January 29, 2018

5 Keys to Achieving HITRUST Success

Adopting the latest version of HITRUST’s security framework

In mid-August 2017, the newest version of HITRUST CSF, the most widely used security framework for the healthcare industry, was released. The latest iteration, version 9, has enhanced cybersecurity protocols and expanded its framework to integrate broader regulatory requirements. Adopting version 9 provides organizations with stronger security measures to mitigate risk while meeting compliance regulations. Version 9 has adopted the NIST Cybersecurity (CsF) Framework, which brings organizations closer to achieving a NIST Cybersecurity Certification. As security threats continue to become more sophisticated, certification controls have also increased.

Adopting the latest version of HITRUST takes effective planning and management with its accompanying HITRUST certification. Here are five steps to achieving success in implementing version 9 of HITRUST CSF for your organization.

1. Conduct a Gap Assessment with the Latest HITRUST Version

Performing a gap analysis is critical in in determining any changes and updates your company will need to make to prepare for HITRUST certification.  Identifying gaps and the commensurate remediation steps at the onset of your HITRUST journey will set your organization down an effective path to certification.

Compared to the previous version of HITRUST, version 9 HITRUST CSF has adopted the NIST Cybersecurity (CsF) framework. Version 9 also increases the number of required security controls for certification from 66 to 75. The new 19 security controls establish enhanced security steps to mitigate risk from remote diagnostics to mobile code execution, log management as well as proactive business continuity planning and more. Version 9 also integrates other industry standard security protocols for financial transactions, DHS cybersecurity, civil rights and federal regulations for electronic signatures. New frameworks integrated into Version 9 include FFIEC (Federal Financial Institutions Examination Council), FedRAMP (Federal Risk and Authorization Management Program), DHS CRR (Department of Homeland Security (DHS) Critical Resilience Review), OCR (Office of Civil Rights) Audit Protocol v2 and CFR (Code of Federal Regulations) part 11. The newest version is in greater alignment with the Department of Homeland Security’s Healthcare sector cybersecurity framework.

2. Budget Appropriate Resources for Policy and Procedure Writing

This upgrade in the HITRUST security framework is significant and most organizations will need to invest time and energy to update their security frameworks. In addition, it is important to plan for the necessary investment in writing and as well as any changes to your policies and procedures needed to meet certification requirements.

Organizations can expect a 75% increase in the number of requirements they will need to meet in their HITRUST environments. Every year, HITRUST assesses the security landscape and then reviews CSF controls to make sure security risks are mitigated and compliance is met for certified organizations. Organizations can expect ongoing increases in certification controls as security threats become more sophisticated. Plan ahead by allocating sufficient resources to write new policies and procedures.

3. Use an Experienced Assessor Firm

Choose a senior assessor firm with significant proven experience to assist you in conducting a thorough gap analysis, planning out your certification requirements and helping you develop an implementation strategy for version 9. At Tevora, we follow a proven four-step process to compliance starting with a gap analysis and moving on to preparation, self-assessment assistance and certification.

4. Develop a Requirement Implementation Strategy

After your company has completed a gap analysis, allocated funds for policy and procedure in writing and chosen an experienced assessor firm, it’s time to fully develop your requirement implementation strategy. This strategy is unique to your organization as each organization functions differently and has its own processes. Your assessor firm can assist you with the development of this strategy.  Effectively choosing which requirements to fully implement and which requirements to pass on for the time being can greatly impact your HITRUST engagement’s efficiency and timeliness.

5. Use Effective Project Management for the Remediation of Gaps

You may discover several gaps in your cybersecurity protocols and other areas of your business operations as you aim to meet the new comprehensive version 9 requirements that consider additional aspects of your organization such as financial transactions, civil rights, electronic signatures and cybersecurity requirements. This can be challenging particularly for an organization with many established processes. However, effective planning through project management can break down this large endeavor into manageable tasks to address each area that needs to be updated for compliance.

About the Author

John Huckeby is the managing director of healthcare and life sciences at Tevora.