“HiTRUST: Burdensome, But Worth It if You Have the Resources”
For the past few months the challenges facing the country’s medical infrastructure has been all over the news. Mostly these issues have focused on medical supplies and capacity, but as with any organization the IT needs of these medical facilities are also of the utmost criticality.
The ultimate guiding goal of cybersecurity is “CIA,” Confidentiality, Integrity and Availability. While confidentiality of patient information is always a top priority, during this pandemic it is crucial that systems are up and available (Availability,) and that the data on them is reliable (Integrity).
The gold standard for cybersecurity certification in the medical industry is HiTRUST.
HiTRUST maintains a gigantic and ever-evolving standard called the HiTRUST CSF. It contains hundreds of controls grouped by category that cover every aspect of cybersecurity. Furthermore, the controls are mapped to other standards and regulations that may be applicable to organizations implementing the framework. All controls will fall into one of 19 domains that encompass all areas of cybersecurity.
At first glance, HiTRUST seems daunting, and nearly impossible to implement. In truth however, HiTRUST, while difficult to implement, is not nearly as daunting as it seems at first. This is because HiTRUST has a proprietary portal application called myCSF which customizes the particular controls needed on a case by case basis. Most organizations will only be required to comply with a fraction of the entire standard.
However, even the fraction of controls required of an organization will be very broad, powerful, and yes, very burdensome. Besides the required technical implementations (organizations will likely need disk encryption, web proxies, and a fully functional IDS in place), it is typical to have over 20 different types of mandatory reviews over the course of a year to keep in compliance! HiTRUST compliance will require both the compliance officer and every staff member to remain highly committed and occupied with HiTRUST mandates every single day of the year. An organization that considers itself “lean and mean” will no longer be that with HiTRUST in place.
The upside is that an organization who implements HiTRUST will have an extremely powerful information security management program that grows with the organization, and is very well respected and trusted. I personally am impressed by what HiTRUST offers, and I would recommend it to any organization that can handle the load.