According to a 2017 Ponemon study on data risk, 50% of organizations don’t know who has access to their data, how they’re using it, or what safeguards are in place to mitigate a security incident. If you store, transfer, and manage sensitive data, the importance of data security cannot be overstated. In order to focus on your core business, many of you outsource all or some of your IT needs to vendors. As a result, you and your vendors share the responsibility for data security. Let’s explore how the HITRUST Common Security Framework (CSF) facilitates data integrity, availability, and confidentiality across your network.
Why the Need for Secure Hosting?
In 2017, 85% of CEOs said cyber threats posed the greatest threat to the growth of their organization [1], and 90% of healthcare organizations have had 1-5 data breaches in the past 2 years [2]. It’s clear that despite best efforts, organizations find it difficult to defend their critical data against evolving cyber threats. Lack of resources, guidance, and expertise are often to blame. Nevertheless, with the average data breach in the U.S. reaching $7.35 million this year, hoping for the best is no longer a viable option [3].
Trend Micro conducted a 10-year study to find out which industries were the most targeted victims of data breaches. It’s no coincidence that those with valuable, sensitive data are top targets, with healthcare, education, and government at the top of the list. These industries have the most to lose from data breaches, and the most to gain from HITRUST’s framework.
Source: Trend Micro 2005-2015 Data Breach Study
Breaches originate from many sources—from weak infrastructures to malicious insiders to organized cyber criminals—but developing a comprehensive risk management strategy greatly reduces the chances of an incident.
How Does HITRUST Facilitate Security and Compliance?
The Health Information Trust Alliance Common Security Framework (HITRUST CSF) is a standardized security framework, assessment, and certification process for organizations in the healthcare industry—but is also beneficial for other industries that have sensitive data requirements.
When your organization is required to be compliant, you strive to follow certain standards because it’s the law. However, compliance offers no guarantee that policies and procedures adequately address risks associated with sensitive data, specifically as they relate to your unique business. Certifications offer the only true method for validation. Compliance regulations provide a minimum standard, while the HITRUST certification goes beyond compliance to employ best practices in information security.
There are compliance frameworks, like HIPAA, that offer no certification or standardization. This is because of the wide variety of healthcare organizations that use the HIPAA Security Rule and Privacy Rule. No two healthcare organizations are alike, so it’s difficult to create a single set of security requirements that can be applied across the entire industry.
HITRUST offers a prescriptive way to achieve security and compliance for your technology, policies, and processes.
How Can You Benefit from HITRUST?
You save considerable time and money when developing your information security policies and procedures, and you can expedite your compliance audits when working with a HITRUST-certified IT provider. The controls that are in place help you secure your infrastructure and your assets, and prevent issues before they occur. These top benefits are passed on to you:
- Alignment with national standards/requirements
- Supports assessment of your current and targeted cybersecurity posture
- Helps identify gaps in programs and resources
- Supports standardized audits and reporting documentation
- Identifies opportunities to improve management processes for cybersecurity risk
- Facilitates business continuity
The HITRUST CSF addresses controls that overlap with multiple regulatory requirements, so with a single assessment you can demonstrate how your security program meets all of them and simplify your own company’s certification. For instance, a healthcare SaaS provider that also captures payment information must comply with both HIPAA and PCI requirements.
What Are HITRUST’s Controls and Standards?
HITRUST builds on HIPAA, NIST, PCI, and ISO 27001/2 by creating a standardized compliance framework, assessment, and certification process. As previously mentioned, some guidelines are elastic and use phrases such as “reasonable and appropriate” protection, whereas HITRUST provides actionable guidance. It incorporates regulations and standards from international, federal, state, and third-party organizations to create a gold standard for data security and compliance.
Source: HITRUST Alliance
The CSF is designed and maintained by HITRUST—a collection of healthcare industry leaders who collaborate with technology and security experts—to improve information security in data systems and exchanges.
The HITRUST CSF is comprehensive, featuring 13 control categories and 3 levels of implementation, from network protection to physical and environmental security and everything in between.
Control Categories Examples:
- Physical and Environmental Security
- Access Control
- Risk Management
- Security Policy
- Business Continuity
To achieve HITRUST CSF certification, an organization must demonstrate that it has met all the controls outlined in the CSF at the appropriate level. The company must achieve a rating of 3 or higher on HITRUST’s 1 to 5 scale for each control domain, and the audit must be conducted by a third party.
Learn More About HITRUST and the Importance of Secure Hosting for Sensitive Data
You and your customers rely on the integrity of the provider’s data systems and their standards for information security. It is critical to choose a provider with strict security controls to help guarantee the protection of your data.
If you’re interested in learning more about how HITRUST can help keep your valuable data secure, it’s a good idea to talk to the experts. OnRamp has a dedicated compliance team specializing in secure, compliant solutions that meet your strict regulatory mandates. We’re happy to help—contact us today.
[1] “PwC 2017 CEO Survey”
[2] “Ponemon 6th Annual Study on Privacy of Healthcare Data”