HITRUST Common Security Framework (CSF) Certification

What is HITRUST CSF?

Developed and maintained by the Health Information Trust Alliance (HITRUST), HITRUST CSF is a certifiable framework built upon multiple information security and privacy regulations, standards, practices, and compliance frameworks, including HIPAA, NIST 800-53, PCI DSS, FedRAMP, COBIT, Identity Theft Red Flags, GDPR, and PDPA.

Why implement HITRUST CSF?

Several federal and state laws, regulations, and industry guidelines require organizations to implement and maintain a security and privacy program. Organizations in healthcare and those with multiple compliance requirements can benefit greatly by adopting HITRUST CSF over other security frameworks (e.g., NIST, COBIT, SANS, ISO) because HITRUST CSF is scalable, comprehensive, prescriptive, always evolving, and most importantly - certifiable.

HITRUST CSF can help you:

  • Meet external requirements (e.g., regulatory requirements, contractual requirements, etc.)

  • Demonstrate compliance to various security and privacy regulations and standards.

  • Implement a unified risk management framework that measures the state of cybersecurity and privacy and guides resource allocation.

  • Realize major cost savings due to streamlined processes, implementation of more effective internal controls, and reducing compliance costs by assessing once and reporting on multiple standards and regulations.

  • Obtain a sustainable competitive advantage.

How to get started with HITRUST CSF:

The HITRUST CSF assessment and certification process requires substantial attention from the whole organization to be effective, not just from IT or the compliance department. Therefore it’s important to ensure you have buy-in and support from management and key stakeholders, and to ensure you have clear agreement on what is in scope for the assessment. The larger the scope, the more complex the assessment will be.

What is included in a HITRUST CSF Assessment?

HITRUST CSF control requirements are grouped into the following 19 assessment domains based on common IT organizational structures.

Assessment Domains:

  1. Information Protection Program

  2. Endpoint Protection

  3. Portable Media Security

  4. Mobile Device Security

  5. Wireless Security

  6. Configuration Management

  7. Vulnerability Management

  8. Network Protection

  9. Transmission Protection

  10. Password Management

  11. Access Control

  12. Audit Logging & Monitoring

  13. Education, Training, & Awareness

  14. Third-Party Assurance

  15. Incident Management

  16. Business Continuity & Disaster Recovery

  17. Risk Management

  18. Physical & Environmental Security

  19. Data Protection & Privacy

A narrow scope makes HITRUST certification more attainable - especially if this is a first-time assessment!

Assessment Criteria:

Policy
- Do formal, up-to-date, documented policies and/or standards exist?
- Does the policy address each element of the requirement statement?
- Are policies approved, in use, and communicated to the workforce?

Procedure
- Do formal, up-to-date, documented procedures exist in support of the policy?
- Does the procedure include each element of the requirement statement?
- Does the procedure include who, what, where, how, when, and the solutions used?

Implemented
- Have the procedures been implemented?
- Do they operate effectively for each element of the requirement statement?
- Have the procedures been communicated to all individuals required to follow them?

Measured
- Are operational self-assessments or tests conducted routinely to evaluate adequacy and effectiveness of the control?
- Are independent assessments performed?
- Are assessment results documented, reviewed, and approved?

Managed
- Are corrective actions implemented as needed?
- Do corrective action decisions consider cost, risk, and mission impact?
- Are metrics and measures reevaluated based on changing threat and technology landscape?

How Secliance can help you:

To ensure you successfully achieve your security, privacy, and compliance certification objectives, we assign a Certified Common Security Framework Practitioner (CCSFP) to work closely with you to meet your specific needs. Our HITRUST CSF services include:

  1. Strategize and scope the assessment

  2. Document and implement policies, standards, and procedures

  3. Complete a self-assessment or gap assessment

  4. Serve as audit liaisons with external assessors

  5. Perform project management throughout the assessment life-cycle

  6. Correlate and analyze assessment results in order to monitor and manage risk

  7. Develop an information security roadmap and update the information security strategy

  8. Establish a continuous monitoring program aimed at transforming security and privacy practices

To learn more about adopting the HITRUST CSF and obtaining certification, read our Guide to HITRUST CSF Certification.

Ready to achieve your cybersecurity and compliance goals?