Five Key HITRUST Developments To Monitor In 2020

Cybersecurity incidents continue to place immense pressure on healthcare organizations globally, jeopardizing not just patient data and the reputations of leading healthcare companies, but more importantly, patient safety. In each of the past two years, three-quarters of healthcare organizations experienced a significant security incident, according to the 2019 HIMSS Cybersecurity Survey. Organizations certified under HITRUST (Health Information Trust Alliance), the most widely adopted security framework in the U.S. healthcare industry, provide their patients and partners peace of mind, representing they have established a control environment to safeguard patient information.

Cybersecurity threats continue to evolve, so the HITRUST CSF must evolve as well. Here are five key HITRUST developments that healthcare organizations and other companies should monitor in 2020.
 

1.       COVID-19’s Impact on the HITRUST CSF

During times of rapid change, internal controls and information security requirements often must adapt to the new circumstances. The COVID-19 pandemic certainly qualifies as one of these times. On March 5, HITRUST released an advisory waiving the requirement that in-person / on-site validation procedures be performed at the assessed entity’s facilities. “In situations where assessors choose to leverage alternative approaches such as video conferencing to perform necessary walkthroughs and observations, assessment documentation must clearly reflect the nature, timing, and extent of the alternative approaches used,” the announcement said. On March 19, HITRUST issued a separate advisory stating that it isn’t currently issuing a blanket extension of timing-related requirements tied to assessments, although extensions are possible on a case-by-case basis. We will be closely monitoring the situation to see if HITRUST announces any additional COVID-19-related advisories that directly affect the certification process. HITRUST advisories on can be found on its CSF Assurance & Implementation Bulletin.
 

2.       HITRUST CSF Version 10

HITRUST CSF version 10 is expected to be released in December 2020. Although the timing of this release could still change, a few things are fairly certain. HITRUST CSF Version 10 is expected to continue HITRUST’s efforts to be more industry-agnostic and accommodate the needs of industries such as travel, tourism and financial services, as HITRUST expands its focus beyond healthcare. This is expected to be accomplished through a combination of changes. These include the establishment of a “core” or baseline set of implementation requirements and controls for all organizations and a new focus on choosing additional relevant regulatory factors to determine the scope of assessments. These changes will be supported by providing clearer and more consistent language and syntax for implementation requirements and further use and leverage of the new shared responsibility matrix (more on this below).
 

3. PRISMA Weighting Updates

HITRUST CSF’s PRISMA weighting scale previously gave equal importance to policies (25%), procedures (25%), and implementation (25%), with measurement and management making up the remaining 25%. In 2020, those weightings have shifted to emphasize the importance of effective implementation of the controls necessary to obtain HITRUST CSF certification. The new weightings will be 15% for policies, 20% for procedures, 40% for implementation, 10% for measurement, and 15% for management. See HITRUST’s recent webinar for more information.

The message from these PRISMA weighting updates is clear: having well-documented policies and procedures is not enough; strong implementation of internal controls is essential to HITRUST CSF certification.
 

4. New Shared Responsibility Program and Matrix

Continued growth in cloud computing has spurred other changes to the HITRUST CSF assessment and certification processes. In addition to meeting its own requirements, HITRUST CSF-certified cloud providers working with healthcare organizations are encouraged to operate within HITRUST’s new shared responsibility matrix. This shared responsibility matrix is designed to avoid misunderstandings about who owns and is responsible for various sharable and inheritable controls when a healthcare organization is working with cloud computing vendors. This is particularly important when healthcare organizations use applications that reside in different cloud environments that must communicate and share data. The shared responsibility matrix was developed with input from the top 20 cloud providers in the market to ensure its effectiveness and relevance. Over the next 12 to 18 months, HITRUST will continuously release guidance on how the Shared Responsibility Program can be best utilized.
 

5. Additional HITRUST Tools and Resources

Several HITRUST resources are being updated or have seen more robust usage:

  • The HITRUST Threat Catalogue, which was initially published in late 2018, is designed to provide organizations with greater visibility into the threats they face and how those threats tie to appropriate HITRUST CSF control requirements. The catalogue is continually updated to ensure that healthcare organizations have the latest information about relevant threats and can continue to meet their control responsibilities and HIPAA compliance requirements.
  • A growing number of healthcare IT startups have begun using the HITRUST RightStart Program to establish their compliance and risk management programs. This is part of an increasing trend throughout the healthcare ecosystem to find innovative solutions through startups, which now join providers, hospital systems, and insurance companies in seeking HITRUST CSF certification.
  • More healthcare organizations are now using the HITRUST Assessment Exchange to obtain and manage information on vendors’ risk management practices and information security and privacy programs in a cost-effective way.

Insight: Assesor Quality Matters

In addition to these more recent developments, HITRUST has significantly increased its emphasis on the importance of assessor organization quality. As the HITRUST CSF has grown in acceptance, the organization has seen a widening range in the quality of the companies delivering those assessments.

This divergence highlights the importance of working with assessors that bring the professionalism and standards of a CPA and auditing firm to the HITRUST CSF assessment and certification process.