A growing number of digital health companies are being asked to adopt the HITRUST standard. You too may soon get asked. HITRUST is now the compliance standard for many large healthcare organizations like Anthem, Health Care Services Corp., Highmark, Humana, and UnitedHealth Group.
So what is HITRUST? The HITRUST Common Security Framework (CSF) takes applicable parts of existing standards and regulations such as ISO 27001/2, SOC II, SSAE 16, the NIST Cyber Security Framework and the OCR HIPAA Audit protocols, and presents it as a “common” framework. Hence the name, Common Security Framework.
For the average digital health company, HITRUST certification can be a daunting task. Most organizations are required to manage their information security and compliance to multiple standards and regulations, not just HITRUST. So how do you build HITRUST certification into the mix of other information security standards and regulations you are already working to meet?
The HITRUST Requirement
Let’s look at the essentials that HITRUST certification requires:
Evidence gathering and storage (logs and other data)
Up-to-date policy and procedure documentation
Scheduled and tracked compliance activities (training, acknowledgments, document management, vendor and asset management)
It is important to know that for a HITRUST audit, you must use a HITRUST-approved assessor and you must use their online software tool, myCSF, to complete the certification process. So you will need to be sure that you can create, manage and track the evidence as required for a HITRUST assessment, and be able to deliver it to the assessor/auditor.
Your security framework and evidence gathering must be ready to go no matter which organization is conducting an audit.
Our suggestion? Leverage an information security and compliance tool such as MyVCMTM to streamline all of the data collection and evidence gathering that the HITRUST assessor needs for an audit. For instance, evidence required for HITRUST certification can be tagged for relevant industry controls and easily exported for upload to the HITRUST myCSF tool. It’s an effective, efficient way to provide auditors with all of the security and compliance evidence needed, and it allows you to be in a state of permanent readiness for any audit, from HIPAA to HITRUST.
Don’t get caught short when the HITRUST requirement is delivered. Build your security and risk management program into MyVCM in advance so you are ready with all the evidence and compliance data you are required to present as part of the HITRUST certification process. In doing so you will have it for all other standards and regulations as well.