HITRUST often receives questions regarding our products, services and other cybersecurity issues that affect our industry. Our Ask a HITRUST Expert feature with Dr. Bryan Cline briefly addresses some of these common questions and provides helpful links and references for clarification:
- Is the HITRUST CSF actually effective?
The HITRUST CSF is the most widely adopted control framework in the industry and is used for everything from a best practices reference to the basis for a certifiable information protection program. HITRUST, with the help of the healthcare industry, leveraged the risk analysis used by some of its authoritative sources, e.g., ISO/IEC 27002 and NIST SP 800-53, to generate a tailored control baseline for the healthcare industry. This baseline is designed to address common types of threats to common technologies and practices used in healthcare for the processing of sensitive information, most particularly ePHI. Healthcare organizations can then tailor the HITRUST CSF controls to more closely fit their organization based on specific organizational, system and regulatory risk factors, after which they’re free to continue tailoring the controls for their unique environment.
For more information on how HITRUST provides one of the most comprehensive, tailorable and certifiable information protection frameworks in the industry, refer to the whitepaper entitled “Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection.” A more comprehensive discussion of HITRUST’s approach to risk analysis can be found in the “Risk Analysis Guide for HITRUST Organizations and Assessors,” and the “Frequently Asked Questions about the HITRUST Risk Management Framework” whitepaper provides more information on specific, related issues.
- Can an assessment of the HITRUST CSF controls demonstrate a measurable reduction in cyber risk?
Yes, and this is demonstrated by joint cyber insurance initiatives between HITRUST and insurance brokers like the Willis Group. These initiatives leverage the HITRUST CSF and the CSF Assurance Program’s assessment and scoring model, discussed in the Risk Analysis Guide for HITRUST Organizations and Assessors, to provide more consistent and reliable risk estimates for cyber insurance underwriters. More information on the program, including potential discounts for HITRUST CSF assessment and certification by insurers such as Allied World, can be found on HITRUST’s “CSF Assurance-based Cyber Insurance Program” webpage and in a joint HITRUST, Allied World and Willis Towers Watson press release entitled, “HITRUST CSF Certification Provides Enhanced Coverage and Reductions in Cyber Insurance Premiums.”
Dr. Bryan Cline is Vice President of Standards and Analytics at HITRUST. Twitter: @IA_Doctor