HITRUST

Last updated

HITRUST is a privately held for-profit company located in Frisco, Texas, United States. It is solely owned by Daniel S. Nutkis who is the President and CEO. HITRUST in collaboration with healthcare, technology and information security organizations, established the HITRUST CSF. The company claims CSF is a comprehensive, prescriptive, and certifiable framework, that can be used by all organizations that create, access, store or exchange sensitive and/or regulated data.

Contents

HITRUST originally served as an acronym for "Health Information Trust Alliance", but the company has since rebranded as simply HITRUST. HITRUST includes a for-profit division (HITRUST Services Corp) and a not-for-profit division (HITRUST Alliance).

The HITRUST CSF

The HITRUST CSF (created to stand for "Common Security Framework", since rebranded as simply the HITRUST CSF) is a prescriptive set of controls that meet the requirements of multiple regulations and standards. [1] [2] The framework provides a way to comply with standards such as ISO/IEC 27000-series and HIPAA. [3] [4] Since the HITRUST CSF incorporates various security, privacy, and other regulatory requirements from existing frameworks and standards, some organizations utilize this framework to demonstrate their security and compliance in a consistent and streamlined manner. [5] Organizations can complete a self-assessment using the HITRUST framework, or they can engage with a HITRUST assessor for an external, third-party engagement.

HITRUST CSF has garnered criticism for being "cumbersome, expensive, arbitrary, unnecessarily complex", and using "outdated data". [6] [4]

Current version 11.3 of the HITRUST Framework (HITRUST CSF®) was released on April 16, 2024. [7]

Executive Council

HITRUST is led by a management team and governed by an Executive Council made up of leaders from across a variety of industry. These leaders represent the governance of the organization, but other founders also comprise the leadership to ensure the framework meets the short- and long-term needs of the entire industry.

Executive Council members represent the following organizations:

Related Research Articles

<span class="mw-page-title-main">Audit</span> Independent examination of an organization

An audit is an "independent examination of financial information of any entity, whether profit oriented or not, irrespective of its size or legal form when such an examination is conducted with a view to express an opinion thereon." Auditing also attempts to ensure that the books of accounts are properly maintained by the concern as required by law. Auditors consider the propositions before them, obtain evidence, roll forward prior year working papers, and evaluate the propositions in their auditing report.

In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Compliance has traditionally been explained by reference to deterrence theory, according to which punishing a behavior will decrease the violations both by the wrongdoer and by others. This view has been supported by economic theory, which has framed punishment in terms of costs and has explained compliance in terms of a cost-benefit equilibrium. However, psychological research on motivation provides an alternative view: granting rewards or imposing fines for a certain behavior is a form of extrinsic motivation that weakens intrinsic motivation and ultimately undermines compliance.

<span class="mw-page-title-main">Federal Information Security Management Act of 2002</span> United States federal law

The Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

ISACA is an international professional association focused on IT governance. On its IRS filings, it is known as the Information Systems Audit and Control Association, although ISACA now goes by its acronym only. ISACA currently offers 8 certification programs, as well as other micro-certificates.

Information security standards are techniques generally outlined in published materials that attempt to protect a user's or organization's cyber environment. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.

The Agreement on Technical Barriers to Trade, commonly referred to as the TBT Agreement, is an international treaty administered by the World Trade Organization. It was last renegotiated during the Uruguay Round of the General Agreement on Tariffs and Trade, with its present form entering into force with the establishment of the WTO at the beginning of 1995, binding on all WTO members.

Software asset management (SAM) is a business practice that involves managing and optimizing the purchase, deployment, maintenance, utilization, and disposal of software applications within an organization. According to ITIL, SAM is defined as “…all of the infrastructure and processes necessary for the effective management, control, and protection of the software assets…throughout all stages of their lifecycle.” Fundamentally intended to be part of an organization's information technology business strategy, the goals of SAM are to reduce information technology (IT) costs and limit business and legal risk related to the ownership and use of software, while maximizing IT responsiveness and end-user productivity. SAM is particularly important for large corporations regarding redistribution of licenses and managing legal risks associated with software ownership and expiration. SAM technologies track license expiration, thus allowing the company to function ethically and within software compliance regulations. This can be important for both eliminating legal costs associated with license agreement violations and as part of a company's reputation management strategy. Both are important forms of risk management and are critical for large corporations' long-term business strategies.

The Payment Card Industry Data Security Standard is an information security standard used to handle credit cards from major card brands. The standard is administered by the Payment Card Industry Security Standards Council, and its use is mandated by the card brands. It was created to better control cardholder data and reduce credit card fraud. Validation of compliance is performed annually or quarterly with a method suited to the volume of transactions:

An environmental audit is a type of evaluation intended to identify environmental compliance and management system implementation gaps, along with related corrective actions. In this way they perform an analogous (similar) function to financial audits. There are generally two different types of environmental audits: compliance audits and management systems audits. Compliance audits tend to be the primary type in the US or within US-based multinationals.

