HITRUST often receives questions regarding our products, services and other cybersecurity issues that affect our industry. Our Ask a HITRUST Expert feature with Dr. Bryan Cline briefly addresses some of these common questions and provides helpful links and references to clarify:
- Is the HITRUST CSF actually effective? The HITRUST CSF is the most widely adopted control framework in the industry and used for everything from a best practices reference to the basis for a certifiable information protection program. HITRUST, with the help of the healthcare industry, leveraged the risk analysis used by some of its authoritative sources, e.g., ISO/IEC 27002 and NIST SP 800-53, to generate a tailored control baseline for the healthcare industry designed to address common types of threats to common technologies and practices used in healthcare for the processing of sensitive information, but most particularly ePHI. Healthcare organizations can then tailor the HITRUST CSF controls to more closely fit their organization based on specific organizational, system and regulatory risk factors, after which they’re free to continue tailoring the controls for their unique environment.
For more information on how HITRUST provides one of the most comprehensive, tailorable and certifiable information protection frameworks in the industry, refer to the whitepaper entitled “Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection.” A more comprehensive discussion of HITRUST’s approach to risk analysis can be found in the “Risk Analysis Guide for HITRUST Organizations and Assessors,” and the “Frequently Asked Questions about the HITRUST Risk Management Framework” whitepaper provides more information on specific, related issues.
- Can an assessment of the HITRUST CSF controls demonstrate a measurable reduction in cyber risk?
Yes, and this is demonstrated by joint cyber insurance initiatives between HITRUST and insurance brokers like the Willis Group to leverage the HITRUST CSF and CSF Assurance Program’s assessment and scoring model, discussed in the Risk Analysis Guide for HITRUST Organizations and Assessors, to provide more consistent and reliable risk estimates for cyber insurance underwriters. More information on the program, including potential discounts for HITRUST CSF assessment and certification by insurers such as Allied World can be found on HITRUST’s “CSF Assurance-based Cyber Insurance Program” Webpage and in a joint HITRUST, Allied World and Willis Towers Watson press release entitled, “HITRUST CSF Certification Provides Enhanced Coverage and Reductions in Cyber Insurance Premiums.”
Dr. Bryan Cline is Vice President of Standards and Analytics at HITRUST. Twitter: @IA_Doctor
You may be interested
Ensuring the Integrity of HITRUST CSF® AssessmentsSandra Omielanczuk - Jan 29, 2019
By Ken Vander Wal, Chief Compliance Officer HITRUST® There is a common theme among many of our clients following their…
Improving Cloud Security with a Shared Responsibility ModelSierra Reed - Jan 07, 2019
HITRUST streamlines the process to determine who’s responsible for what security controls among your service providers By Hector Rodriguez, Worldwide…
From Providers to Patients: Time to Protect the Entire Healthcare Supply ChainLacy Deatrich - Dec 18, 2018
Written by Taylor Lehmann, Chief Information Security Officer, Wellforce The patient-care ecosystem is a complex mix of healthcare providers, payers…