In this Article
- Do You Know What Does HITRUST Stands For?
- What is the difference between HITRUST and HIPAA?
- How Many Control Domains HITRUST Contains?
- HITRUST CSF Domains
- 1. Information Protection Program
- 2. Endpoint Protection
- 3. Portable Media Security
- 4. Mobile Device Security
- 5. Wireless Security
- 6. Configuration Management
- 7. Vulnerability Management
- 8. Network Protection
- 9. Transmission Protection
- 10. Password Management
- 11. Access Control
- 12. Audit Logging & Monitoring
- 13. Education, Training and Awareness
- 14. Third-Party Assurance
- 15. Incident Management
- 16. Business Continuity and Disaster Recovery
- 17. Risk Management
- 18. Physical and Environmental Security
- 19. Data Protection and Privacy
Do You Know What Does HITRUST Stands For?
Nothing to worry about if you don’t, there are many folks out there who don’t know either. HITRUST stands for Health Information Trust Alliance. Many people feel that it is a security or compliance framework. Let us tell you this is not a framework at all, but an organization consists of healthcare industry leaders who regard information security (InfoSec) as a fundamental component to data systems security and data exchanges.
In collaboration with InfoSec, business technology, and healthcare leaders, HITRUST developed the HITRUST Common Security Framework (CSF). The HITRUST CSF consists of information from various standards, such as HIPAA, NIST, HITECH, and others, as a certified framework of controls mapped to these standards designed to aid organizations to achieve complete compliance and run their business more confidently.
HITRUST certification by the HITRUST Alliance enables vendors and covered entities to demonstrate compliance to HIPAA requirements based on a standardized framework.
|Image Credit: Hitrustalliance.net
Now the question arises, What is HIPPA? and How HITRUST is associated with HIPPA?
What is the difference between HITRUST and HIPAA?
HIPAA vs HITRUST:- While HIPAA is a law created by lawyers and lawmakers, HITRUST is a framework created by security industry experts which contains aspects of HIPAA.
The HITRUST common security framework gives organizations a way to show evidence of compliance with HIPAA-mandated security controls. HITRUST takes the requirements of HIPAA and builds on them, incorporating them into a framework based on security and risk.
According to U.S. Department of Health and Human Services (HHS), “The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form.. This means that covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information.”
HITRUST can also help provide measurable criteria and objectives for applying “appropriate administrative, technical, and physical security controls. HITRUST does not replace HIPAA compliance or prove that an entity is HIPAA compliant, but it is widely accepted as a good approach for evaluating operational risk.
How Many Control Domains HITRUST Contains?In contrast to HIPAA, the HITRUST Common Security Framework doesn’t create broad buckets like Administrative and Security controls. The HITRUST Common Security Framework is divided into 19 different control domains as follow below:
HITRUST CSF Domains
Information Protection Program
Portable Media Security
Mobile Device Security
Audit Logging & Monitoring
Education, Training and Awareness
Third Party Assurance
Business Continuity & Disaster Recovery
Physical & Environmental Security
Data Protection & Privacy
1. Information Protection Program
Information protection (or information security as defined by the NIST): The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:
Integrity – Which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity.
Confidentiality – Which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information and,
Availability – Which means ensuring timely and reliable access to and use of information
Information protection employs security solutions, encryption, and other technologies, as well as policies and processes, to secure information.
The information protection program is specifically focused on achieving Data integrity, confidentiality and availability through information security.
2. Endpoint Protection
Endpoint protection program is the endpoint security is the practice of securing entry points of end-user devices such as laptops, desktops, and mobile devices from being exploited by malicious actors and viruses. Endpoint security systems protect these endpoints on a network or in the cloud from cybersecurity threats. Endpoint security has evolved from traditional antivirus software to providing comprehensive protection from sophisticated malware and evolving zero-day threats.
