The HITRUST CSF Assurance and Third-Party Assurance Programs Benefit the Entire Industry

February 20, 2017

Written by HITRUST Independent Security Journalist Sean Martin.

Healthcare organizations must regularly assess their vendors in order to understand their adherence to privacy and security practices. Without that knowledge, they can’t determine risk, and without determining risk, they can’t manage that risk, let alone ensure their own compliance with industry regulations. That’s where the HITRUST CSF Assurance program comes in, helping organizations manage those assessments with standardized templates and tools.

At the same time, vendors and business associates serving those healthcare companies need to document their privacy and security practices in order to facilitate those assessments. That’s where the HITRUST CSF Third-Party Assurance program has a role to play, making it easy for vendors to supply relevant information to their customers and prospective customers in an efficient, consistent manner.

To get a sense of how well these two programs are working, HITRUST recently surveyed healthcare organizations and their business partners about the value of these two assurance programs. You can read the full report here.

Here are a few of the highlights:

  • Healthcare organizations are justifiably concerned about letting business partners access their environment, including the network, applications and data. Although partners sign nondisclosure and business associate agreements, signatures can only go so far and security is only as good as its weakest link – the industry clearly recognizes that third parties cannot be that weakest link.
  • Survey respondents said that the HITRUST programs help strengthen their security posture in today’s fast-evolving environment: “HITRUST evolves to meet the changing landscape.”
  • A challenge for vendors is the lack of consistency in customer assessment reporting requirements, which means that assessments often have to be laboriously researched and written from scratch – for each and every partner. That problem is addressed by the HITRUST CSF, which provides a common template for risk assessments. If customers can accept one comprehensive standard, the industry can devote fewer resources to compliance reporting, allocating those resources to what really matters – providing better healthcare.
  • Another concern and frustration for vendors: a lack of realism in their customers’ requirements, which means that the vendor ends up attempting to demonstrate compliance with nonsensical issues that don’t reflect real-world threats against the customers’ assets.
  • The HITRUST CSF programs reduce cost, and sometimes in unexpected ways. For example, one respondent cited using its HITRUST CSF assessment as a useful document when applying for their cyber-security insurance policy.
  • The HITRUST CSF Assessments provide universal concepts and vocabulary that can be shared with a company’s employees — helping them talk about, understand and build security into their daily tasks with intelligence and understanding as opposed to rote response.
  • Respondents agree that the “network effect” will continue to enhance the value of the HITRUST CSF programs – the more healthcare organizations and business partners, the greater the benefit to the entire industry. HITRUST was encouraged to do “more marketing, more evangelism, more promotion to help tell the story.”
  • Finally, it was clear that the HITRUST CSF Third-Party Assurance program reduces the burden on suppliers, rather than adding to it. Vendors were urged to adopt the CSF framework in a practical manner consistent with the range of services a company provides, being mindful of the varied industries that suppliers may serve.

The August 2016 report, “The HITRUST CSF Assurance and Third-Party Assurance Programs: Delivering Confidence, Managing Risk, Inspiring Excellence in Healthcare IT,” may be downloaded from here.
