
HITRUST Provides NIST Cybersecurity Framework Certification

May 23, 2018
by Heather Landi

The Health Information Trust Alliance (HITRUST), a security and privacy standards development and accreditation organization, announced this week a certification program for the National Institute of Standards and Technology's (NIST) Cybersecurity Framework (Framework).

Through the HITRUST CSF Assurance Program and an assessment scorecard for the NIST Framework, HITRUST says it offers security teams an effective and efficient means to report on their implementation of the Framework to upper management, business partners, and regulators, and to assure their compliance with the NIST Framework's objectives. HITRUST CSF is a controls-based risk management framework that aligns with and supports the NIST Framework.

According to HITRUST, the CSF's integration and harmonization of multiple industry-relevant statutory, regulatory and best-practice requirements into a single, prescriptive, yet highly tailorable framework makes it easy for organizations to determine an appropriate Target Profile and subsequently implement, and report progress toward, a cybersecurity program that fulfills the goals and objectives of the NIST Framework.

“There has been much discussion recently around the development of NIST industry-specific guidance for various industry sectors to help organizations implement the NIST Framework in a way that addresses their specific needs efficiently and effectively, similar to what HITRUST has done in the HPH sector. HITRUST CSF assessments, together with the NIST Framework subcategory reporting format, are being used broadly to communicate information privacy and security programs to boards of directors,” Ken Vander Wal, HITRUST Chief Compliance Officer, said in a statement.

“The controls framework-based approach to specifying NIST Framework Target Profiles described in the healthcare sector’s implementation guide also helps one determine an industry-acceptable level of due care for the protection of sensitive health information, as required under the HIPAA Security Rule, as well as address the coming GDPR [General Data Protection Regulation] requirements,” Dr. Bryan Cline, VP standards and analysis, HITRUST, and an author of the HPH sector guide, said.

A HITRUST CSF scorecard for the NIST Framework provides compliance ratings for each NIST Framework Core Subcategory, guidance for approximating NIST Framework Implementation Tiers based on those compliance ratings, and consistent reporting across all critical infrastructure industries.

The HITRUST CSF Assurance Program can also help organizations understand and report their effectiveness against many other standards and leading-practice frameworks. With a single assessment, organizations can view their information privacy and security program against the HIPAA Security and Privacy Rules, the NIST Framework, GDPR, International Organization for Standardization (ISO) 27001, the Payment Card Industry (PCI) standard and the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria, and can also obtain a Service Organization Control (SOC) 2 report.

According to the organization, HITRUST CSF is the most widely adopted controls framework in healthcare. “And our next release, version 10, will further streamline the HITRUST CSF to help organizations outside of healthcare and the United States more easily leverage the framework and achieve the same benefits for NIST Cybersecurity Framework implementation,” Cline said.

Organizations can obtain a HITRUST certification of their cybersecurity program’s implementation against the NIST Framework by submitting an assessment through the current HITRUST CSF Assurance Program.