Irrespective of size of the organization there are risk from hacktivists, organized crime, and malicious and accidental insider threats. Endpoint security is often seen as cybersecurity’s frontline, and represents one of the first places organizations look to secure their enterprise networks.
3. Portable Media Security
Portable media security is nothing but the security of data stored on the portable media such as USB keys, flash memory, CDs/DVDs, etc. Portable media is easily lost or stolen and may cause a security breach.
Because portable media can be stolen or compromised easily, Organizations puts some guidelines for the users to take precautions when using it to transfer or store Confidential information.
4. Mobile Device Security
Mobile Device Security refers to the controls designed to protect sensitive information stored on and transmitted by laptops, smartphones, tablets, and other portable devices. At the root of mobile device security is the goal of keeping unauthorized users from accessing the enterprise network.
5. Wireless Security
Wireless security is nothing but protecting computers, smartphones, tablets, laptops and other portable devices along with the networks they are connected to, from threats and vulnerabilities associated with wireless computing.The wireless security can be delivered through different ways such as:
Hardware-based: Where routers and switches are fabricated with encryption measures protects all wireless communication. So, in this case, even if the data gets compromised by the cybercriminal, they will not be able to decrypt the data or view the traffic’s content.
Wireless setup of IDS and IPS: Helps in detecting, alerting, and preventing wireless networks and sends an alarm to the network administrator in case of any security breach.
Wireless security algorithms: Such as WEP, WPA, WPA2, and WPA3.
6. Configuration Management
Configuration management is the discipline of ensuring that all software and hardware assets which a company owns are known and tracked at all times, any future changes to these assets are known, approved and tracked. It can be assumed as the inventory list which is being kept up-to-date at all times.
7. Vulnerability Management
The world is a witness to increasing cases of cybersecurity threats currently meaning organizations have to have a vulnerability management process to control information security risks.
Even after the vulnerabilities have been identified, it’s important to check whether appropriate remediation is done and implemented. This can be tackled by the vulnerability management program. The vulnerability management program ensures that as soon as the vulnerability is fixed and the patch is implemented in priority and is re-scanned, it eliminates any path for the hackers to breach prior to the attack surface is patched up.
8. Network Protection
Network security is an organization’s planning that enables the security of its assets including all network traffic. It contains both software and hardware technologies. Access to the network is managed by effective network security, which targets a wide range of threats and then encounters them from spreading or entering in the connected network.
Network security is a combination of multiple layers of defenses in the network and at the network. Security policies and controls are implemented by each network security layer. Access to networks is granted by authorized users, whereas, malicious actors are indeed blocked from executing exploits and threats. There are various types of network security out there are as follows.
Types of Network Security
- Antivirus and Antimalware Software
- Application Security
- Behavioral Analytics
- Data Loss Prevention (DLP)
- Email Security
- Mobile Device Security
- Network Segmentation
- Security Information and Event Management (SIEM)
- Virtual Private Network (VPN)
- Web Security
- Wireless Security
- Endpoint Security
- Network Access Control (NAC)
9. Transmission Protection
Data Transmission security is the capability to send a message (data packets) electronically from one computer system to another computer system. It is intended for the authorized recipient to receive and reads the message and the message received is identical to the message sent. The message would not be identical if it was altered in any way, whether transmitted over faulty channels or intercepted by an eavesdropper. Transmission security translates into secure networks.
Transmission protection can be attained by various methods but not limited to described below.
– Public Key Encryption
– Private Key Encryption
10. Password Management
Password management is the management of your different password as you can not remember multiple passwords and there are more chances that you will get forget the password over a period of time, here the password manager comes into the picture which takes your pain and does the rest and never runs out of your locked account. let’s better understand by the below example.
Your password is like a lock that protects your identity from unwanted access to your accounts. In combination with your user name, your password verifies who you are and also grants you access to protected systems or resources.
