The HITRUST CSF™ is growing in popularity — it’s used by 26.4% of healthcare companies as their cybersecurity framework for HIPAA compliance, according to the 2018 HIMSS Cybersecurity Survey.
While HITRUST certification is a competitive differentiator for healthcare software and services companies in 2018, it will likely be table stakes in the next 1-3 years. The big health insurance companies are asking all of their vendors for proof of HITRUST certification, and it’s wise to begin thinking about it now — before lack of HITRUST certification hurts your business.
Last week, VP of Product Steve Zeller gave an information-packed webinar on HITRUST on Amazon Web Services (AWS), told through the story of a healthcare SaaS company that Logicworks recently helped build a HITRUST-compliant cloud environment.
Highlights from the Webinar:
- In June 2015, several of the largest organizations adopting the framework announced that in roughly two years they would only work with Business Associates that had achieved HITRUST CSF™ certification. This caused a dramatic rise in interest in the HITRUST CSF, particularly among software and digital health companies that sell services to those organizations.
- The HITRUST CSF integrates the requirements of the HIPAA Security Rule with the standards of NIST, HITECH, PCI DSS, and other control sets, so that one set of implemented controls can be mapped to several regulatory requirements at once.
- The HITRUST CSF is a cybersecurity framework that can be used (like NIST, ISO, etc.) as the foundation for your HIPAA assessment.
- According to HITRUST, the HITRUST CSF amounts to “credible HIPAA compliance”.
- HITRUST states that HITRUST CSF certification has previously been accepted by the HHS Office for Civil Rights (OCR) as supplementary evidence of HIPAA compliance.
- HIPAA addresses compliance only; HITRUST promotes security while also addressing compliance.
The HITRUST Assessment Process
- Begin with a Self-Assessment so that you can work out kinks prior to formal Assessment
- The formal Assessment must be performed by an approved CSF Assessor
- Each control is scored from 0 to 100 across five maturity levels: Policy, Procedure, Implemented, Measured, and Managed
- A score of 71.00 or greater is required on each control to pass the Assessment without a Corrective Action Plan (CAP)
- Corrective Action Plans must be completed by the Interim Assessment
Real-Life Example: A Population Health SaaS Company
- A subsidiary of a major health insurance company that provides online diabetes and weight-loss support had an existing relationship with AWS and Logicworks
- The company wanted to rebuild its environment to HITRUST standards in under 6 months
- The company chose a CSF Assessor (Coalfire) and got access to the MyCSF Portal (a yearly subscription, starting at $12,500)
- The process starts by identifying the set of controls that apply to your organization; the company determined it would need to satisfy about 375 separate controls
- Of those 375 controls, the company was responsible for about 200, and Logicworks and AWS for about 175
- This is a shared-responsibility split: AWS covers the physical security controls, Logicworks covers all infrastructure-level security configuration, and the company covers the application and personnel controls
- The company realized that most of the effort of HITRUST certification is in collecting, managing, and updating documentation related to controls already in place
- Most of the infrastructure-level controls that were implemented by Logicworks were related to the following CSF domains: Information Protection Program, Vulnerability Management, Network Protection, Password Management, and Data Protection & Privacy.
- Automation is key to continuous compliance; Logicworks uses services such as AWS CloudFormation, Puppet, Chef, Ansible, and AWS deployment services like AWS CodeDeploy to ensure that IT controls are maintained even as the cloud environment changes.
- The re-architecture took 6 months, and the company passed its HITRUST audit in March 2017.
- Logicworks reduced the company's time-to-compliance by an estimated 6-8 months.
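To make the "automation is key to continuous compliance" point concrete, here is an added example (not Logicworks' or HITRUST's tooling, and not code from the webinar) of the kind of check that keeps infrastructure-level controls in place as an environment changes: a small policy scanner that runs over a CloudFormation template (JSON form) before it is deployed and flags resources that would break a Network Protection or Data Protection & Privacy control. The mapping of each check to a CSF domain uses the domain names from the webinar, but the specific rules (only ports 80/443 may be open to the internet; EBS, RDS and S3 must be encrypted at rest) are assumptions about what such controls require, not HITRUST's own requirement statements. The sample template is constructed for the example and the code uses only the Python standard library, so it runs offline.

```python
"""Static control checks over a CloudFormation template (JSON form).

Added example, not Logicworks' or HITRUST's code. The checks below are
assumptions about what a Network Protection / Data Protection control
would require, mapped to the CSF domain names used in the webinar.
"""
import json
from typing import List, NamedTuple


class Finding(NamedTuple):
    resource: str   # logical resource ID in the template
    domain: str     # CSF domain the failed check is mapped to
    message: str


# Assumption: only the public web listeners may be open to the internet;
# SSH, RDP, database ports and the like must be restricted to known CIDRs.
PUBLIC_PORTS = {80, 443}
ANY_CIDRS = {"0.0.0.0/0", "::/0"}


def _rule_ports(rule: dict) -> set:
    """Expand one ingress rule into the set of ports it opens."""
    if rule.get("IpProtocol") in ("-1", -1):      # all protocols / all ports
        return set(range(0, 65536))
    lo = int(rule.get("FromPort", 0))
    hi = int(rule.get("ToPort", lo))
    return set(range(lo, hi + 1))


def check_security_group(name: str, props: dict) -> List[Finding]:
    """Network Protection: no non-public port reachable from any address."""
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr not in ANY_CIDRS:
            continue
        exposed = _rule_ports(rule) - PUBLIC_PORTS
        if exposed:
            findings.append(Finding(
                name, "Network Protection",
                f"ingress from {cidr} on non-public port(s), e.g. {min(exposed)}"))
    return findings


def check_encryption(name: str, rtype: str, props: dict) -> List[Finding]:
    """Data Protection & Privacy: data at rest must be encrypted."""
    domain = "Data Protection & Privacy"
    if rtype == "AWS::EC2::Volume" and not props.get("Encrypted"):
        return [Finding(name, domain, "EBS volume is not encrypted")]
    if rtype == "AWS::RDS::DBInstance" and not props.get("StorageEncrypted"):
        return [Finding(name, domain, "RDS storage is not encrypted")]
    if rtype == "AWS::S3::Bucket" and "BucketEncryption" not in props:
        return [Finding(name, domain, "S3 bucket has no default encryption")]
    if rtype == "AWS::EC2::Instance":
        for bdm in props.get("BlockDeviceMappings", []):
            if not bdm.get("Ebs", {}).get("Encrypted"):
                return [Finding(name, domain, "attached EBS device is not encrypted")]
    return []


def check_template(template: dict) -> List[Finding]:
    """Run every check over every resource; an empty list means compliant."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype = res.get("Type", "")
        props = res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            findings += check_security_group(name, props)
        findings += check_encryption(name, rtype, props)
    return findings


# Constructed sample template (not from the page): a mix of compliant and
# non-compliant resources so the scanner has something to flag.
SAMPLE_TEMPLATE = json.loads("""
{ "Resources": {
  "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
     "GroupDescription": "public web",
     "SecurityGroupIngress": [
       {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
  "AdminSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
     "GroupDescription": "ssh from anywhere (violates the control)",
     "SecurityGroupIngress": [
       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
  "PhiVolume": {"Type": "AWS::EC2::Volume", "Properties": {
     "Size": 100, "AvailabilityZone": "us-east-1a"}},
  "PhiDb": {"Type": "AWS::RDS::DBInstance", "Properties": {
     "Engine": "postgres", "DBInstanceClass": "db.t3.medium",
     "AllocatedStorage": "100", "StorageEncrypted": true}},
  "Exports": {"Type": "AWS::S3::Bucket", "Properties": {}}
}}
""")


if __name__ == "__main__":
    for f in check_template(SAMPLE_TEMPLATE):
        print(f"FAIL [{f.domain}] {f.resource}: {f.message}")
```

Run against the sample, the scanner flags AdminSg (SSH open to the world), PhiVolume (unencrypted EBS) and Exports (no default bucket encryption), while WebSg and PhiDb pass. Wiring a check like this into the pipeline that applies templates (and re-running it against the deployed stack on a schedule) is what turns a one-time audit finding into a control that stays enforced, which is the property the assessor expects to see evidence of at the Interim Assessment.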