One of the many frustrations for healthcare organizations is information security. Beyond the widely publicized large breaches of health data, the most recent headlines concern medical facilities such as Hollywood Presbyterian Medical Center that have been hit by ransomware.

Ransomware is malicious software that encrypts the data on large numbers of systems, often crippling an organization's operations, and then demands payment to an anonymous group that promises, but does not guarantee, to decrypt the data. As if it were not hard enough to keep the bad guys at bay, once the smoke clears you can be fairly sure the regulators will swoop in for a thorough examination of the weaknesses in your security program.

The Health Insurance Portability and Accountability Act (HIPAA) establishes high-level objectives and implementation specifications for organizations that handle electronic protected health information (ePHI), but it is very difficult for those organizations to know how high to set the bar to be compliant with the regulatory mandate. On top of that, there is no guarantee that becoming "compliant" will actually keep your organization secure.


Given these dynamics in the industry, many organizations that outsource critical business processes requiring the sharing of ePHI with third parties are taking a much closer interest in the security practices of their business associates. If you are on the receiving end of that data, you are probably also on the receiving end of more and more requests probing the quality of your security program. The requests range from questionnaires to on-site audits to requests for independent reports such as SOC attestations or HITRUST certification.


The HITRUST Common Security Framework (CSF) was developed to address the three challenges described above:

    1. The need for a solid security framework to reduce the risk of data breaches
    2. Confusion caused by HIPAA’s lack of prescriptive guidance
    3. A way to audit once and report many times to demonstrate the quality of your security program to interested business partners and customers

The HITRUST CSF is rapidly becoming a new "standard" in the healthcare industry. It is built on a number of existing standards, most notably ISO/IEC 27001 and 27002. In addition, HITRUST has included coverage for other standards and regulatory mandates such as the Payment Card Industry Data Security Standard (PCI DSS), the Federal Information Security Management Act (FISMA, via NIST SP 800-53), the Federal Trade Commission (FTC) Red Flags Rule, and several state data security and privacy regulations, including those of Massachusetts and Nevada. In building the framework and its accompanying assessment tools, HITRUST has concentrated on 19 key control areas that have the greatest impact on reducing the likelihood and/or severity of a data breach.

Unlike the HIPAA Security Rule, the HITRUST CSF takes a prescriptive approach. It is not, however, a one-size-fits-all standard: it uses a tiered approach with up to three levels of requirements for each control, and the level an organization must meet is set by organizational factors (such as size), system factors (such as the nature of its data and systems), and applicable regulatory factors. At its most basic level, implementing the controls in the CSF is designed to meet the mandates of HIPAA, which is certainly a goal for everyone in the industry.


To address the problem many service providers face in "proving" the quality of their security program while responding to dozens, if not hundreds, of requests for information, HITRUST has developed an assurance program that allows for independent validation or certification against the framework. These validation and certification engagements are performed by organizations (Assessors) that have been specially trained and vetted by HITRUST as having experience and expertise specifically in healthcare information security.

LBMC's experience in helping organizations prepare for HITRUST certification and in performing certification assessments shows that many organizations are not prepared for the increased security rigor and maturity the CSF requires. This should be a motivator rather than a deterrent. If you are considering the CSF as an option for your security program, here are a few action items.

    1. Register with HITRUST and obtain a PDF copy of the CSF. Take advantage of the many informational downloads provided on the HITRUST web site.
    2. Investigate the value of a HITRUST validation or certification report in terms of enhancing relationships with (and reducing risk from) existing customers and business partners.
    3. Reach out to an assessor organization to gain valuable insight on strategies given the current state of your security program.
    4. Understand the framework and how your unique organizational, system, and regulatory factors set the bar for the controls you will need to implement.
    5. Consider performing a self-assessment using HITRUST's MyCSF tool as a starting point for developing plans to implement the framework.

In summary, if your organization is looking to mature its security program and is facing some of the challenges discussed above, HITRUST may be worth investigating. Several very large payors now require their business partners to comply with the framework and to provide certification reports as part of their vendor management process. With this type of catalyst in the industry, the CSF will continue to become a go-to standard for healthcare information security.

Additional information on HITRUST can be obtained at