Understanding HITRUST from a CISO Perspective

July 25, 2017

By Ray Biondo, CISO, BEYOND LLC.

How It All Began

I am a working CISO, and for 15 years I was the CISO at one of the largest healthcare payer organizations in the US.  It seemed that all I heard was “you have to get HITRUST certified!”  However, in my mind, HITRUST was just another certification, and we already had certifications…actually I was thinking “too many certifications!”  But then I started asking why this certification is so important, and why we should spend additional resources to attain HITRUST certification.  Why would we / should we do this?

The Answer

As we know, the healthcare sector is behind other business sectors such as finance and retail when it comes to Information Security.  And, within the healthcare sector, each organization runs its information security programs differently.  We all have different requirements based on varying budgets and different levels of security maturity, which can result in inconsistent ways of protecting ePHI data.  We CISOs even tend to believe that our own organizations operate a top-notch security program – which usually is not the case.

The solution to our industry’s Information Security challenge, and to protecting ePHI data, is the HITRUST CSF. This certification is designed specifically for the healthcare sector. HITRUST sets a de facto standard and approaches healthcare as one ecosystem driven by HIPAA, HITECH, NIST and MARS-E, to name a few, but all using the same framework: the HITRUST CSF.

The Advantages of HITRUST

The HITRUST CSF creates a “Culture of Compliance” within an organization.  This “Culture” is one that every CISO should expect from his/her team and organization.  In addition, the HITRUST CSF framework is well written and easy to understand.

HITRUST is a well-established organization that represents the healthcare sector. HITRUST lobbies for our interests, creating a stronger healthcare community, one built around the protections and developments our organizations deserve.

From a CISO perspective, the biggest advantage HITRUST CSF certification brings is that it identifies the security control maturity levels across your enterprise; to gain the certification, you must have proven the findings. In my case, having the HITRUST CSF Certification made reporting to my Board of Directors easy.

The Wrap-up

Now I’m looking through a different lens. I’m once again a CISO, this time for BEYOND LLC, a HITRUST Assessor Organization, and I have a new perspective on the HITRUST CSF. The HITRUST CSF is a viable, quality solution for developing the framework of a strong Information Security program. Many organizations have very little or no security around their information systems, which is shocking but true. Often there are few policies, fewer official procedures and very little monitoring of the systems.

Having seen some of the diverse situations that many organizations find themselves in has reinforced my belief in the importance of becoming HITRUST CSF certified. HITRUST CSF Certification provides a level of comfort about your organization’s due diligence. With the HITRUST CSF Certification, you will be secure in your knowledge of your internal operations; you will be comfortable monitoring your systems; you will be ready and able to recover from any situation; and you will have peace of mind. Having worked with BEYOND LLC clients through their strengths and weaknesses, I can now see the high levels of competence and consistency in their Information Security programs after they have successfully completed the HITRUST CSF process and attained their HITRUST CSF certification.

Ray Biondo is CISO for BEYOND LLC.
