The Health Information Trust Alliance (HITRUST), security and privacy standards development and accreditation organization, announced this week a certification program for the National Institute of Standards and Technology's (NIST) Cybersecurity Framework (Framework).
Through the HITRUST CSF Assurance Program and assessment scorecard for the NIST Framework, HITRUST offers security teams an effective and efficient means to report on their implementation of the framework to upper management, business partners, and regulators and to assure their compliance with the NIST Framework’s objectives, according to the organization. HITRUST CSF is a controls-based risk management framework that aligns with and supports the NIST Framework.
The HITRUST CSF’s integration and harmonization of multiple industry-relevant statutory, regulatory and best practice requirements into a single, prescriptive, yet highly tailorable framework makes it extremely easy for organizations to determine an appropriate Target Profile and subsequently implement and report their progress towards a cybersecurity program that fulfills the goals and objectives of the NIST Framework.
“There has been much discussion recently around the development of NIST industry-specific guidance for various industry sectors to help organizations implement the NIST Framework in a way that addresses their specific needs efficiently and effectively, similar to what HITRUST has done in the HPH sector. HITRUST CSF assessments, together with the NIST Framework subcategory reporting format, are being used broadly to communicate information privacy and security programs to boards of directors,” Ken Vander Wal, HITRUST Chief Compliance Officer, said in a statement.
“The controls framework-based approach to specifying NIST Framework Target Profiles described in the healthcare sector’s implementation guide also helps one determine an industry-acceptable level of due care for the protection of sensitive health information, as required under the HIPAA Security Rule, as well as address the coming GDPR [General Data Protection Regulation] requirements,” Dr. Bryan Cline, VP standards and analysis, HITRUST, and an author of the HPH sector guide, said.
A HITRUST CSF scorecard of the NIST Framework provides compliance ratings for each NIST Framework Core Subcategory, guidance for approximating NIST Framework Implementation Tiers based on the compliance ratings, and consistent reporting across all critical infrastructure industries.
The HITRUST CSF Assurance Program can also help organizations understand and report their effectiveness against many other standards and leading practice frameworks. With just one assessment, organizations can view their information privacy and security program against the HIPAA Security and Privacy Rules, NIST Framework, GDPR, International Organization for Standardization (ISO) 27001, Payment Card Industry (PCI) and the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria, and can even obtain a Service Organization Control (SOC) 2 report.
According to the organization, HITRUST CSF is the most widely adopted controls framework in healthcare. “And our next release, version 10, will further streamline the HITRUST CSF to help organizations outside of healthcare and the United States more easily leverage the framework and achieve the same benefits for NIST Cybersecurity Framework implementation,” Cline said.
Organizations can obtain a HITRUST certification of their cybersecurity program’s implementation against the NIST Framework by submitting an assessment through the current HITRUST CSF Assurance Program.