Choosing a Privacy and Security Framework Doesn’t Have to Be An “Either-or” Proposition: The HITRUST CSF for HIPAA and NIST CsF

February 20, 2017

By Dr. Bryan Cline, VP of Standards and Analytics at HITRUST.

Although the HIPAA Security Rule has been in effect for a decade — and the HITRUST CSF has been around for almost as long — I’m still surprised by the misconceptions and confusion about both that persist in the industry. Adding to the confusion is the recent introduction of the NIST Framework for Improving Critical Infrastructure Cybersecurity, more commonly known as the NIST Cybersecurity Framework (NIST CsF).

From my perspective, much of this confusion stems from an “either-or” proposition on which one to implement: the HIPAA Security Rule, the HITRUST CSF, or the NIST CsF. However, this is a “red herring” argument. The HITRUST CSF was designed to be used by healthcare organizations to fully address the standards and implementation specifications of the HIPAA Security Rule — including the risk analysis requirement — and the objectives specified by the NIST CsF Core Subcategories.

There also seems to be an inaccurate perception by some in the industry that implementing the HITRUST CSF is much more difficult than merely implementing the HIPAA Security Rule. They see the HIPAA Security Rule as a “hill” and the HITRUST CSF as a “mountain,” because of the CSF’s comprehensive treatment of the risks to ePHI. This couldn’t be further from the truth.

Compliance with the HIPAA Security Rule requires addressing its standards and implementation specifications, which involves determining an organization’s requirements, performing a risk assessment, and evaluating and addressing the gaps in the required controls. This is why HIPAA compliance is neither quick nor easy; if it were, you’d see far fewer breaches in the industry.

Fortunately, HITRUST does much of the hard work for you and makes compliance with the HIPAA Security Rule easier. In fact, there are many benefits to adopting the HITRUST CSF to support HIPAA compliance and information risk management, plus the additional bonus of leveraging an industry-accepted level of due care and due diligence for the protection of ePHI. That’s a “win-win” from anyone’s perspective.

The same is true for the NIST CsF. Like the HIPAA Security Rule’s standards and implementation specifications, the NIST CsF Core Subcategories provide high-level objectives for cybersecurity and organizational resilience. And while the NIST CsF only offers informative references to example controls for achieving these objectives, the HITRUST CSF provides a complete set of security controls, tailored specifically for the healthcare industry, that addresses all of the NIST CsF objectives.

In fact, the HITRUST CSF provides the foundation for the healthcare and public health sector-specific guidance on implementing the NIST CsF, available on the US-CERT Cybersecurity Framework website.

These misconceptions (and several others) are addressed in more detail in HITRUST’s RMF FAQ whitepaper. I encourage anyone who has questions about the HITRUST CSF, and its relationship to regulations like HIPAA and other frameworks like the NIST CsF, to check it out. It will also point you to other helpful resources that further explain the HITRUST approach to cybersecurity and risk management, and how all these seemingly disparate pieces fit together. You’ll be glad you did!

You can always reach out to HITRUST if you have any questions.

Dr. Bryan Cline is Vice President of Standards and Analytics at HITRUST.
