Choosing a Privacy and Security Framework Doesn’t Have to Be An “Either-or” Proposition: The HITRUST CSF for HIPAA and NIST CsF

February 20, 2017

By Dr. Bryan Cline, VP of Standards and Analytics at HITRUST.

Although the HIPAA Security Rule has been in effect for a decade — and the HITRUST CSF has been around for almost as long — I’m still surprised by the misconceptions and confusion about both that persist in the industry. Adding to the confusion is the recent introduction of the NIST Framework for Improving Critical Infrastructure Cybersecurity, more commonly known as the NIST Cybersecurity Framework (NIST CsF).

From my perspective, much of this confusion stems from an “either-or” proposition on which one to implement: the HIPAA Security Rule, the HITRUST CSF, or the NIST CsF. However, this is a “red herring” argument. The HITRUST CSF was designed to be used by healthcare organizations to fully address the standards and implementation specifications of the HIPAA Security Rule — including the risk analysis requirement — and the objectives specified by the NIST CsF Core Subcategories.

There also seems to be an inaccurate perception by some in the industry that implementing the HITRUST CSF is much more difficult than merely implementing the HIPAA Security Rule. They see the HIPAA Security Rule as a “hill” and the HITRUST CSF as a “mountain,” because of the CSF’s comprehensive treatment of the risks to ePHI. This couldn’t be further from the truth.

Compliance with the HIPAA Security Rule requires addressing its standards and implementation specifications — which involves determining an organization’s requirements, performing a risk assessment, and evaluating and addressing the gaps in the required controls. This is why HIPAA compliance is not quick or easy; if it were, you’d see a lot fewer breaches in the industry.

Fortunately, HITRUST does much of the hard work for you, making compliance with the HIPAA Security Rule easier. In fact, there are many benefits in adopting the HITRUST CSF to support HIPAA compliance and information risk management — plus, you get the additional bonus of leveraging an industry-accepted level of due care and due diligence for the protection of ePHI. That’s a “win-win” from anyone’s perspective.

The same is true for the NIST CsF. Like the HIPAA Security Rule’s standards and implementation specifications, the NIST CsF Core Subcategories provide high-level objectives for cybersecurity and organizational resilience. And while the NIST CsF only points to informative references as examples of specific security controls that can achieve these objectives, the HITRUST CSF provides a complete set of security controls — tailored specifically for the healthcare industry — that addresses all of the NIST CsF objectives.

In fact, the HITRUST CSF provides the foundation for the health and public health sector-specific implementation guidance for the NIST CsF that is available on the US-CERT Cybersecurity Framework website.

These misconceptions (and several others) are addressed in more detail in HITRUST’s RMF FAQ whitepaper. I encourage anyone who has questions about the HITRUST CSF — and its relationship to regulations like HIPAA and other frameworks like the NIST CsF — to check it out. It will also point you to other helpful resources that further explain the HITRUST approach to cybersecurity and risk management, and how all these seemingly disparate pieces fit together. You’ll be glad you did!

You can always reach out to HITRUST if you have any questions.

