With GDPR now being enforced, can the HITRUST CSF address GDPR mandates?
Yes. Incorporation of the EU General Data Protection Regulation (GDPR) is part of HITRUST’s initiative towards internationalization of the CSF and increased support for global organizational privacy programs. The updated framework now allows organizations to easily manage and report on the controls intended to address GDPR requirements.
Is it possible to address the NIST Cybersecurity Framework (CsF) with the HITRUST CSF?
Yes. HITRUST CSF may be applied to achieve NIST CsF certification. Incorporating the NIST Cybersecurity Framework into the HITRUST CSF and establishing a certification mechanism as part of the HITRUST CSF Assurance program gives organizations an effective and efficient approach for reporting their cybersecurity posture leveraging the NIST Cybersecurity categorization.
The 23 NYCRR 500 is a comprehensive cybersecurity regulation. Does HITRUST CSF address this New York regulation?
Yes. The HITRUST CSF may be applied to address New York’s 23 NYCRR 500 regulatory requirements. Integrating the New York State Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) into the HITRUST CSF will enable the financial industry to leverage the framework to achieve better cybersecurity resilience and protection.
Is the HITRUST CSF limited to use by healthcare entities only?
No. The HITRUST CSF framework can be applied by businesses and organizations of all sizes across all industries. HITRUST operates in conjunction with healthcare, business, technology and security leaders to identify solutions to challenges related to streamlining the effective implementation and assessment of security controls that are applicable to all organizations.
Can business associates in countries such as India and the Philippines apply the HITRUST CSF standard?
Yes! HITRUST CSF is a global standard and may be used by businesses and organizations globally. Organizations outside of the U.S., typically business associates providing services to U.S. healthcare organizations, may be required to implement the CSF.
Does the HITRUST CSF address PCI DSS requirements for cardholder data?
Yes. The HITRUST CSF framework may be applied to address PCI DSS requirements for cardholder data. The CSF integrates and harmonizes requirements from many authoritative sources such as ISO, NIST, PCI, HIPAA and others, and tailors the requirements to an organization based on specific organizational, system and regulatory risk factors.
Can organizations in the healthcare industry, that are covered entities or business associates, address compliance with HIPAA and HITECH with the HITRUST CSF?
Yes. Absolutely. An organization can demonstrate compliance with HIPAA and HITECH with HITRUST CSF certification. The CSF integrates and harmonizes requirements from many authoritative sources such as ISO, HIPAA, HITECH and others, and tailors the requirements to a healthcare organization based on specific organizational, system and regulatory risk factors.
How many key phases are there on the path to HITRUST certification?
The HITRUST CSF standard is based on the global information security standards ISO 27001 and ISO 27002. HITRUST recognized the global nature of healthcare and the need to gain assurances around the protection of covered information from non-U.S. business associates, which led to the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) 27001:2005, Information technology – Security techniques – Information security management systems – Requirements, being used as the foundation upon which the CSF controls were built.
The HITRUST CSF is applicable to large organizations only.
False. The HITRUST CSF standard is applicable to organizations of all sizes across all industries.
The HITRUST CSF may be best described as:
The HITRUST CSF standard is flexible, comprehensive and prescriptive. By including federal and state regulations, standards and frameworks, and incorporating a risk-based approach, the HITRUST CSF helps organizations address these challenges through a comprehensive and flexible framework of prescriptive and scalable security controls.
How many control categories (or clauses) are defined in the HITRUST CSF?
How many controls are included in a HITRUST assessment?
The CSF contains 14 security Control Categories comprised of 46 Control Objectives and 149 Control Specifications. The 149 control specifications, together with their associated implementation requirements, are referred to as controls and cover security and privacy-related requirements: 135 controls cover security and some privacy-related requirements, and 14 controls cover specific privacy practices.
How many assessment options are available in the HITRUST CSF Assurance Program?
a) CSF Security Assessment: Questionnaire created utilizing ONLY the Required CSF Controls for Certification.
b) CSF Security & Privacy Assessment: Questionnaire created utilizing the Required CSF Controls for Certification as well as the Privacy Controls.
c) CSF Comprehensive Security Assessment: Questionnaire created utilizing ALL the CSF Security Controls.
d) CSF Comprehensive Security & Privacy Assessment: Questionnaire created utilizing ALL CSF Controls.
e) NIST Cyber Security Assessment: Questionnaire created utilizing only the most significant HITRUST CSF Requirement Statements that pertain to the NIST Cyber Security Framework.
Who conducts HITRUST Validated Assessments?
A HITRUST Approved (Authorized) Assessor conducts Validated Assessments. HITRUST CSF Assessors are designated organizations qualified to provide assessments for clients seeking HITRUST Certification. HITRUST practitioners are either members of a HITRUST Assessor organization who have obtained this status through the HITRUST training class and assist organizations with certifications, or independent consultants who have completed the HITRUST training class and assist organizations with self-assessments or with implementing the CSF in their environment.
Established in 1999, ecfirst is an Iowa-based corporation. ecfirst delivers complete end-to-end compliance and information security services across the United States and worldwide. ecfirst has completed several hundred information security assessments over the last few years for satisfied clients. Our team has managed assessments using various standards including, but not limited to, NIST 800-53, HITRUST, HIPAA, GDPR, ISO 27001, PCI DSS and others. We are well regarded in the industry as an affordable and high-quality team with well-established expertise in a number of fields. Many clients first engage ecfirst for its flexible services, which range from On-Demand Consulting (ODC) to Managed Compliance Services Programs (MCSPs) covering training, policies, remediation, risk assessment, technical vulnerability assessments, penetration testing and much more.
The HITRUST CSF is a common, standardized methodology to effectively and consistently measure compliance and risk via simplified information collection and reporting, consistent testing procedures and scoring, and demonstrable efficiencies and cost containment, with additional assurances around the accuracy, consistency and repeatability of assessments due to the use of pre-qualified professional services firms. All of this is designed to meet the unique regulatory and business needs of the healthcare industry. It takes a risk-based approach to selecting HITRUST CSF controls for assessment, including management oversight of the assessment. The HITRUST CSF Assurance Program delivers simplified compliance assessment and reporting that addresses healthcare federal, state and industry requirements for both covered entities and their business associates.