HITRUST, the security and privacy standards development and accreditation organization, is now providing certification against the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework). With the certification program, healthcare providers can readily report their progress to management, business partners, and regulators and demonstrate that they have met the NIST Cybersecurity Framework controls.
The NIST Cybersecurity Framework is a set of standards and best practices that guide healthcare organizations in strengthening security, managing cybersecurity risk, and protecting critical infrastructure. Many healthcare organizations have adopted the framework, but their actual status against its cybersecurity categories is often uncertain.
The HITRUST CSF Assurance Program allows healthcare providers to evaluate whether they are meeting the requirements of the NIST categories. A scorecard shows organizations whether their security program satisfies the core subcategories of the NIST Cybersecurity Framework, with a compliance rating available for each core subcategory. When an organization meets all requirements and achieves a certain score, HITRUST issues the corresponding certification against the NIST Cybersecurity Framework.
The Government Accountability Office (GAO) confirmed that the HITRUST Cybersecurity Framework supports the NIST Cybersecurity Framework and can be used by healthcare organizations to demonstrate compliance. NIST has also published implementation guidance that helps healthcare organizations put in place the controls the NIST Framework details. Organizations that do not go through the assessment process can still use that implementation guidance.
“The HITRUST CSF’s integration and harmonization of multiple industry-relevant statutory, regulatory and best practice requirements into a single, prescriptive, yet highly tailorable framework makes it extremely easy for organizations to determine an appropriate Target Profile and subsequently implement and report their progress towards a cybersecurity program that fulfills the goals and objectives of the NIST Framework.”
About 80% of hospitals and insurance companies use the HITRUST CSF Assurance Program. Through this single program, healthcare organizations can obtain certification of compliance with multiple standards and frameworks, including the HIPAA Security and Privacy Rules, ISO 27001, the NIST Cybersecurity Framework, PCI and GDPR.