What is HITRUST Compliance?

HITRUST is a healthcare-driven industry organization that created and maintains the certifiable Common Security Framework (CSF).

What is HITRUST and What Does it Mean?

The HITRUST CSF enables healthcare organizations and providers to demonstrate security and compliance in a consistent and streamlined manner.

The HITRUST CSF builds on HIPAA and the HITECH Act US healthcare laws that have established requirements for the use, disclosure, and safeguarding of electronic personal health information (ePHI). 

HITRUST provides an integrated approach to ensure that security frameworks and controls are aligned, maintained, and comprehensive to support an organization’s information risk management and compliance program.

The HITRUST approach is designed to leverage best-in-class components for a comprehensive information risk management and compliance program that integrates and aligns the following:

  • HITRUST CSF – a core privacy and security controls framework
  • HITRUST Threat Catalog — a list of potential security threats mapped to specific HITRUST CSF controls
  • HITRUST CSF Assurance Program — a scalable and transparent methodology to provide reliable assurances for internal and external stakeholders
  • HITRUST Shared Responsibility Program — a matrix of HITRUST CSF requirements that identify service provider and customer responsibilities
  • HITRUST Assessment XChange — a third-party risk management solution encompassing people, process, and technology, to streamline and simplify third-party risk management
  • HITRUST MyCSF — an assessment and corrective action plan management platform
  • HITRUST Third Party Assurance Program — a third-party risk management process
  • HITRUST Academy — a training program covering information protection and the implementation of the HITRUST CSF

Looking for a HITRUST Compliant Cybersecurity Solution ?

HITRUST Requirements

HITRUST requirements include complying with 19 control domains, 75 control objectives, and 156 specific controls. The HITRUST CSF 19 control domains cover the following information security and privacy areas:

  • Information Protection Program
  • Endpoint Protection 
  • Portable Media Security
  • Mobile Device Security
  • Wireless Security 
  • Configuration Management
  • Vulnerability Management 
  • Network Protection
  • Transmission Protection 
  • Password Management
  • Access Control
  • Audit Logging and Monitoring
  • Education, Training, and Awareness
  • Third-Party Assurance
  • Incident Management
  • Business Continuity and Disaster Recovery
  • Risk Management
  • Physical & Environmental Security
  • Data Protection and Privacy

The 156 HITRUST CSF controls are separated into three implementation levels, each of which builds on the previous level. Thus, HITRUST level 2 includes all level 1 controls plus additional control requirements. 

Level 3 controls include level 2 controls and additional requirements making Level 3 the most secure implementation of the HITRUST CSF.

Organizations using the CSF must determine their level of applicable risk based on attributes such as organization size, number of health records, and the ePHI that must be secured.

How Often is HITRUST CSF Updated?

New versions of HITRUST CSF are published periodically to stay ahead of the latest technology and cyber security threats. The average update is once per year. The last time that HITRUST CSF was updated was in June 2020.

HITRUST currently operates on CSF version 9.4, which builds on its mission of “One Framework, One Assessment, Globally”.

As technology continues to develop, we can expect that version 10 is just around the corner. The HITRUST Threat Catalogue is also updated annually and may also be released at another time if there is a significant change to warrant a new release in the interim.

HITRUST CSF Version 9.4 – New Requirements You Should Know About

The HITRUST CSF version 9.4 delivered several updates to meet the evolving regulations, risk-management landscape, and the need for control requirements.

The latest update included significant development to the HITRUST NIST mapping. The most noteworthy updates made available with this version include:

  • Update of HITRUST NIST mapping (SP 800-171 r2) to ensure its continued alignment with real-world needs.
  • Integration of the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) v1.0
  • The piloting of community-specific authoritative sources to help extend the benefits of HITRUST’s approach of ‘Assess Once, Report Many’.
  • Enabling the HITRUST MyCSF platform with new functionality that lets CMMC customers select the CSF requirements specific to a given CMMC Maturity Level. This update is intended to support compliance efforts.

As part of these updates, HITRUST has flagged that organizations may have requirements imposed on them as a result of being part of a smaller niche.

Such organizations include those who are a State Agency or a subset of an industry group.

In some scenarios, there will not be any new privacy or security controls, but organizations will have more specific implementation requirements with version 9.4.

HITRUST has established a mechanism that is enabled by MyCSF for these requirements to become incorporated, harmonized, and included during the assessment process. They are also included in the HITRUST CSF Assessment Report.

The HITRUST CSF maps to CMMC requirements, with HITRUST developing guides to help organizations understand and become confident in the HITRUST framework.

HITRUST CSF Version 10 – What to Expect Next

HITRUST CSF Version 10 is expected to be one of the most innovative releases. It’s predicted to be a significant update from the existing versions. Although HITRUST CSF has focused on health care organizations, the upcoming version 10 is expected to create a more general security framework with a view of attracting specific industries.

The new framework is expected to help facilitate the adoption of CSF outside the healthcare industry by giving organizations a certification option to provide assurances to clients through third-party validated assessments.

The impending version 10 is expected to require certification of all 135 control references. By comparison, version 9.2 only required 75 of the 135 control references to allow for certification. This is expected to result in a larger number of individual requirement statements, similar to what we saw when HITRUST moved from 66 control references to 75 as their requirement for certification after the initial version 9 release.

It was widely held that Version 10 would be released in mid-2020, but it’s no surprise that the global pandemic appears to have delayed this release. As of summer 2021, version 10 is yet to be released. As long as version 9.4 remains up to date and current in its technology, there appears to be no rush to release version 10.

What is the HITRUST Common Security Framework?

The HITRUST Common Security Framework (CSF) is divided into 19 different domains that include endpoint protection and access control. The CSF helps organizations address security challenges through a comprehensive framework of prescriptive and scalable security and privacy controls. HITRUST certifies IT offerings against these controls by adapting the requirements for certification to organizational, system, and regulatory factors.

HITRUST provides a standardized compliance framework, assessment methodology, and certification process so that cloud service providers and covered health entities can measure their compliance posture.

The HITRUST CSF is a highly tailored, industry-level overlay of NIST SP 800-53 moderate impact baseline controls, structured on ISO 27001:2005 Appendix A.

The CSF also incorporates healthcare-specific security, privacy, and other regulatory requirements from frameworks such as the Payment Card Industry Data Security Standard (PCI-DSS), ISO/IEC 27001 information security management standards, and Minimum Acceptable Risk Standards for Exchanges (MARS-E).

What are HITRUST Controls?

HITRUST CSF operates by providing organizations with the controls and framework needed for security compliance and data protection. HITRUST controls form the Common Security Framework (CSF), which brings together guidelines – or controls – from industry-specific documents and gathers them into one inclusive body of guidance.

HITRUST Controls are designed to streamline and simplify cybersecurity for organizations. These controls help organizations to meet the requirements and be compliant with regulations like GDPR and HIPAA.

The HITRUST framework is made up of three elements. The ‘Control Categories’ are the general cybersecurity domains from HITRUST. The ‘Objective Names’ form the control groups which are found within these categories. Finally, ‘Control References’ are the HITRUST controls themselves.

HITRUST CSF Controls are mapped across various standards – 13 in total – that achieve and ensure regulatory compliance. These controls and the HITRUST CSF framework enable data protection and security compliance for companies.

For example, Control Category 02.0 ‘Human Resources’ has four Objective Names, with nine Control References. These categories, objective names, and control references operate as follows:

  • Objective Name (02.01) HR: Controls Before Employment
    • Control Reference 02.a: Define roles and responsibilities
    • Control Reference 02.b: Implement personnel screening
  • Objective Name (02.02) HR: Controls During Onboarding
    • Control Reference 02.c: Define terms and conditions
  • Objective Name (02.03) HR: Controls During Employment
    • Control Reference 02.d: Manage personnel security
    • Control Reference 02.e: Cultivate security awareness
    • Control Reference 02.f: Define disciplinary procedures
  • Objective Name (02.04) HR: Controls for Personnel Moves
    • Control Reference 02.g: Define procedures for termination
    • Control Reference 02.h: Control return of assets after move(s)
    • Control Reference 02.i: Remove user access rights immediately

How Many HITRUST Controls Are There?

There are over 150 individual requirements within HITRUST Controls. The number of controls that a business needs to implement for their security and compliance will depend on the control specifications and other requirements. 

The 150+ HITRUST Controls requirements are placed into tiers, otherwise known as control categories or objectives. The most basic control category has 49 objectives, which then break down into 156 references. It is these references that are often thought of as controls.

Technically, every reference can be broken down into specific instruments. There are 156 HITRUST controls that every company must implement. For some businesses, it’s easier to think of them as 14 objectives.

HITRUST Control Categories

The HITRUST Control categories are made up of the objectives and their corresponding reference. These categories are as follows:

  • Category 0.0: Information Security Management
  • Category 0.1: Access Control Security
  • Category 0.2: Human Resources Security
  • Category 0.3: Risk Management Policy
  • Category 0.4: Information Security Policy
  • Category 0.5: Information Security Organization
  • Category 0.6: Regulatory Framework Compliance
  • Category 0.7: Asset Management Security
  • Category 0.8: Physical and Environmental Security
  • Category 0.9: Communications and Operations Security
  • Category 0.10: Information Systems Management
  • Category 0.11: Security Incident Management
  • Category 0.12: Business Continuity Management
  • Category 0.13: Privacy Security Practices

Implementation of these HITRUST CSF security controls must be verified through an assessment: a self-assessment, a CSF validated assessment or certification, or a HITRUST CSF Bridge Assessment.

Why Businesses Should Get HITRUST CSF Certified

Every business should get HITRUST CSF certification as it helps control and reduce your risk. It reduces risk through increased information security, enabling companies to establish security frameworks.

Most healthcare providers are HITRUST CSF certified, as certification helps ensure that patient information and other personal data are protected from any potential breach that could lead to significant financial and reputational consequences for the business.

Companies that are HITRUST CSF Certified have a lower security risk. They are better informed about changes in the security landscape and are able to improve their coverage when necessary, which can reduce their cyber insurance premiums. For any modern company, being HITRUST CSF Certified is a win-win.

Being fully certified also helps to reduce time spent on audits and saves companies money. When you have a HITRUST CSF certificate, it allows you to qualify for other certifications, including NIST, PCI, and HIPAA.

HITRUST Requirements

Each of the 156 HITRUST controls has three distinct implementation levels within them. Each implementation level builds on the previous one, meaning that level 2 includes all the requirements of level 1 with additional requirements.

Level three has all the requirements of levels 1 and 2, including its own requirements.

The implementation level is determined based on the risk profile of each company, accounting for its size and the data it holds. Most companies have a varied level of different implementations between levels 1, 2, and 3.

Throughout the different control categories, there are requirements that deal specifically with passwords. The HITRUST password requirements include:

  • A minimum of eight characters for a given password. The most privileged access requires accounts to have passwords of a minimum of 15 characters. These password requirements also have complexity measures in place, including at least one special character or number. Privileged accounts must also have at least one upper- and lower-case letter.
  • The HITRUST password history requirement varies depending on the security level of the user. Accounts with the highest level of privilege must change their passwords every 60 days, and none of the previous 12 passwords may be reused. Lower-privilege accounts may not reuse any of their previous six passwords.

Other HITRUST requirements worth noting include accounts, multi-factor authentication on privileged accounts, and user credentials.
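The password rules listed above are concrete enough to enforce in code. The following Python module is an added example (not HITRUST's or Perimeter 81's code) that encodes the two tiers the article quotes, standard and privileged accounts, and checks a proposed password for length, complexity, mixed case and reuse against a salted-hash history, plus a rotation check. The article gives no rotation period for standard accounts, so the 90-day value for that tier is a labelled placeholder; the hypothetical class and function names are likewise assumptions.

```python
"""Password-policy checks modelled on the HITRUST password requirements
quoted in the article (standard vs. privileged accounts).  Added example,
not code from HITRUST or Perimeter 81."""
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib
import hmac
import os
import string


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int           # minimum password length
    history_depth: int        # how many previous passwords may not be reused
    rotation_days: int        # maximum password age before a change is required
    require_mixed_case: bool  # both upper- and lower-case letters required


# Figures quoted in the article: 8 characters and a 6-password history for
# standard accounts; 15 characters, 60-day rotation and a 12-password history
# for privileged accounts.  ASSUMPTION: the article states no rotation period
# for standard accounts, so the 90 days below is a placeholder, not a HITRUST figure.
STANDARD = PasswordPolicy(min_length=8, history_depth=6, rotation_days=90,
                          require_mixed_case=False)
PRIVILEGED = PasswordPolicy(min_length=15, history_depth=12, rotation_days=60,
                            require_mixed_case=True)


def _digest(password: str, salt: bytes) -> bytes:
    # History is kept as salted PBKDF2 hashes, never plaintext, so a leaked
    # history table does not reveal old passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    privileged: bool
    last_changed: date
    history: list = field(default_factory=list)  # (salt, digest) pairs, newest first

    @property
    def policy(self) -> PasswordPolicy:
        return PRIVILEGED if self.privileged else STANDARD


def check_password(candidate: str, account: Account) -> list:
    """Return the list of policy violations for a proposed new password;
    an empty list means the password is acceptable."""
    policy = account.policy
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    # Complexity rule quoted for all accounts: at least one special character or number.
    if not any(c.isdigit() or c in string.punctuation for c in candidate):
        problems.append("needs at least one special character or number")
    if policy.require_mixed_case and not (
            any(c.isupper() for c in candidate) and any(c.islower() for c in candidate)):
        problems.append("needs both upper- and lower-case letters")
    # Only the most recent N entries the policy cares about are compared.
    for salt, digest in account.history[:policy.history_depth]:
        if hmac.compare_digest(_digest(candidate, salt), digest):
            problems.append(f"reuses one of the last {policy.history_depth} passwords")
            break
    return problems


def rotation_due(account: Account, today: date) -> bool:
    """True when the current password has reached the policy's rotation period."""
    return today - account.last_changed >= timedelta(days=account.policy.rotation_days)


def record_password(account: Account, password: str, changed_on: date) -> None:
    """Store a newly set password's salted hash at the head of the history."""
    salt = os.urandom(16)
    account.history.insert(0, (salt, _digest(password, salt)))
    account.last_changed = changed_on


if __name__ == "__main__":
    # Constructed sample: a privileged account that set its password on 1 Jan 2021.
    admin = Account(privileged=True, last_changed=date(2021, 1, 1))
    record_password(admin, "Winter-Solstice-2021x", date(2021, 1, 1))
    print(check_password("Winter-Solstice-2021x", admin))   # reuse is rejected
    print(check_password("Spring-Equinox-2021y", admin))    # no problems
    print(rotation_due(admin, date(2021, 3, 5)))            # 63 days old: rotation due
```

The history comparison uses `hmac.compare_digest` and a fresh salt per entry so that checking reuse never requires storing or comparing plaintext passwords; the same structure extends to any additional tier by adding another `PasswordPolicy` instance.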

HITRUST Policies

The average cost of a data breach is $4.24 million. HITRUST Policies are always evolving, alongside the updates to the framework in order to help prevent potential leaks and costly data breaches from hitting organizations.

The documentation that you provide during audits and assessments must meet HITRUST’s policies and criteria.

The documentation must be approved formally by management, communicated to the workforce and stakeholders of the company. The following are criteria that should be met in order to achieve perfect HITRUST policy compliance: 

  • The communication management’s expectations of the control should use phrases that include “will”, “shall”, or “must” clearly written in documentation for all employees to follow
  • Have an appointed HITRUST CSF Assessor to handle all policy procedures and ensure that a HITRUST information security implementation manual be distributed among employees and remain up-to-date. 
  • Require stringent password resets which should be different from existing passwords. Schedule password resets every 60 days in order to minimize the attack surface. 
  • Conduct a thorough HITRUST audit and assessment.

How to Conduct a HITRUST Audit and Assessment

When a company meets its HITRUST compliance obligations, it means that it has taken proactive steps to examine its technological infrastructure in order to protect its data and systems.

A HITRUST audit and assessment can be carried out either through a self-assessment or validated assessment. You can carry out your own self-assessment with the myCSF tool, giving you an idea of where you would stand during an audit.

Self-assessments are usually chosen by companies who want to save money while showing their compliance. The individual within your business carrying out the self-assessment will need to have the appropriate expertise and skills. The results they produce will need to be verified.

By comparison, a validated assessment is carried out by a HITRUST CSF Assessor, who is an independent auditor. They carry out an audit and assess whether the business is compliant with their applicable HITRUST CSF requirements. If they are, the business can be certified as being HITRUST certified.

The average cost of a HITRUST audit ranges between $60,000 – $120,000 depending on the requirements of the organization. 

After the validated assessment is finished, the business pays its HITRUST certification fee and will submit any relevant plans to correct issues identified by the HITRUST CSF Assessor. 

When you’re conducting a HITRUST audit and assessment or having a validated assessment by a HITRUST CSF assessor, there are a few things you want to keep in mind. 

The business should maintain communication between its management, employees, the HITRUST CSF assessor, and HITRUST itself. The audit and assessment process is centered on your IT systems, meaning that the company’s IT department will need to be flexible during this time.

The HITRUST certificate is valid for two years from its certification date, meaning that a business may need to update its standards prior to the audit to pass its assessment. Working with a HITRUST CSF assessor can ensure that the business gets its HITRUST certificate.

HITRUST Cyber Threat Xchange (CTX) – The Future of Healthcare Threat Analysis

In 2014, HITRUST announced the launch of their HITRUST Cyber Threat Xchange (CTX) that is designed to significantly speed up the detection of and response to cyber threat indicators targeted at companies within the healthcare industry.

CTX is designed to automate the process of collecting and analyzing cyber threats, distributing actionable indicators in electronically consumable formats. It is tailored for use by companies of all sizes and at various HITRUST cybersecurity maturity levels to improve their cyber defenses.

The CTX assessment is designed to function as an advanced early warning system to alert organizations to potential cyber threats.

The HITRUST Cyber Threat Xchange has undergone several updates since its release. It’s currently used to provide companies with various cybersecurity maturity levels a way to defend against the increasing volume of cyber threats that are becoming increasingly sophisticated.

As the future of healthcare threat analysis, CTX is designed to enable timely exchanges of cyber threat indicators, automating as much of the process as possible.

The HITRUST Cyber Threat Management and Response Center was announced in 2017 in partnership with Trend Micro. Its purpose is to expand and enhance the capabilities of CTX.

Since its launch, CTX has become the leader in threat indicator collection. It’s now moving its focus to ensure that companies of all types of cyber maturity are able to leverage these indicators in a timely manner.

In 2017, CTX was supporting over 1,600 organizations with cyber information sharing. CTX has allowed for IOCs to be spotted as early as 150+ days in advance.

HIPAA Requirements

Data security has grown into a significant problem for healthcare organizations as the volume of electronic patient data grows. To meet Health Insurance Portability and Accountability Act (HIPAA) compliance regulations, organizations must comply with the HIPAA Security Rule to protect ePHI through integrity control, access control, audit control, and network security.

This Security Rule sets national standards for protecting the confidentiality, integrity, and availability of electronically protected health information.

For HIPAA compliance, Technical Safeguards should be in place so that only authorized entities can access electronic protected health data. Additionally, these policies cover integrity control and network security.

For many organizations, a HIPAA compliant VPN is one of the best and easiest ways to implement network security, protect data transmission, provide encryption and meet other compliance requirements that secure electronic Protected Health Information (ePHI).

Technical Safeguards are required for Security Rule compliance. The following Technical Safeguards help ensure that only authorized entities can access ePHI data:

  • Identify and map data that must be HIPAA protected on-premises or in the cloud.
  • Determine which users should have access to HIPAA data and grant permissions to read, write or execute only the files, resources, or network access needed.
  • Monitor user access to HIPAA-protected data.
  • Create notification alerts when a user accesses or stores HIPAA data in a non-compliant repository.
  • Protect network access with a Cloud VPN, endpoint security, two-factor authentication, strong passwords, and session timeouts.
  • Continuously monitor user activity across the network, both on-premises and in the cloud.

HITRUST vs HIPAA: What Are the Differences?

HIPAA Compliance Requirements | HITRUST Certification Requirements
Organizations are focused on complying with legal regulations. | HITRUST focuses on managing risk for comprehensive positive impacts on healthcare organizations.
No HIPAA certification process to demonstrate or ensure HIPAA compliance. | A certification process for HITRUST compliance.
HIPAA compliance does not ensure compliance with regulations such as NIST, SOC 2, and PCI DSS. | HITRUST covers HIPAA, NIST, SOX, and PCI DSS.
No framework for risk assessment. | A comprehensive framework for risk assessment.
HIPAA compliance requires selecting multiple security controls. | HITRUST maps to the HIPAA Security Rule.
No annual certification process. | Annual HITRUST certification audit.
No frequent HIPAA updates. | HITRUST continuously re-evaluates risk management processes to protect against the latest threats.
Penalties for non-compliance. | No penalties for not being HITRUST certified.
HIPAA regulations can be complex. | HITRUST certification is achieved through third-party auditors.
No single report for regulatory compliance requirements. | Run a single report for all regulatory compliance requirements.

How to Become HITRUST Compliant with Cloud Vendors?

Cloud Service Providers (CSPs) that have achieved CSF certification meet all the certification requirements for HITRUST. The following cloud vendors all offer HITRUST-certified solutions and services.

AWS HITRUST Quickstart

The Amazon Web Services (AWS) HITRUST Quick Start deploys a model environment in the AWS Cloud for workloads that fall within the scope of the HITRUST CSF.

The solution architecture maps to technical requirements imposed by HITRUST controls using AWS CloudFormation templates. The AWS Quick Start templates automate the building of compliant, baseline architectures. They also include security controls references that map to HITRUST controls.

Microsoft Azure HITRUST

Both Microsoft Azure and Office 365 were the first hyper-scale cloud services to receive certification for the HITRUST CSF, based on how Azure and Office 365 implement security, privacy, and regulatory requirements to protect customer data and sensitive information. Microsoft also supports the HITRUST Shared Responsibility Program.

Google and HITRUST

Google Workspace and Google Cloud Platform have both achieved HITRUST CSF certification. Google Cloud offers built-in default data protection that meets HITRUST requirements to secure organizations against intrusions, data theft, and cyber-attacks.

Customer data stored in Google Cloud is encrypted at rest by default. Google also applies default protections to customer data in transit.

Salesforce and HITRUST

Salesforce has obtained HITRUST CSF Certification and the company is committed to achieving and maintaining customer trust across its cloud solutions and services.

Salesforce provides a comprehensive cybersecurity and privacy program encompassing data protection across its entire suite of services, including the protection of customer data as defined in Salesforce’s Master Subscription Agreement.

Microsoft Azure GDPR Compliance

Software giant Microsoft is another company that has adopted the GDPR compliance regulations. Azure users will want to check out the Azure Data Subject Requests for the GDPR and CCPA which explains the various GDPR requirements for all Microsoft products. 

Crucial information on GDPR for Office on-premises Servers can be found there as well – important for securing your remote workforce as well. They outline to their customers the services they offer that are in compliance with the European data protection law.

What is the Cost of HITRUST CSF Certification in 2021?

The cost of becoming HITRUST certified in 2021 is determined by the fees charged by a HITRUST CSF Assessor. At the beginning of the certification process, the appointed assessor will carry out a thorough analysis of your risk profile by asking 50 questions. It is your risk profile that will determine the cost of becoming HITRUST certified in 2021.

Small companies that have a lower risk profile can expect to see a fee from HITRUST of between $6,000 and $15,000. In this scenario, the HITRUST CSF assessor may also charge around $30,000. Larger organizations that are determined as having a higher risk profile can expect their costs to range anywhere from $40,000 to over $150,000.

When a business is working out how to become HITRUST certified, they also have to consider the indirect costs. An organization may be required to implement hundreds of controls to comply with the HITRUST certification. It can take 30 minutes to prove compliance for each control. 

Smaller companies with a lower risk profile can take around 200 hours to carry out this process. Larger companies with a higher profile risk could be required to spend around 1,350 hours. The indirect cost of HITRUST could range anywhere from $20k to $135k depending on the company’s circumstances and risk profile.

The total cost of becoming HITRUST certified in 2021 can vary due to the direct and indirect costs involved, ranging anywhere from $60,000 to over $285,000. This cost will facilitate certification that is valid for 2 years, with a mini-assessment in the intervening year.

AWS HITRUST Certification Cost

In 2020, 120 Amazon Web Services (AWS) services were certified for HITRUST CSF. An AWS HITRUST certification allows companies that are AWS customers to tailor their security control baselines to factors such as regulatory requirements and organization type.

It is being widely adopted for security and privacy measures. AWS HITRUST certified services will be required to meet the certification criteria for HITRUST CSF v9.1. There is no cost associated with getting an AWS HITRUST Certification if you already have AWS.

Microsoft Azure HITRUST Certification Cost

In February 2021, Microsoft Azure announced that it had increased the scope of its HITRUST CSF certification to include 172 Azure offerings across 49 Azure regions. Businesses can access the Azure HITRUST certification letter through Microsoft’s Service Trust Portal.

The HITRUST Shared Responsibility Matrix for Microsoft Azure is the result of a partnership between Azure and HITRUST Alliance. It allows Azure customers to leverage their HITRUST CSF certifications to inherit controls and apply them to carry out their own assessments.

Microsoft Azure customers can accelerate the deployment of HITRUST CSF by using Azure’s HITRUST Blueprint. It provides customers with a core set of policies to deploy, defining them as a repeatable set of standards, requirements, and patterns that can be enforced across Azure resources.

There is no cost associated with getting a Microsoft Azure HITRUST Certification if you already have Azure.

HITRUST Collaborate 2021 – The HITRUST Annual Conference

The HITRUST Summit took place virtually on 5-6 October 2021, with pre-conference workshops offered the day before. The HITRUST Collaborate 2021 conference had the tagline “Learn. Collaborate. Deliver”. It pitches itself as the most comprehensive and definitive information risk management conference for privacy, security, and compliance professionals.

The purpose of the HITRUST summit is to enable the attendees to collaborate, learn, and deliver more effective methods of risk management, information protection, and compliance. Attendees of the HITRUST Collaborate summit were able to listen and participate in discussions focused on the best practices within the industry and the latest trends in cyber security.

The HITRUST Summit promises to give virtual attendees the opportunity to network and exchange information and ideas with industry influencers, peers, and HITRUST experts.

The conference also provides the opportunity for you to earn up to 8 continuing professional education credits. Sessions throughout the HITRUST Collaborate 2021 summit focused on industry trends, risk management tactics, and best practices.

Sponsors of the HITRUST Collaborate 2021 summit include Cloudticity, Paubox, Armor, and Intraprise Health.

Registration for the HITRUST Collaborate summit was done through the HITRUST events website. Registration fees for the conference were $299 per person. There is a package for the pre-conference workshops and conference that is on sale for $349.

How Perimeter 81 Can Help You Become HITRUST Compliant

Perimeter 81’s HITRUST Compliant solution, a highly scalable, cost-effective, and easy-to-use cloud VPN service gives companies of all industries and sizes the power to be confidently cloud-based and completely mobile. Perimeter 81’s advanced cloud VPN features include:

Two-Factor Authentication

Perimeter 81 offers built-in Two-Factor Authentication with SMS/Push Notifications, Duo Security, and Google Authenticator. Two-Factor Authentication helps companies meet HIPAA compliance by preventing unauthorized account access through an extra layer of security.

Private VPN Servers with Dedicated IPs

With Perimeter 81’s single-click management platform, it’s easy to deploy secure private servers on the fly. This allows organizations to hide assets and confidential data from the public Internet with restricted IP access and create a virtual ‘key’ that permits only authorized users to access specific resources.

Automatic Wi-Fi Protection Across All Devices

Cross-platform client applications ensure data passing over any network is secured with 256-bit bank-level encryption. Perimeter 81’s innovative Automatic Wi-Fi Security immediately shields data by automatically activating VPN protection when employees connect to unsecured Wi-Fi networks.

SOC 2 and ISO 27001 Compliance

Perimeter 81 adheres to the highest standards of software security compliance so that organizations needing to adhere to HIPAA Compliance can ensure their PHI data remains fully protected.

If you deal with any form of PHI, you must become HITRUST Compliant. It is very important to conduct a routine HITRUST assessment in order to keep up-to-date with new compliance regulations and avoid costly penalties. 

See how Perimeter 81 helped a leading healthcare technology company achieve HITRUST compliance and reduce their monthly manual hours by over 350 percent.

HITRUST Compliance FAQs

What is HITRUST?
HITRUST or the Health Information Trust Alliance is a healthcare-driven industry organization that created and maintains the certifiable Common Security Framework (CSF). The HITRUST CSF enables healthcare organizations and providers to demonstrate security and compliance in a consistent and streamlined manner.
How does HITRUST differ from HIPAA?
With HIPAA, organizations must comply with legal regulations. HITRUST focuses on managing risk for comprehensive positive impacts on healthcare organizations.
How is HITRUST related to GDPR?
HITRUST integrates the European Union’s General Data Protection Regulation (GDPR) into the HITRUST CSF to help organizations identify and mitigate gaps, and meet compliance requirements.
How does HITRUST relate to ISO27001?
The HITRUST CSF’s security safeguards are derived from industry and government frameworks, and cybersecurity requirements including ISO/IEC 27001, HIPAA, security standards, and best practices.

How does HITRUST differ from SOC2?
SOC 2 is a reporting format and not a security framework. The AICPA’s Trust Services Criteria are aligned to the HITRUST CSF, which provides standard and equivalent requirements for SOC 2 reporting. Organizations can issue a SOC 2 report on HITRUST CSF control requirements and use them as the basis of their cybersecurity program.
How long does it take to get HITRUST certified?
The HITRUST certification process can take up to twelve months, depending on the size and scope of the organization.
How much does HITRUST certification cost?
The cost for a HITRUST certification ranges from $40,000 – $60,000.

Looking to streamline HITRUST Compliance?

Become GDPR Confident with Perimeter 81. Learn how.