Understanding HITRUST from a CISO Perspective

July 25, 2017

By Ray Biondo, CISO, BEYOND LLC.

How It All Began

I am a working CISO, and for 15 years I was the CISO at one of the largest healthcare payer organizations in the US.  It seemed that all I heard was “you have to get HITRUST certified!”  However, in my mind, HITRUST was just another certification, and we already had certifications…actually I was thinking “too many certifications!”  But then I started asking why this certification is so important, and why we should spend additional resources to attain HITRUST certification.  Why would we / should we do this?

The Answer

As we know, the healthcare sector is behind other business sectors such as finance and retail when it comes to Information Security.  And, within the healthcare sector, each organization runs its information security programs differently.  We all have different requirements based on varying budgets and different levels of security maturity, which can result in inconsistent ways of protecting ePHI data.  We CISOs even tend to believe that our own organizations operate a top-notch security program – which usually is not the case.

The solution for our industry’s Information Security and for protecting ePHI data is the HITRUST CSF.  This certification is designed specifically for the healthcare sector.  HITRUST sets a de facto standard and approaches healthcare as one ecosystem driven by HIPAA, HITECH, NIST and MARS-E, to name a few…but all using the same framework – the HITRUST CSF.

The Advantages of HITRUST

The HITRUST CSF creates a “Culture of Compliance” within an organization.  This “Culture” is one that every CISO should expect from his/her team and organization.  In addition, the HITRUST CSF framework is well written and easy to understand.

HITRUST is a well-established organization that represents the healthcare sector.  HITRUST lobbies for our interests, creating a stronger healthcare community – one built for the protections and developments that our organizations deserve.

From a CISO perspective, the biggest advantage HITRUST CSF certification brings is that it identifies the security control maturity levels across your enterprise – to gain a certification, you must have proven the findings.  In my case, having the HITRUST CSF Certification made reporting to my Board of Directors easy.

The Wrap-up

Now I’m looking through a different lens. I’m, once again, a CISO, this time for BEYOND LLC, a HITRUST Assessor Organization. I have a new perspective on the HITRUST CSF.  The HITRUST CSF is a viable, quality solution to developing a framework for a strong Information Security program.  Many organizations have very little or no security around their computer information, which is shocking, but true. Often, there are few policies, fewer official procedures and very little monitoring of the systems.

Having seen some of the diverse situations that many organizations find themselves in has reinforced my belief in the importance of becoming HITRUST CSF certified.  HITRUST CSF Certification will provide a comfort level toward your organization’s due diligence. With the HITRUST CSF Certification, you will be secure in your knowledge of your internal operations; you will be comfortable monitoring your systems; ready and able to recover from any situation; and you will have peace of mind.   Having worked with BEYOND LLC clients, through their strengths and weaknesses, I can now see the high levels of competence and consistency within their Information Security programs after they have successfully completed the HITRUST CSF process and attained their HITRUST CSF certification.


Ray Biondo is CISO for BEYOND LLC.
