In 2021, healthcare data breaches hit a new record high, affecting 45 million people.
With an exorbitant amount of patient data, healthcare is one of the most at-risk industries for data breaches. Every second, new healthcare records are stored and transmitted between healthcare providers, pharmaceutical companies, and integrated technologies. So, it’s not surprising that one wouldn’t have to look too far to read about a healthcare data breach.
Those familiar with the world of cybersecurity recognize HITRUST as a preeminent data security standard for safeguarding healthcare information.
This resource will give you a stronger understanding of the HITRUST framework, including security benefits, costs and how to prepare for certification.
Let’s get started.
HITRUST stands for Health Information Trust Alliance. It was created in 2007 as an independent, not-for-profit organization with the goal to develop and enhance security programs designed to safeguard Protected Health Information, or PHI.
Initially, the Alliance was founded to create a third-party certification for the healthcare industry that also incorporates HIPAA controls, known as the HITRUST Common Security Framework (HITRUST CSF). Since its inception, the Alliance has broadened its services and capabilities to help organizations across multiple industries manage risk and compliance.
Nonetheless, HITRUST CSF remains a go-to security framework for healthcare organizations, with 81% of hospitals and 80% of health plans leveraging the framework.
The HITRUST CSF is a widely-adopted Common Security Framework (CSF) that provides organizations across industries with a comprehensive approach to implementing and demonstrating compliance with a broad range of security standards and regulatory frameworks.
This risk- and compliance-based framework encompasses a variety of security standards such as ISO 27001/2, SOC 2, PCI, SSAE 16, NIST, HIPAA, and many more. Because of its universal approach, organizations can implement HITRUST CSF to tailor their security programs based on organization type, size, systems and compliance requirements.
A HITRUST Validated Assessment is a certification for organizations that handle PHI or other forms of sensitive information that must be protected. The goal of HITRUST certification is to provide industries with a single, holistic approach to managing risk and demonstrating compliance. When an organization passes a HITRUST Validated Assessment and receives a certification letter, this letter and the associated report demonstrate to the organization’s customers and stakeholders that it has taken steps to rigorously protect the sensitive information in its care.
While HITRUST is not federally mandated, it does encompass several federally-mandated controls including HIPAA, ISO and PCI, making it a desirable framework for companies that also need to demonstrate compliance in these frameworks.
No. Any organization, regardless of industry, can seek HITRUST certification. Whether you’re seeking HITRUST for a startup, or a large organization, HITRUST can be a valuable framework to consider even outside of healthcare.
While we mostly refer to healthcare providers throughout this resource, more organizations are adopting HITRUST due to its comprehensive nature.