HITRUST often receives questions regarding our products, services and other cybersecurity issues that affect our industry. Our Ask a HITRUST Expert feature with Dr. Bryan Cline briefly addresses some of these common questions and provides helpful links and references to clarify:
- Is the HITRUST CSF actually effective? The HITRUST CSF is the most widely adopted control framework in the industry and used for everything from a best practices reference to the basis for a certifiable information protection program. HITRUST, with the help of the healthcare industry, leveraged the risk analysis used by some of its authoritative sources, e.g., ISO/IEC 27002 and NIST SP 800-53, to generate a tailored control baseline for the healthcare industry designed to address common types of threats to common technologies and practices used in healthcare for the processing of sensitive information, but most particularly ePHI. Healthcare organizations can then tailor the HITRUST CSF controls to more closely fit their organization based on specific organizational, system and regulatory risk factors, after which they’re free to continue tailoring the controls for their unique environment.
For more information on how HITRUST provides one of the most comprehensive, tailorable and certifiable information protection frameworks in the industry, refer to the whitepaper entitled “Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection.” A more comprehensive discussion of HITRUST’s approach to risk analysis can be found in the “Risk Analysis Guide for HITRUST Organizations and Assessors,” and the “Frequently Asked Questions about the HITRUST Risk Management Framework” whitepaper provides more information on specific, related issues.
- Can an assessment of the HITRUST CSF controls demonstrate a measurable reduction in cyber risk?
Yes, and this is demonstrated by joint cyber insurance initiatives between HITRUST and insurance brokers like the Willis Group to leverage the HITRUST CSF and CSF Assurance Program’s assessment and scoring model, discussed in the Risk Analysis Guide for HITRUST Organizations and Assessors, to provide more consistent and reliable risk estimates for cyber insurance underwriters. More information on the program, including potential discounts for HITRUST CSF assessment and certification by insurers such as Allied World can be found on HITRUST’s “CSF Assurance-based Cyber Insurance Program” Webpage and in a joint HITRUST, Allied World and Willis Towers Watson press release entitled, “HITRUST CSF Certification Provides Enhanced Coverage and Reductions in Cyber Insurance Premiums.”
Dr. Bryan Cline is Vice President of Standards and Analytics at HITRUST. Twitter: @IA_Doctor
You may be interested
Improving the Throughput and Transparency of the HITRUST Assurance Program: July 2020 UpdateLacy Deatrich - Jul 27, 2020
By Bimal Sheth, Vice President of Assurance Services Welcome back for the July update in our series on Improving the…
HITRUST Answers the Call for Adapting Security and Compliance Assessments During PandemicLacy Deatrich - Jul 22, 2020
By Michael Parisi, Vice President of Assurance Strategy and Community Development As the COVID-19 pandemic hit, businesses found themselves in…