by Jonathan Slaughter
Director of Risk and Compliance
In this post, we will share what the HITRUST Common Security Framework (CSF) is, the assurances it provides, the expectations that must be met to be a HITRUST-certified company, and the ways your organization can benefit from partnering with an organization that is HITRUST certified, including HITRUST Inheritance, which can shorten your time to certification and reduce your costs on your own journey to HITRUST certification.
What is the HITRUST CSF?
CSF stands for Common Security Framework. HITRUST is a security, privacy, and risk certification. It is provided by the HITRUST Alliance[i], which is made up of major healthcare organizations – many of them are ClearDATA customers.
The CSF provides a common set of specific security and privacy controls that organizations can put in place to help them protect the PHI/PII that they have responsibility for collecting, storing, or processing. This framework is used by both Covered Entities and Business Associates.
HITRUST was created in the late 2000s as a way to help organizations struggling to effectively meet and/or understand the HIPAA Security, Privacy and Breach Notification rules. HIPAA is both a standard and a law that healthcare organizations must conform to, but it cannot be certified against. It was put into force in 1996, before much of today’s healthcare technology was even in “pipe dream” status. As with many laws, HIPAA struggled to keep pace with technological advances. Even the later additions of the Security Rule (2002), Privacy Rule (2003) and Breach Notification Rule (2007) often addressed technology that had already been replaced or improved upon. This reactive nature created significant concerns within healthcare organizations about using technology to improve patient outcomes, and the need for a more clearly defined set of expectations became critical; thus the HITRUST CSF was born.
And while HIPAA compliance is something an organization declares it adheres to, and proves via audit when called upon to do so, HITRUST certification is earned by passing rigorous scrutiny from external third-party auditors, and the recertification process must be repeated every two years. Learn more about the differences between HIPAA and HITRUST in this blog post.
At its core, HITRUST uses a standardized risk methodology to define an organization’s expected behaviors when collecting, processing, and protecting PHI/PII. HITRUST uses three (3) primary levels based on a company’s size, complexity, and the amount of PHI it holds and/or has access to. Smaller, less complex organizations will have fewer controls than larger, more complex operations. Additionally, the HITRUST CSF has evolved to incorporate many other national and global standards (EU GDPR, 23 NYCRR Part 500, Centers for Medicare & Medicaid Services (CMS) requirements, NIST, etc.), which may impose unique control requirements above and beyond HIPAA for organizations subject to those standards and laws.
The ClearDATA HITRUST Advantage
ClearDATA first achieved HITRUST certification in 2014. Since then, our organization has successfully completed four full certifications (HITRUST CSF 6.0, 8.0, 9.1, and 9.3). Despite the exponentially more complex landscape of 2020, ClearDATA continues to prove our ability to deliver world-class levels of security and compliance to our customers, allowing them to focus on delivering world-class healthcare technology and services to patients all over the globe. Like our groundbreaking 9.1 certification in 2018, ClearDATA’s HITRUST CSF 9.3 certification covers specific ClearDATA services on all three of the major cloud platforms: Amazon Web Services, Microsoft Azure, and Google Cloud Platform.
HITRUST CSF certified status demonstrates that ClearDATA’s Healthcare Security and Compliance Platform (and solutions Comply™, Assess™, and Locate®) meets key regulatory requirements and industry-defined requirements to appropriately manage risk. This achievement places ClearDATA in an elite group of organizations worldwide that have earned this certification.
The HITRUST CSF is divided into nineteen different domains, including endpoint protection, mobile device security, and access control. HITRUST also adapts the requirements for certification to the risks of an organization based on organizational, system, and regulatory factors. Since a public cloud serves many industries, its HITRUST certification will usually be limited to the cloud’s scope of services, that is, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or in some cases even Software as a Service (SaaS). In contrast, ClearDATA exclusively serves healthcare organizations and the solution providers that support healthcare; therefore, our scope of assessment is much more comprehensive.
About the ClearDATA HITRUST Inheritance Program
The HITRUST CSF Inheritance Program[ii] simplifies the process of gaining HITRUST Certification for our customers. By working with a platform, solutions, and services partner such as ClearDATA, customers can reduce the required testing and associated costs for inherited controls in a fully automated manner.
Why HITRUST Inheritance?
Since its launch in 2017, the HITRUST Inheritance program has evolved significantly, and continues to drive value for many of ClearDATA’s customers seeking their own HITRUST certification. Healthcare organizations can leverage ClearDATA with HITRUST to simplify their own CSF Assessments in order to manage the daunting task of securing their sensitive data (PHI).
While each certification is unique, many of ClearDATA’s customers are able to inherit some controls from almost all of the 19 Domains, thus significantly reducing their time and costs to certification.
How Does Inheritance Impact the HITRUST Certification Audit Process?
Inheritance can save customers both time and money in the HITRUST certification process. In some cases, our clients have been able to shorten their time to certification by over 2 months.
ClearDATA partners with customers from the very start of this process. Once a customer has selected their assessor and started their HITRUST certification process, ClearDATA personnel are available to meet with the assessors and discuss the scope and boundaries of the assessment. We provide our insight as to what is potentially inheritable, which provides the assessor valuable information they need to focus their efforts on those control objectives the customer will own. This availability remains throughout the process, ensuring the customer and ClearDATA are always current on the expectations.
During the evidence gathering process, a ClearDATA customer would typically upload artifacts to the HITRUST MyCSF portal for each control, demonstrating their compliance with the control requirements. With Inheritance, the assessor selects the controls in question, assigns them to ClearDATA, and submits them to our team through the portal for review and approval.
The request is reviewed by ClearDATA’s Risk & Compliance team. If the request is applicable to the solution ClearDATA provides to the customer’s organization, then approval is given. Responses and approvals are generally provided within 24 hours.
Once approved by ClearDATA, the inherited controls are ready to be applied to the customer’s report by their assessor and submitted to HITRUST.
Learn more about the ClearDATA HITRUST Inheritance program here.
To learn more about how your organization can benefit from HITRUST, or speed your time to certification via HITRUST Inheritance, contact us.