The HITRUST Common Security Framework (CSF) has continued to progress since its inception. The HITRUST CSF maps the information security standards, regulations, and frameworks organizations must comply with, including HIPAA, PCI, NIST 800-53, ISO 27001, COBIT, and many others, enabling an “audit once, report many” approach to compliance initiatives.

While the HITRUST CSF is prescriptive, it allows flexibility for different industries and organizational maturity. The framework reflects industry needs and leaves no stone unturned when it comes to new developments. So, it should come as no surprise that, as the information security landscape evolves, so does the framework itself.

While HITRUST was initially developed to protect ePHI/PHI within the healthcare industry, the CSF continues to expand with an evolving mission to “champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain.”

What to Know about HITRUST 9.1

With the release of HITRUST CSF 9.1, the framework incorporates requirements from the financial sector and regulations soon to be enforced in the EU: specifically, the New York State Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) and the EU General Data Protection Regulation (GDPR).

If you’re unfamiliar with the New York State Cybersecurity Requirements for Financial Services Companies, here’s what you need to know. The NYCRR was introduced in response to “the ever-growing threat posed to information and financial systems by nation-states, terrorist organizations, and independent criminal actors.” The regulation gives companies some leniency in how they apply information security controls, but “requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion.”

HITRUST CSF 9.1 also incorporates relevant requirements from the GDPR—a personal data regulation based on “more than four years of deliberation” set to go into effect May 25, 2018.

While the GDPR has its roots in the EU, it affects any US companies that conduct business in the EU, target EU customers, or monitor the behavior of individuals within the EU. The inclusion of the regulation is extremely helpful for any US-based companies affected, as violations can lead to strong penalties. The introduction of HITRUST CSF 9.1 exemplifies HITRUST’s commitment to developing a security framework that is flexible enough for any industry but prescriptive enough to provide clear direction.

A common struggle with implementing HITRUST within an organization is that it is so robust it can seem impossible to follow—but not if you have the right help. LBMC Information Security is part of a select group of HITRUST CSF assessors who can not only assess your organization against the framework but also provide the necessary guidance to prepare you for certification. Companies should remember that many of the regulatory factors, even if applicable to their organization, do not all have to be tackled during the first validated assessment. Starting with a baseline assessment is allowed, which gives companies the flexibility to tackle HITRUST piece by piece as it applies to their organization.

What You Need to Know About HITRUST's MyCSF 2.0

If you’ve experienced a HITRUST assessment, you’re familiar with the MyCSF tool. It’s the online application used to verify compliance with the HITRUST compliance framework. There’s no arguing that MyCSF helps auditors and their clients manage the extensive HITRUST assessment process. But, if we’re being honest, it hasn’t historically provided the most efficient means to complete an assessment.

There’s good news, though. HITRUST is revamping the MyCSF tool to provide increased functionality for users, valuable analytics to aid in the tracking of both compliance and assessment completion, in addition to adding many efficiencies throughout the entire assessment process. In mid-June 2018, HITRUST held a webinar highlighting the big changes to MyCSF and how those changes positively affect users. Below are a few highlights to note.

HITRUST MyCSF 2.0 Highlights

1. MyCSF 2.0 will likely save users time.

MyCSF allows users to assess compliance at the requirement level, but getting there hasn’t been easy within the MyCSF 1.0 tool. The interface is clunky and requires a number of clicks before you can even access the requirement you’re trying to address. Add to that the fact that HITRUST v9.1 has 233 requirements at minimum and 1,719 at maximum, with five scoring entries per requirement. You can see how easy it could be to get “lost in the weeds.” But, MyCSF 2.0 includes the ability to assess requirements by domain, which are much broader and provide a higher-level view of compliance.

If you’re unfamiliar, these are the 19 HITRUST domains:

  • Risk Management
  • Information Protection Program
  • Data Protection & Privacy
  • Endpoint Protection
  • Portable Media Security
  • Mobile Device Security
  • Configuration Management
  • Vulnerability Management
  • Network Protection
  • Wireless Protection
  • Password Management
  • Incident Management
  • Physical & Environmental Security
  • Transmission Protection
  • Access Control
  • Audit Logging & Monitoring
  • Education, Training & Awareness
  • Third Party Security
  • Business Continuity & Disaster Recovery

Beyond that, instead of navigating through a maze of pages to view and respond to the requirements they’re assessed against, MyCSF 2.0 users will be able to view all requirements for a domain on one page. These changes will likely give users a much simpler and more user-friendly MyCSF experience, leading to more efficiency and time savings.

2. MyCSF 2.0 will give users a clearer picture of their level of compliance with HITRUST.

At the requirement level, it’s hard to understand your level of compliance. Under the first version of MyCSF, users have to jump through hoops to determine whether or not they’ll be compliant (e.g., Excel spreadsheets with formulas). There isn’t a simple way to view your current level of compliance within the MyCSF tool.

