Unique Challenge
To protect data properly, it must be managed properly. Founded in 2007, the Health Information Trust Alliance (HITRUST) was created to help organizations from all sectors – especially healthcare – effectively manage data, risk, and compliance. The healthcare industry created HITRUST to do the heavy lifting by integrating multiple international, federal, state and industry legislation, regulations, standards, and best practice frameworks.
The HITRUST Common Security Framework (CSF) is a certifiable security and privacy framework that features a list of prescriptive controls and requirements used to meet HIPAA expectations to protect sensitive data. As there is no official compliance designation associated with the HIPAA Security Rule, HITRUST often fills this role.
Additionally, Electronic Personal Health Information (ePHI) doesn’t live exclusively in a locked-down database. To fully protect ePHI, we must understand where all ePHI is located, which requires data inventory and data-flow mapping.
Failure to protect sensitive data could result in a range of HIPAA violations, including:
- A Tier 1 violation is simply being unaware of the HIPAA violation if it is found that the enterprise did not exercise reasonable due diligence, a $25,000 fine.
- A Tier 2 violation is not acting on a known violation, or by exercising reasonable diligence, would have known about the violation, a $100,000 fine.
- A Tier 3 violation involves addressing a willful neglect issue within 30 days, a $250,000 fine.
- A Tier 4 violation is willful neglect of HIPAA rules where no effort was made to correct the violation in a timely manner, a $1.5 million fine.
Apply Data Governance Principles
The most robust approach to HITRUST starts with data governance: Identifying how sensitive data is created, used, and deleted throughout the organization. This helps ensure the HITRUST review is comprehensive and complete.
Implementing data governance will aid all other security and privacy efforts as well, including GDPR, CPRA, protection against ransomware and other malware, and more.
Data Governance Best Practices
An organization has a much better opportunity to meet the expectations of HIPAA regulations when a datacentric culture is in place.
The following mindset best positions an organization to begin the HITRUST journey:
- Use data encryption, both at-rest and in-transit – a key data security best practice.
- Practice data-flow mapping and inventory management.
- Identify and classify sensitive data.
- Establish a data usage policy to control access to sensitive data.
- Know which vendors manage what data and understand their data protection policy.
- Practice minimal data collection.
- Establish robust data security.
- Encourage education and awareness.
Risk-Based Approach
Many enterprises formulate their security posture based on available resources. This is dangerous, because it can lead to omitting critical aspects of security from the plan and goals, rather than advocating for the necessary resources to protect critical resources.
HITRUST uses a risk-based data protection approach, which enables companies to analyze threats, prioritize all critical security activities, fosters an organization-level discussion of risk tolerance, and leads to a more complete and mature security posture.
The HITRUST Risk Management Framework (RMF) streamlines the risk and compliance process by providing a comprehensive, prescriptive, and scalable framework for protecting sensitive healthcare information by providing a lexicon (vocabulary) and taxonomy (classification/structure) for information security risk management. This methodology guides an enterprise when it comes to evaluating and treating information security risks. Structured on ISO/27001 and NIST SP 800-53, HITRUST RMF provides an authoritative resource for enterprises to meet compliance needs. The HITRUST RMF is aligned to HIPAA’s Security Rule categories: Administrative, Technical and Physical, which employs a four-step process:
- Identify risks and define protection requirements
- Classify information ePHI assets
- Inventory and categorize ePHI assets
- Identify anticipated threats
- Assess potential vulnerabilities
- Determine impact
- Assess and rank potential risks
- Develop risk strategy and formulate plan of action
- Specify compensating controls based on the risk analysis process
- Controls are selected by completing the control-based risk analysis, which is accomplished when the level of impact is specified: Low, Medium or High
- Implement and manage controls
- The HITRUST RMF provides an overlay of the HITRUST CSF, which builds on the NIST control framework. This helps organizations dealing with ePHI achieve standardized security capabilities, consistency of implementation and cost-effective security solutions
- Assess and report
- Review the resulting overlay assessment periodically
Proven Impact
Unify helps organizations meet HIPAA requirements by utilizing the HITRUST frameworks. Success is building a datacentric culture that creates long-lasting compliance.
Want to learn more about how your organization can best utilize the HITRUST frameworks? Contact Unify Consulting where we’ll equip your organization to build an actionable plan to properly protect and manage data.