HITRUST often receives questions regarding our products, services and other cybersecurity issues that affect our industry. Our Ask a HITRUST Expert feature with Dr. Bryan Cline briefly addresses some of these common questions and provides helpful links and references to clarify:
- Is the HITRUST CSF actually effective? The HITRUST CSF is the most widely adopted control framework in the industry and used for everything from a best practices reference to the basis for a certifiable information protection program. HITRUST, with the help of the healthcare industry, leveraged the risk analysis used by some of its authoritative sources, e.g., ISO/IEC 27002 and NIST SP 800-53, to generate a tailored control baseline for the healthcare industry designed to address common types of threats to common technologies and practices used in healthcare for the processing of sensitive information, but most particularly ePHI. Healthcare organizations can then tailor the HITRUST CSF controls to more closely fit their organization based on specific organizational, system and regulatory risk factors, after which they’re free to continue tailoring the controls for their unique environment.
For more information on how HITRUST provides one of the most comprehensive, tailorable and certifiable information protection frameworks in the industry, refer to the whitepaper entitled “Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection.” A more comprehensive discussion of HITRUST’s approach to risk analysis can be found in the “Risk Analysis Guide for HITRUST Organizations and Assessors,” and the “Frequently Asked Questions about the HITRUST Risk Management Framework” whitepaper provides more information on specific, related issues.
- Can an assessment of the HITRUST CSF controls demonstrate a measurable reduction in cyber risk?
Yes, and this is demonstrated by joint cyber insurance initiatives between HITRUST and insurance brokers like the Willis Group to leverage the HITRUST CSF and CSF Assurance Program’s assessment and scoring model, discussed in the Risk Analysis Guide for HITRUST Organizations and Assessors, to provide more consistent and reliable risk estimates for cyber insurance underwriters. More information on the program, including potential discounts for HITRUST CSF assessment and certification by insurers such as Allied World can be found on HITRUST’s “CSF Assurance-based Cyber Insurance Program” Webpage and in a joint HITRUST, Allied World and Willis Towers Watson press release entitled, “HITRUST CSF Certification Provides Enhanced Coverage and Reductions in Cyber Insurance Premiums.”
Dr. Bryan Cline is Vice President of Standards and Analytics at HITRUST. Twitter: @IA_Doctor
You may be interested
From Providers to Patients: Time to Protect the Entire Healthcare Supply ChainLacy Deatrich - Dec 18, 2018
Written by Taylor Lehmann, Chief Information Security Officer, Wellforce The patient-care ecosystem is a complex mix of healthcare providers, payers…
New National Risk Management Center to Help Combat CybersecurityLacy Deatrich - Aug 24, 2018
Details forthcoming in new Department of Homeland Security initiative Written by Carl Anderson, Chief Legal Officer & Senior Vice President…
HITRUST 2018: Here’s an Impressive Set of Experts Ready to Share Their Risk Management KnowledgeLacy Deatrich - Aug 07, 2018
Written by HITRUST Independent Security Journalist Sean Martin. With HITRUST 2018 coming up soon—September 11-13 at the Gaylord Texan Resort…