If you use the same password for every account you have, whether it’s Facebook, Twitter, email, or sensitive computer systems, and it gets compromised then the “bad guys” have gained access to everything. If you have a different password for each account then the “bad guys” don’t get a free pass into the rest of your accounts out there.
11. Access Control
Access control is a method of limiting access to sensitive data. Only those having their identity verified can access company data through an access control gateway.
How does access control work?
Access control can be divided into two groups to cover physical security or cybersecurity:
Physical access control: Restricted access to campuses, buildings, and other physical assets, e.g. a proximity access card to unlock a door.
Logical access control: Restricted access to computers, networks, files, and other sensitive data, e.g. a username and password, VPN token, etc.
Why is access control important?
Access control mitigates the risk of authorized access to physical and computer systems, forming a foundational part of information security, data security, and network security.
Access control may be a regulatory compliance requirement, it may differ from organization to organization.
- PCI DSS: Requirement 9 mandates organizations to restrict physical access to their buildings for onsite personnel, visitors, and media, as well as having adequate logical access controls to mitigate the cybersecurity risk of malicious individuals stealing sensitive data. Requirement 10 requires organizations to deploy security solutions to track and monitor their systems periodically.
- HIPAA: The HIPAA Security Rule requires Covered Entities and their business associates to prevent the unauthorized disclosure of protected health information (PHI), this includes the usage of physical and electronic access control.
- SOC 2: The auditing procedure enforces third-party vendors and service providers to manage sensitive data to prevent data breaches, protecting employee and customer privacy. Companies who wish to gain SOC 2 assurance must use a form of access control with 2 -factor authentication and data encryption. SOC 2 assurance is particularly vital for an organization that processes personally identifiable information (PII).
- ISO 27001: An information security standard that requires management to systematically vetting an organization’s attack vectors and audits all cyber threats and vulnerabilities. It also requires a comprehensive set of risk mitigation controls or transfer protocols to ensure continuous information security and business continuity.
12. Audit Logging & Monitoring
Security event logging and monitoring are two parts of a singular process that’s integral to the upkeep of a secure infrastructure.
Every activity on your environment, from emails to logins to firewall updates, is taken into account a security event. All of those events are, (or should be,) logged so as to stay tabs on everything that’s happening in your technology landscape.
When it involves monitoring those logs, organizations will examine the electronic audit log files of tip for signs of unauthorized activities.
If unauthorized activities (or attempts thereof) are found, the info is going to be moved to a central database for extra investigations and necessary action.
In a time where digital threats are widespread and ever-changing, the info gleaned from these log files is significant to keep the infrastructure agile and responsive.
13. Education, Training and Awareness
Security education, training, and awareness programs are designed to scale back the incidence of accidental security breaches. Through the readings, you’ll study the planning and delivery of those programs also as various training techniques.
Protecting your business’ most sensitive data takes quite just having the proper cybersecurity tools—it takes having well-educated, cyber-aware employees in the least levels of the organization. In fact, consistent with data cited by CNBC, “47 percent of business leaders said human error like accidental loss of a tool or document by an employee had caused a knowledge breach at their organization.” This statistic simply highlights how important it’s to coach employees in network security to stop the sorts of basic mistakes that cause data breaches.
This is where a Security Education, Training, and Awareness (SETA) program comes into play. SETA programs help businesses to teach and inform their employees about basic network security issues and expectations—helping to stop commonplace cybersecurity mistakes that lead to damaging data breaches.
14. Third-Party Assurance
Organizations depend upon third parties to handle everything from logistics to human resources, software development to financial record keeping, and physical security to cybersecurity. Those third parties, especially those who have access to the organization’s network and sensitive data, offer an opportunity to improve services, lower costs and allow for organizations to focus on their core competencies. This is the only reason why organizations look towards third parties.
Each third-party also represents potential security and privacy risk to any and all sensitive information, which could present compliance risk. If a third-party is negligent, or ill-prepared to protect the organization’s assets, the organization is impacted financially, reputationally, and, many times, legally.