Blog   |   Compliance   |   March 26, 2018

HITRUST: Data Security Controls for the Healthcare Industry

Are You HITRUST Compliant?

As the healthcare industry becomes more and more IT-driven, keeping our personal medical information private and secure is paramount. To this end, government bodies around the globe have established mandatory data security regulations for healthcare organizations, with severe penalties for non-compliance. Among the best-known regulations are HIPAA (Health Insurance Portability and Accountability Act) in the U.S., and the GDPR (General Data Protection Regulation), which came into effect in the EU in May 2018 and has special provisions for personal health information.

One of the first things that healthcare organizations look for when evaluating healthcare IT solutions is robust compliance with all relevant health data protection regulations. Achieving comprehensive compliance, however, is not always easy in a fragmented global regulatory environment. In this article, we take a look at HITRUST, a healthcare industry initiative that has put forward a harmonized, scalable, and certifiable framework of data protection controls.


Industry Self-Regulation at its Best

HITRUST (Health Information Trust Alliance) is a privately held company that was established by healthcare industry leaders to provide a harmonized, certifiable framework for all organizations that create, access, store, or exchange sensitive and/or regulated health data. The global healthcare players who stand behind HITRUST include top-tier HMOs, private payers, providers, vendors, and distributors/retailers such as Kaiser Permanente, Humana, IMS Health, Hospital Corporation of America, McKesson, and Walgreens.

The HITRUST Common Security Framework (CSF), which is already in Version 9, is a comprehensive, risk-oriented framework of data security controls based on globally recognized standards, regulations, and business requirements, including ISO, NIST, PCI, HIPAA, and state laws. In order to achieve maximum clarity, the CSF is carefully divided into 19 different domains such as Endpoint Protection, Mobile Device Security, Network Protection, Audit Logging & Monitoring, and Data Protection & Privacy. It provides 135 specific controls, each with several implementation levels, so that the controls can be scaled according to the type, size, complexity, and risk profile of the healthcare organization.

Like PCI in the payments industry, HITRUST compliance by healthcare vendors is voluntary, but it is quickly becoming a standard expected by covered entities such as hospitals and payers. HITRUST certification is tiered into three degrees of assurance: self-assessment, CSF Validated, and CSF Certified. The latter two require a third-party CSF assessor; large companies such as AT&T, BDO, and the Big Four auditing firms (PwC, Deloitte, KPMG, and EY) are active in this field, along with many lesser-known entities.


CloudCheckr and HITRUST

In addition to its cost and asset management benefits, CloudCheckr’s enterprise-grade Cloud Management Platform helps healthcare organizations monitor, audit, and maintain compliance with many of the underlying data security controls across their cloud infrastructure, including multi-cloud deployments. CloudCheckr’s 600+ Best Practice Checks detect access control and other data security misconfigurations, with automated fixes that can be adapted to each organization’s hierarchy and workflow.

Many of CloudCheckr’s Best Practice Checks have a one-to-one relationship with controls from various security standards, such as those of the Center for Internet Security (CIS). Indeed, the CIS Benchmarks are directly integrated into CloudCheckr, so enterprises can check their CIS “Score” without leaving the app and fix issues from within the CloudCheckr console.

With ever more stringent regulatory scrutiny and with cloud-based solutions becoming the norm, the healthcare industry is embracing management platforms like CloudCheckr CMx as essential tools to achieve optimal business outcomes.


Total Compliance with 35 Major Regulatory Standards

By following compliance best practices, healthcare organizations stay audit-ready with a reliable “paper trail.” Schedule a demo to see how CloudCheckr can keep your cloud secure and compliant.