITRUST-certified business has access to more opportunities in the healthcare business. The process is complex, but it lets the business reduce its vulnerability to security incidents and breaches. The costs of a breach are often huge, and the process of identifying and mitigating one disrupts business activity. If something goes wrong, managers and IT employees know what to do to mitigate the situation.
A risk of trying to follow HIPAA without more explicit guidance is that effort may be channeled where it is less useful. An organization may put its effort into controls that offer limited benefits while overlooking ones that should be more urgent. HIPAA compliance is, of course, a central requirement of any covered entity or business associate, and the HITRUST CSF presents a consistent approach which will carry weight with other businesses and with federal regulators. Compliance with other regulations, such as GDPR, is often necessary as well; HITRUST brings those requirements into the same framework, avoiding redundancy in implementation.
Project Hosts’ HITRUST Compliant Cloud can help your organization to achieve and retain compliance with HITRUST security controls. If you wish to obtain certification, you can do so more easily by working with Project Hosts. Contact us today for more information: info@projecthosts.com