Updated: HITRUST launches new cybersecurity certification for NIST framework
HITRUST has launched a certification program for the NIST Cybersecurity Framework. Through the HITRUST CSF Assurance Program and assessment scorecard for the NIST Framework, hospitals and health systems can deploy a more effective and efficient way to ensure security compliance.
HITRUST harmonized multiple industry-relevant statutory, regulatory and best practice requirements into a single prescriptive framework that helps healthcare organizations get a handle on their security posture and work toward building a cybersecurity program that aligns with the goals of the NIST Framework.
"There has been much discussion recently around the development of NIST industry-specific guidance for various industry sectors to help organizations implement the NIST Framework in a way that addresses their specific needs efficiently and effectively, similar to what HITRUST has done in the HPH sector," said Ken Vander Wal, chief compliance officer of HITRUST, in a statement. "HITRUST CSF assessments, together with the NIST Framework subcategory reporting format, are being used broadly to communicate information privacy and security programs to boards of directors."
The NIST Cybersecurity Framework is useful for health systems trying to safeguard themselves from an array of cyber threats, and could also be helpful as they tackle other vulnerabilities and risks enterprise-wide, as healthcare attorney Barry Herrin told Healthcare IT News recently. The NIST framework can be expanded "to set expectations about how we're going to use it to manage enterprise security – not just data security, but all kinds of security," said Herrin.
A HITRUST CSF scorecard of the NIST Framework provides compliance ratings for each NIST Framework Core Subcategory; guidance for approximating NIST Framework Implementation Tiers based on those compliance ratings; and consistent reporting across all critical infrastructure industries, officials say.
The HITRUST CSF Assurance Program can help organizations understand and report their effectiveness against many other standards and leading practice frameworks. With just one assessment, organizations can view their information privacy and security program against the HIPAA Security and Privacy Rules, NIST Framework, ISO 27001, PCI and AICPA Trust Services Criteria, and more.
"The controls framework-based approach to specifying NIST Framework Target Profiles described in the healthcare sector's implementation guide also helps one determine an industry-acceptable level of due care for the protection of sensitive health information, as required under the HIPAA Security Rule, as well as address the coming GDPR requirements," said Bryan Cline, vice president of standards and analysis at HITRUST.
Experts will address security frameworks and other pressing infosec topics at the HIMSS Healthcare Security Forum in San Francisco, June 11-12.
This story has been updated to clarify that NIST does not have a joint program with HITRUST.