HITRUST Certification: What Is It and Why Is It Important For Data Protection?

By Paul Banco, CEO and co-founder, etherFAX.  


As a data protection standards and development certification organization, HITRUST helps organizations safeguard sensitive data and manage IT risk across all industries and throughout the third-party supply chain. Since it was founded in 2007, the HITRUST Common Security Framework (CSF) has become the gold standard among compliance frameworks in the healthcare industry, as it addresses the requirements of existing standards and regulations including HIPAA, PCI, COBIT, NIST, ISO, FTC, and state laws.

To become HITRUST certified, an organization must first complete a HITRUST CSF Readiness assessment to determine how well its current security and privacy controls align with the requirements defined in the HITRUST CSF. The organization can then select a certified HITRUST CSF Assessor Firm that will perform several risk assessments, audits, and quality assurance procedures over the course of two to four months.

The HITRUST CSF has 19 different domains including healthcare data protection and privacy, endpoint protection, mobile device security, incident management, and disaster recovery. An organization will be scored on these assessments and must meet a minimum compliance level to become HITRUST certified.

Research has shown 97 percent of organizations that pursue a HITRUST Certified Security Framework certification rapidly improve their information security posture to meet certification and, most importantly, maintain their security posture. Furthermore, with a mature information protection program in place, organizations are less likely to suffer a breach and are more likely to be able to contain and minimize the impact of a breach, should one occur.

Organizations that implement a robust information security continuous monitoring (ISCM) program such as HITRUST to continually assess the state of their information security controls not only achieve higher levels of maturity, but also make better and more timely decisions.

Additional benefits include on-demand, real-time insight into organizational security and compliance risk posture, better prioritization of remediation activities, and a higher level of assurance. Forrester Consulting also found that organizations with identity and access management (IAM) practices generate 90% more productivity, save 40% in technology costs, and save an average of $5 million in breach costs.

While the HITRUST CSF can be used by all organizations that create, access, store, or exchange sensitive and/or regulated data, it is ideal for healthcare because of its prescriptive framework for managing the security requirements inherent in the Health Insurance Portability and Accountability Act. HITRUST offers providers a trusted benchmark from which they can measure and manage their own compliance, while offering proven protection to their patients and partners.

As cybersecurity threats and data breaches show no signs of slowing down, healthcare organizations must mitigate any potential vulnerabilities from the tools and technology utilized within their practice. Fax is a perfect example. When choosing a fax service provider, it’s important for healthcare organizations to take HITRUST certification into consideration to ensure that all regulatory compliance standards for data protection are met.

The ideal fax service provider should also provide HIPAA and SOC compliance to protect the integrity of protected health information (PHI) as well as multiple defense-in-depth strategies, including two-factor authentication and end-to-end encryption, to guarantee that patient data and business-critical information remain secure while in transit and at rest. Ultimately, utilizing a HITRUST certified fax provider will allow physicians to deliver a more personalized, higher quality healthcare experience to patients as they will no longer be preoccupied with the remediation activities and regulatory inquiries that stem from data breaches and disrupt hospital services.