MyCSF 2.0 features a new dashboard and reporting features that will allow users to quickly identify their level of compliance in real-time, which will likely help teams have a greater peace of mind during assessments. It’s clear these changes are aimed at helping users navigate the robust HITRUST framework more easily. If you’ve experienced MyCSF 1.0, you’re probably wondering when you’ll be able to get your hands on 2.0. The reality falls between “don’t hold your breath” and “don’t give up hope.”

HITRUST is currently piloting MyCSF 2.0 in efforts to identify and address any bugs within the interface. They plan to move all users to the new application by March 31, 2019.

With or without a new tool, HITRUST certification and compliance is a big undertaking. If you need help understanding the framework or how your organization can become compliant, contact us.

What to Know About the HITRUST RightStart Program

In an ideal world, every organization would place high importance on information security, regardless of its maturity level, annual revenue, or contractual obligations. Unfortunately, we don’t live in an ideal world.

Many companies—especially new companies—simply don’t have the time, money, or knowledge to create a strong cybersecurity program. Instead, they must devote their limited resources to running and growing the business. This is a known issue, and thankfully, the HITRUST Alliance has recently introduced a program to help alleviate it. It’s called The HITRUST RightStart Program for Start-ups.

The HITRUST RightStart Program is specifically designed for organizations that meet the following requirements:

  1. The business was incorporated or founded within the last 3 years.
  2. The business has a productive service line (or is close).
  3. The business has under 50 full-time employees.
  4. The business has an annual revenue of less than $10 million.

The goal of the HITRUST RightStart Program is (you guessed it) to help new companies get started on the right foot through implementing strong cybersecurity practices as a foundational part of their businesses. The HITRUST RightStart program accomplishes this by providing start-ups with access to the following resources:

  • The HITRUST CSF Library, which lets organizations assess themselves against the HITRUST CSF or any of the 35 other authoritative sources that make up the HITRUST CSF
  • The HITRUST CSF Assurance Program, which allows companies to take advantage of the major selling point of the HITRUST CSF: “Assess Once, Report Many”
  • The MyCSF Assessment Platform, which was updated in 2018 and allows companies to record and store information related to their compliance with the CSF
  • HITRUST Academy, which enables organizations to learn more about the CSF

The RightStart program was created to do all of this at a reasonable cost as well. The program costs $15,000 per year for two years, minimum, as long as the organization meets the four requirements necessary for membership in the program (mentioned above).

In the past, cybersecurity programs have been an add-on for start-ups—something they attached to their businesses with metaphorical duct-tape in hopes that they would work until there was time to invest in something better. The introduction of the RightStart Program creates a clear roadmap for start-ups to not only make cybersecurity an integral part of their business but also to ease compliance challenges in the future. And, at its most basic level, it might be able to keep start-ups from having to continually complete questionnaires and instead “assess once, report many” to both business partners and investors alike.

HITRUST® Provider TPRM Update

What is the Provider Third-Party Risk Management Council?

The Provider Third-Party Risk Management (PTPRM) Council is relatively new, announced in 2018. A group of prominent Chief Information Security Officers (CISOs) came together to solve a common challenge: vetting and monitoring third-party organizations in their supply chains.

They created the PTPRM Council to “develop, recommend, and promote practices to manage information security-related risks in their supply chain and to safeguard patient safety and information.”

The council upholds its mission in part by requiring third parties to which protected health information (PHI) is disclosed to provide a certified HITRUST CSF™ Assessment before providing services and annually thereafter. How does this help? The HITRUST CSF certification serves as a standard for third parties that use patient or sensitive information. These third parties can become certified, participate in the network and, as a result, more easily work with other members.

The Provider TPRM Council’s Objectives

The PTPRM Council’s objectives are designed to improve the cybersecurity posture of participating organizations. Its main goals are to:

  • Bring uniformity to the vendor risk management life cycle (VRMLC);
  • Reduce the cost and increase the value that organizations expect from their VRMLC processes;
  • Address difficult problems efficiently and respond to emerging threats; and
  • Demonstrate commitment to industry-wide acceptance and adoption.

The council is working to achieve these goals.

How does this help the participating organizations?

Participating organizations can ensure that others in the PTPRM network are following vital security standards and that their compliance has been validated. Because participants are HITRUST CSF certified, working within the network gives organizations inherent initial trust, making the process of onboarding vendors and providers less cumbersome.

This initiative helps save these organizations time and money since resources that previously went toward vetting new providers and vendors can now be used elsewhere.

While this initiative is based on security, it’s also clear that joining this network is a competitive advantage as well. An organization will more likely choose to work with another participating organization due to the assurance of security standards and time efficiency.

The Potential of PTPRM’s Growth

Many organizations on the PTPRM Council have already seen rapid adoption of HITRUST by their vendors. This initiative has allowed vendors and service organizations to reduce security audits, questionnaires, and the time spent filling out vendor forms. This change affects not only organizations on the council but others as well, considering that the HITRUST CSF is a widely recognized security framework and certification. Since its inception, the number of participating providers has grown, and BA/Vendor Council members have been added.

Whether you’re a start-up or an established business, LBMC Information Security would love to help you navigate the complexities of the HITRUST CSF. Contact us to learn how we can help.