Information technology risk, IT risk, IT-related risk, or cyber risk is any risk relating to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Revolution has led to organizations becoming increasingly dependent on information, information processing and especially IT. Various events or incidents that compromise IT in some way can therefore cause adverse impacts on the organization's business processes or mission, ranging from inconsequential to catastrophic in scale.

Security information and event management (SIEM) is a field within computer security that combines security information management (SIM) and security event management (SEM) to enable real-time analysis of security alerts generated by applications and network hardware. SIEM systems are central to the operation of security operations centers (SOCs), where they are employed to detect, investigate, and respond to security incidents. SIEM technology collects and aggregates data from various systems, allowing organizations to meet compliance requirements while safeguarding against threats.

The Global Food Safety Initiative (GFSI) is a private organization that works as a "coalition of action" from the Consumer Goods Forum (CGF) and brings together retailers and brand owners (manufacturers) from across the CGF membership. The GFSI operates under multi-stakeholder governance, with the objective to create "an extended food safety community to oversee food safety standards for businesses and help provide access to safe food for people everywhere". GFSI's work in benchmarking and harmonization aims to foster mutual acceptance of GFSI-recognized certification programs across the industry, with the ambition to enable a "once certified, accepted everywhere" approach.

<span class="mw-page-title-main">Cloud Security Alliance</span>

Cloud Security Alliance (CSA) is a not-for-profit organization with the mission to “promote the use of best practices for providing security assurance within cloud computing, and to provide education on the uses of cloud computing to help secure all other forms of computing.”

Lockpath is a governance, risk management, and compliance and information security software platform based in Overland Park, Kansas. Its Keylight platform integrates business processes to simplify risk management and regulatory compliance challenges. Common business areas Lockpath target are policy and procedure management, risk assessment, incident management, vulnerability management, vendor management, business continuity planning and internal audit preparation.

ISO/IEC 27001 is an international standard to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, revised in 2013, and again most recently in 2022. There are also numerous recognized national variants of the standard. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) – the aim of which is to help organizations make the information assets they hold more secure. Organizations that meet the standard's requirements can choose to be certified by an accredited certification body following successful completion of an audit. A SWOT analysis of the ISO/IEC 27001 certification process was conducted in 2020.

<span class="mw-page-title-main">International Certification Accreditation Council</span>

The International Certification Accreditation Council (ICAC) is an alliance of organizations dedicated to assuring competency, professional management, and service to the public by encouraging and setting standards for licensing, certification, and credentialing programs.

The NIST Cybersecurity Framework (CSF) is a set of voluntary guidelines designed to help organizations assess and improve their ability to prevent, detect, and respond to cybersecurity risks. Developed by the U.S. National Institute of Standards and Technology (NIST), the framework was initially published in 2014 for critical infrastructure sectors but has since been widely adopted across various industries, including government and private enterprises globally. The framework integrates existing standards, guidelines, and best practices to provide a structured approach to cybersecurity risk management.

Hixny is a not-for-profit, health information exchange (HIE) serving the Hudson Valley, Capital, Southern Tier, and North Country regions of New York State. A health information exchange connects fragmented personal health information between different organizations for improved overall healthcare.

The Cybersecurity Maturity Model Certification (CMMC) is an assessment framework and assessor certification program designed to increase the trust in measures of compliance to a variety of standards published by the National Institute of Standards and Technology.

ISO/IEC 5230 is an international standard on the key requirements for a high-quality open source license compliance program. The standard was published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in late 2020. The standard is based on the Linux Foundation OpenChain Specification 2.1. It focuses on software supply chains, easier procurement and license compliance. Organizations that meet the requirements of the standard can self-certify to ISO/IEC 17021, from an accredited certification body or after successfully completing an audit.

References

  1. Bosworth, Seymour; Kabay, M. E.; Whyne, Eric (2014). Computer Security Handbook, Set. John Wiley & Sons. ISBN   9781118851746 . Retrieved 16 May 2019.
  2. Snedaker, Susan (2013). Business Continuity and Disaster Recovery Planning for IT Professionals. Newnes. ISBN   9780124114517 . Retrieved 17 May 2019.
  3. "What is HITRUST CSF Certification?". Datica Health. Retrieved 17 May 2019.
  4. 1 2 Schreider, Tari (2017). Building Effective Cybersecurity Programs: A Security Manager's Handbook. Rothstein Publishing. ISBN   9781944480509 . Retrieved 16 May 2019.
  5. "Microsoft Compliance. Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) (2019)".
  6. "Delaware Health Information Network Pursues HITRUST Certification". www.govtech.com. Retrieved 20 August 2019. In an open letter to the HITRUST Alliance written and posted to LinkedIn last year, a network security professional named Kamal Govindaswamy questioned the usefulness of the HITRUST CSF, describing it as "cumbersome, expensive, arbitrary, unnecessarily complex" and using "outdated data."
  7. "HITRUST Announces CSF v11.3.0". HITRUST Alliance. Retrieved 22 April 2024.