HITRUST often receives questions regarding our products, services and other cybersecurity issues that affect our industry. Our Ask a HITRUST Expert feature with Dr. Bryan Cline briefly addresses some of these common questions and provides helpful links and references to clarify:
- Is the HITRUST CSF actually effective? The HITRUST CSF is the most widely adopted control framework in the industry and used for everything from a best practices reference to the basis for a certifiable information protection program. HITRUST, with the help of the healthcare industry, leveraged the risk analysis used by some of its authoritative sources, e.g., ISO/IEC 27002 and NIST SP 800-53, to generate a tailored control baseline for the healthcare industry designed to address common types of threats to common technologies and practices used in healthcare for the processing of sensitive information, but most particularly ePHI. Healthcare organizations can then tailor the HITRUST CSF controls to more closely fit their organization based on specific organizational, system and regulatory risk factors, after which they’re free to continue tailoring the controls for their unique environment.
For more information on how HITRUST provides one of the most comprehensive, tailorable and certifiable information protection frameworks in the industry, refer to the whitepaper entitled “Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection.” A more comprehensive discussion of HITRUST’s approach to risk analysis can be found in the “Risk Analysis Guide for HITRUST Organizations and Assessors,” and the “Frequently Asked Questions about the HITRUST Risk Management Framework” whitepaper provides more information on specific, related issues.
- Can an assessment of the HITRUST CSF controls demonstrate a measurable reduction in cyber risk?
Yes, and this is demonstrated by joint cyber insurance initiatives between HITRUST and insurance brokers like the Willis Group to leverage the HITRUST CSF and CSF Assurance Program’s assessment and scoring model, discussed in the Risk Analysis Guide for HITRUST Organizations and Assessors, to provide more consistent and reliable risk estimates for cyber insurance underwriters. More information on the program, including potential discounts for HITRUST CSF assessment and certification by insurers such as Allied World can be found on HITRUST’s “CSF Assurance-based Cyber Insurance Program” Webpage and in a joint HITRUST, Allied World and Willis Towers Watson press release entitled, “HITRUST CSF Certification Provides Enhanced Coverage and Reductions in Cyber Insurance Premiums.”
Dr. Bryan Cline is Vice President of Standards and Analytics at HITRUST. Twitter: @IA_Doctor
You may be interested
HITRUST® Grows Its Privacy Controls and ActivitiesLacy Deatrich - Jun 05, 2019
By Natalie Leutwyler, Lead Privacy Analyst, and Anne Kimbol, Chief Privacy Officer Recently a number of important privacy initiatives and…
HITRUST’s Contribution to Healthcare’s New ‘Network of Networks’Lacy Deatrich - May 17, 2019
HITRUST’s Role in the New Trusted Exchange Framework and Connected Agreement (TEFCA) By Anne Kimbol, Chief Privacy Officer, HITRUST The…
HITRUST’s Shared Responsibility Working Group Ensuring Efficient Operation of Security Controls for Customer of Cloud Services and Cloud ProvidersLacy Deatrich - May 09, 2019
By Matthew Datel, Director of Education and Strategic Initiatives and Becky Swain, Director, Standards Development, HITRUST Since September 2018, the…