Comparing the NIST Cybersecurity Framework and HITRUST Common Security
Framework The NIST Cybersecurity Framework (NIST CsF) continues to gain traction as a tool for reporting on the maturity and effectiveness of an organization’s cyber related controls. At the same time, the HITRUST CSF continues to gain adoption as a controls and reporting framework for information privacy and security across many industries both domestically and internationally. The NIST CsF and HITRUST CSF are complementary tools and can be used together to satisfy many needs within and across organizations.
How are the NIST CsF and HITRUST CSF related?
The NIST CsF is provides a mechanism for assessing and maturing a cybersecurity program based on 98 objective-level Core Subcategories that describe intended cybersecurity outcomes. The HITRUST CSF and its Assurance Program complement the NIST CsF in two major ways: 1) the HITRUST CSF provides the details needed to implement each of the 98 cybersecurity objectives in a way that map to and meet many critical compliance and risk management standards in the most efficient way possible; and 2) the Assurance Program provides a standards-driven process to monitor, assess, and maintain those controls. Without the HITRUST CSF, practitioners using the NIST CSF must create these standards and processes themselves.
How has HITRUST enabled current NIST CsF users to get started?
With the release of HITRUST CSF v9, organizations participating in the HITRUST CSF Assurance Program can view their information privacy and security programs through the lens of the NIST CsF. The NIST CsF Scorecard, now provided in every HITRUST CSF assessment report, details how well an organization meets the objectives specified by the NIST CsF Core Subcategories based on how well it has implemented the underlying HITRUST CSF controls. And for those that do not undergo an assessment under the HITRUST CSF Assurance Program, organizations can prepare a similar report using a publicly-available cross-reference between the HITRUST CSF controls and the NIST CsF Core Subcategories.
About the HITRUST CSF Assurance Program
By leveraging the HITRUST CSF Assurance Program, an organization can perform one assessment against the HITRUST CSF framework to satisfy multiple reporting requests including HIPAA, SOC 2®, NIST Cybersecurity, MARS-E or one of the other regulations or standards incorporated into the HITRUST CSF. In short, it reduces costs, resource burdens and time via an assess once, report many approach.
Additional explanation on how the HITRUST CSF is a model implementation of the NIST CsF and provides support for an organization’s attestation of compliance with the NIST Cybersecurity Framework can be found on the Department of Homeland Security / US CERT website in the Healthcare Sector Cybersecurity Framework Implementation Guide.
You may be interested
From Providers to Patients: Time to Protect the Entire Healthcare Supply ChainLacy Deatrich - Dec 18, 2018
Written by Taylor Lehmann, Chief Information Security Officer, Wellforce The patient-care ecosystem is a complex mix of healthcare providers, payers…
New National Risk Management Center to Help Combat CybersecurityLacy Deatrich - Aug 24, 2018
Details forthcoming in new Department of Homeland Security initiative Written by Carl Anderson, Chief Legal Officer & Senior Vice President…
HITRUST 2018: Here’s an Impressive Set of Experts Ready to Share Their Risk Management KnowledgeLacy Deatrich - Aug 07, 2018
Written by HITRUST Independent Security Journalist Sean Martin. With HITRUST 2018 coming up soon—September 11-13 at the Gaylord Texan Resort…