What is HITRUST? Introduction to HITRUST Domains

Do You Know What HITRUST Stands For?

Nothing to worry about if you don’t; many people don’t either. HITRUST stands for Health Information Trust Alliance. Many people assume it is a security or compliance framework. It is not a framework at all, but an organization made up of healthcare industry leaders who regard information security (InfoSec) as a fundamental component of data systems security and data exchange.
In collaboration with InfoSec, business technology and healthcare leaders, HITRUST developed the HITRUST Common Security Framework (CSF). The HITRUST CSF draws on various standards, such as HIPAA, NIST, HITECH and others, and combines them into a certifiable framework of controls mapped to those standards, designed to help organizations achieve compliance and run their business with more confidence.
HITRUST certification by the HITRUST Alliance enables vendors and covered entities to demonstrate compliance with HIPAA requirements on the basis of a standardized framework.
[Image: HITRUST domains. Image credit: Hitrustalliance.net]
Now the question arises: what is HIPAA, and how is HITRUST associated with HIPAA?

What is the difference between HITRUST and HIPAA?

HIPAA vs HITRUST: while HIPAA is a law created by lawyers and lawmakers, HITRUST is a framework created by security industry experts that incorporates aspects of HIPAA.

The HITRUST Common Security Framework gives organizations a way to show evidence of compliance with HIPAA-mandated security controls. HITRUST takes the requirements of HIPAA and builds on them, incorporating them into a framework based on security and risk.
According to the U.S. Department of Health and Human Services (HHS), “The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form. This means that covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information.”
HITRUST can also help provide measurable criteria and objectives for applying “appropriate administrative, technical, and physical security controls.” HITRUST does not replace HIPAA compliance or prove that an entity is HIPAA compliant, but it is widely accepted as a sound approach to evaluating operational risk.

How Many Control Domains Does HITRUST Contain?

In contrast to HIPAA, the HITRUST Common Security Framework doesn’t create broad buckets such as Administrative and Security controls. The HITRUST Common Security Framework is divided into 19 control domains, listed below:

Information Protection Program
Endpoint Protection
Portable Media Security
Mobile Device Security
Wireless Security
Configuration Management
Vulnerability Management
Network Protection
Transmission Protection
Password Management
Access Control
Audit Logging & Monitoring
Education, Training and Awareness
Third Party Assurance
Incident Management
Business Continuity & Disaster Recovery
Risk Management
Physical & Environmental Security
Data Protection & Privacy

In addition to the domains above, HITRUST also has 75 control objectives and 156 specific controls.

1. Information Protection Program

Information protection (or information security, as defined by NIST) is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide:
Integrity – guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity.
Confidentiality – preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.
Availability – ensuring timely and reliable access to and use of information.
Information protection employs security solutions, encryption and other technologies, as well as policies and processes, to secure information.
The information protection program is specifically focused on achieving data integrity, confidentiality and availability through information security.

2. Endpoint Protection

Endpoint protection, also called endpoint security, is the practice of securing the entry points of end-user devices such as laptops, desktops and mobile devices against exploitation by malicious actors and malware. Endpoint security systems protect these endpoints, whether on a network or in the cloud, from cybersecurity threats. Endpoint security has evolved from traditional antivirus software into comprehensive protection against sophisticated malware and evolving zero-day threats.
Irrespective of the size of the organization, there are risks from hacktivists, organized crime, and malicious and accidental insider threats. Endpoint security is often seen as cybersecurity’s front line, and represents one of the first places organizations look when securing their enterprise networks.

3. Portable Media Security

Portable media security is the protection of data stored on portable media such as USB keys, flash memory, CDs/DVDs and the like. Portable media is easily lost or stolen and can cause a security breach.
Because portable media can be stolen or compromised so easily, organizations set guidelines requiring users to take precautions when using it to transfer or store confidential information.

4. Mobile Device Security

Mobile Device Security refers to the controls designed to protect sensitive information stored on and transmitted by laptops, smartphones, tablets, and other portable devices. At the root of mobile device security is the goal of keeping unauthorized users from accessing the enterprise network.

5. Wireless Security

Wireless security is the protection of computers, smartphones, tablets, laptops and other portable devices, along with the networks they connect to, from the threats and vulnerabilities associated with wireless computing. Wireless security can be delivered in different ways, such as:
Hardware-based: routers and switches are built with encryption measures that protect all wireless communication. In this case, even if a cybercriminal captures the traffic, they will not be able to decrypt it or view its contents.
Wireless IDS and IPS: detect, alert on and prevent attacks against wireless networks, and send an alarm to the network administrator in case of a security breach.
Wireless security protocols: WEP, WPA, WPA2 and WPA3 (WEP is obsolete and should no longer be relied on).

6. Configuration Management

Configuration management is the discipline of ensuring that all software and hardware assets a company owns are known and tracked at all times, and that any future changes to these assets are known, approved and tracked. Think of it as an inventory list that is kept up to date at all times.

7. Vulnerability Management

Organizations face ever-increasing cybersecurity threats, so they need a vulnerability management process to control information security risks.
Even after vulnerabilities have been identified, it is important to verify that appropriate remediation has actually been implemented. This is what a vulnerability management program is for: once a vulnerability is fixed and the patch is deployed in priority order, the affected systems are re-scanned to confirm the fix, closing the path an attacker could otherwise use before the attack surface is patched.

8. Network Protection

Network security is an organization’s plan for securing its assets, including all network traffic. It consists of both software and hardware technologies. Effective network security manages access to the network, targets a wide range of threats and stops them from entering or spreading within the connected network.
Network security is a combination of multiple layers of defenses at the network edge and within the network. Each network security layer implements security policies and controls. Authorized users are granted access to network resources, while malicious actors are blocked from carrying out exploits and threats. The various types of network security are as follows.

Types of Network Security

  • Antivirus and Antimalware Software
  • Application Security
  • Behavioral Analytics
  • Data Loss Prevention (DLP)
  • Email Security
  • Firewalls
  • Mobile Device Security
  • Network Segmentation
  • Security Information and Event Management (SIEM)
  • Virtual Private Network (VPN)
  • Web Security
  • Wireless Security
  • Endpoint Security
  • Network Access Control (NAC)

9. Transmission Protection

Data transmission security is the ability to send a message (data packets) electronically from one computer system to another such that the authorized recipient receives and reads the message, and the message received is identical to the message sent. The message would not be identical if it was altered in any way, whether by transmission over faulty channels or by interception by an eavesdropper. Transmission security translates into secure networks.
Transmission protection can be attained by various methods, including but not limited to:

– Public key encryption
– Private (shared) key encryption
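The definition above has two halves: the recipient must be able to read the message, and the message received must be identical to the message sent. The following added example (not from the original article) demonstrates the second half using the private (shared) key approach from the list: sender and receiver share a secret key, every frame carries a sequence number and an HMAC-SHA256 tag, and the receiver rejects any frame whose contents were altered in transit or which is a replay of an earlier frame. The key, frame layout and sample messages are constructed for this example; confidentiality (encrypting the payload) is not shown, since it needs a cipher that the Python standard library does not provide.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # SHA-256 output length
SEQ_LEN = 8   # 64-bit big-endian sequence number

# Constructed shared secret; in practice this is provisioned out of band.
SHARED_KEY = b"example-shared-key-do-not-use-in-production"


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Build a frame: seq || payload || HMAC(key, seq || payload)."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def open_frame(key: bytes, frame: bytes, last_seq: int):
    """Verify a frame. Returns (seq, payload) or None if the frame is
    truncated, altered in transit, or a replay of an already-seen sequence."""
    if len(frame) < SEQ_LEN + TAG_LEN:
        return None
    header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(tag, expected):
        return None
    seq = struct.unpack(">Q", header)[0]
    if seq <= last_seq:
        return None  # replayed or reordered frame
    return seq, payload


def simulate_channel():
    """Send one legitimate frame, then a tampered copy and a replayed copy,
    and report what the receiver accepted. Returns a dict of outcomes."""
    frame = seal(SHARED_KEY, 1, b"lab result: HbA1c 6.1%")
    received_ok = open_frame(SHARED_KEY, frame, last_seq=0)

    # An eavesdropper flips one byte inside the payload.
    tampered = bytearray(frame)
    tampered[SEQ_LEN + 15] ^= 0x01
    received_tampered = open_frame(SHARED_KEY, bytes(tampered), last_seq=0)

    # The same valid frame is delivered a second time.
    received_replay = open_frame(SHARED_KEY, frame, last_seq=received_ok[0])

    return {
        "ok": received_ok,
        "tampered": received_tampered,
        "replay": received_replay,
    }


if __name__ == "__main__":
    for name, result in simulate_channel().items():
        print(f"{name:>8}: {'accepted' if result else 'rejected'}")
```

The receiver keeps only the highest sequence number it has accepted, so the state needed to detect replays is a single integer per peer; a public-key scheme would replace the shared secret with a signature over the same `seq || payload` bytes.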

10. Password Management

Password management deals with the many different passwords you have to keep track of: you cannot remember them all, and over time you are likely to forget some. This is where a password manager comes in: it stores your passwords for you and does the rest, so you never end up locked out of an account. The example below makes this clearer.
Your password is like a lock that protects your identity from unwanted access to your accounts. In combination with your user name, your password verifies who you are and grants you access to protected systems or resources.
If you use the same password for every account you have, whether it’s Facebook, Twitter, email or sensitive computer systems, and it gets compromised, then the “bad guys” have gained access to everything. If you have a different password for each account, the “bad guys” don’t get a free pass into the rest of your accounts.

11. Access Control

Access control is a method of limiting access to sensitive data. Only those whose identity has been verified can access company data through an access control gateway.

How does access control work?

Access control can be divided into two groups, covering physical security and cybersecurity respectively:
Physical access control: restricts access to campuses, buildings and other physical assets, e.g. a proximity access card to unlock a door.
Logical access control: restricts access to computers, networks, files and other sensitive data, e.g. a username and password, a VPN token, etc.
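As an added illustration of logical access control (this code is not part of the original article), the following Python example implements the two conditions in the text, verified identity plus an explicit grant, as a deny-by-default authorization check. The role names, resources and actions in `POLICY` are constructed for the example; a real deployment would load them from the organization’s access control system.

```python
from dataclasses import dataclass

# Constructed role-to-permission policy: (resource, action) pairs each role may use.
# Anything not listed here is denied.
POLICY = {
    "clinician": {("patient_record", "read"), ("patient_record", "update")},
    "billing":   {("patient_record", "read"), ("invoice", "read"), ("invoice", "create")},
    "auditor":   {("audit_log", "read")},
}


@dataclass(frozen=True)
class Principal:
    username: str
    roles: frozenset
    authenticated: bool  # True only after the gateway has verified identity


def is_allowed(principal: Principal, resource: str, action: str) -> bool:
    """Deny by default: the caller must be authenticated and hold at least one
    role that explicitly grants (resource, action). Unknown roles grant nothing."""
    if not principal.authenticated:
        return False
    return any((resource, action) in POLICY.get(role, set())
               for role in principal.roles)


def decide(principal: Principal, resource: str, action: str) -> dict:
    """Return an auditable decision record; the decision itself never depends on
    anything other than the policy and the principal's verified state."""
    allowed = is_allowed(principal, resource, action)
    return {
        "user": principal.username,
        "resource": resource,
        "action": action,
        "allowed": allowed,
        "reason": ("unauthenticated" if not principal.authenticated
                   else "granted" if allowed else "no matching grant"),
    }


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"clinician"}), authenticated=True)
    bob = Principal("bob", frozenset({"auditor"}), authenticated=True)
    mallory = Principal("mallory", frozenset({"clinician"}), authenticated=False)
    for p, res, act in [(alice, "patient_record", "update"),
                        (bob, "patient_record", "read"),
                        (mallory, "patient_record", "read")]:
        print(decide(p, res, act))
```

Keeping `decide` separate from `is_allowed` means every decision, including denials, yields a record that can be fed to the audit logging described later in the article.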

Why is access control important?

Access control mitigates the risk of unauthorized access to physical and computer systems, forming a foundational part of information security, data security and network security.
Access control may also be a regulatory compliance requirement; the specifics differ from organization to organization.
  • PCI DSS: Requirement 9 mandates that organizations restrict physical access to their buildings for onsite personnel, visitors and media, and have adequate logical access controls to mitigate the cybersecurity risk of malicious individuals stealing sensitive data. Requirement 10 requires organizations to deploy security solutions to track and monitor their systems periodically.
  • HIPAA: The HIPAA Security Rule requires Covered Entities and their business associates to prevent the unauthorized disclosure of protected health information (PHI); this includes the use of physical and electronic access control.
  • SOC 2: The auditing procedure requires third-party vendors and service providers to manage sensitive data so as to prevent data breaches, protecting employee and customer privacy. Companies that wish to gain SOC 2 assurance must use a form of access control with two-factor authentication and data encryption. SOC 2 assurance is particularly vital for an organization that processes personally identifiable information (PII).
  • ISO 27001: An information security standard that requires management to systematically vet an organization’s attack vectors and audit all cyber threats and vulnerabilities. It also requires a comprehensive set of risk mitigation controls or risk transfer mechanisms to ensure continuous information security and business continuity.

12. Audit Logging & Monitoring

Security event logging and monitoring are two parts of a single process that is integral to the upkeep of a secure infrastructure.
Every activity in your environment, from emails to logins to firewall updates, is considered a security event. All of those events are (or should be) logged in order to keep tabs on everything that is happening in your technology landscape.
When it comes to monitoring those logs, organizations examine the electronic audit log files of sensitive systems for signs of unauthorized activity.
If unauthorized activities (or attempts at them) are found, the relevant data is moved to a central database for further investigation and any necessary action.
At a time when digital threats are widespread and ever-changing, the data gleaned from these log files is vital to keeping the infrastructure agile and responsive.
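The monitoring step described above, examining audit logs for signs of unauthorized activity and moving what is found to a central store, is shown below as an added Python example (not code from the article). It parses a few constructed sshd-style authentication log lines, flags any source address that produced five failed logins within five minutes, notes whether a successful login followed, and writes the findings to an in-memory SQLite table standing in for the central database. The log lines, addresses and threshold are all assumptions for the example.

```python
import re
import sqlite3
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an sshd-like format (not from any real system).
SAMPLE_LOG = """\
2024-03-01T08:00:01 sshd[101]: Failed password for invalid user admin from 203.0.113.5
2024-03-01T08:00:03 sshd[101]: Failed password for invalid user admin from 203.0.113.5
2024-03-01T08:00:04 sshd[101]: Failed password for root from 203.0.113.5
2024-03-01T08:00:06 sshd[101]: Failed password for root from 203.0.113.5
2024-03-01T08:00:07 sshd[101]: Failed password for root from 203.0.113.5
2024-03-01T08:00:09 sshd[101]: Accepted password for root from 203.0.113.5
2024-03-01T08:15:00 sshd[102]: Failed password for alice from 198.51.100.7
2024-03-01T09:30:00 sshd[103]: Accepted publickey for alice from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)$"
)


def parse(lines):
    """Turn raw log lines into event dicts; lines that don't match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "result": m["result"], "user": m["user"], "src": m["src"]})
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag each source with `threshold` failures inside `window`, and record
    whether that source later logged in successfully (the case to escalate)."""
    findings = []
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        failures = sorted(e["ts"] for e in evs if e["result"] == "Failed")
        for i in range(len(failures) - threshold + 1):
            first, last = failures[i], failures[i + threshold - 1]
            if last - first <= window:
                success_after = any(e["result"] == "Accepted" and e["ts"] >= last
                                    for e in evs)
                findings.append({"src": src, "failures": threshold, "start": first,
                                 "end": last, "success_after": success_after})
                break  # one finding per source is enough for triage
    return findings


def store_findings(findings, conn):
    """Persist findings to the central store; returns the row count afterwards."""
    conn.execute("CREATE TABLE IF NOT EXISTS findings "
                 "(src TEXT, failures INTEGER, start TEXT, end TEXT, success_after INTEGER)")
    conn.executemany("INSERT INTO findings VALUES (?, ?, ?, ?, ?)",
                     [(f["src"], f["failures"], f["start"].isoformat(),
                       f["end"].isoformat(), int(f["success_after"])) for f in findings])
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM findings").fetchone()[0]


def run(log_text=SAMPLE_LOG):
    """Parse, detect and store; returns (findings, number of stored rows)."""
    findings = detect_bruteforce(parse(log_text.splitlines()))
    conn = sqlite3.connect(":memory:")
    return findings, store_findings(findings, conn)


if __name__ == "__main__":
    found, stored = run()
    for f in found:
        print(f"{f['src']}: {f['failures']} failures {f['start']}..{f['end']}, "
              f"success afterwards: {f['success_after']}")
    print(f"{stored} finding(s) stored centrally")
```

The single failed attempt from the second address is below the threshold and produces no finding, which is the point of windowed counting: the rule fires on a pattern, not on every individual failure.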

13. Education, Training and Awareness

Security education, training and awareness programs are designed to reduce the incidence of accidental security breaches. Such programs cover the design and delivery of training as well as a variety of training techniques.
Protecting your business’ most sensitive data takes more than just having the right cybersecurity tools; it takes having well-educated, cyber-aware employees at all levels of the organization. In fact, according to data cited by CNBC, “47 percent of business leaders said human error such as accidental loss of a device or document by an employee had caused a data breach at their organization.” This statistic highlights how important it is to train employees in network security to prevent the sorts of basic mistakes that cause data breaches.
This is where a Security Education, Training, and Awareness (SETA) program comes into play. SETA programs help businesses teach and inform their employees about basic network security issues and expectations, helping to prevent the commonplace cybersecurity mistakes that lead to damaging data breaches.

14. Third-Party Assurance

Organizations depend on third parties to handle everything from logistics to human resources, software development to financial record keeping, and physical security to cybersecurity. Those third parties, especially those with access to the organization’s network and sensitive data, offer an opportunity to improve services, lower costs and let organizations focus on their core competencies. This is why organizations turn to third parties.
Each third party also represents a potential security and privacy risk to any and all sensitive information, which in turn presents compliance risk. If a third party is negligent or ill-prepared to protect the organization’s assets, the organization is impacted financially, reputationally and, many times, legally.

15. Incident Management

Incident Management is a critical component in the HITRUST certification process, playing a pivotal role in the overall cybersecurity strategy of healthcare organizations. It involves the systematic approach of identifying, responding to, mitigating, and learning from security incidents. In the context of HITRUST certification, Incident Management is essential for ensuring the confidentiality, integrity, and availability of sensitive healthcare data. By having robust incident response procedures in place, organizations can effectively minimize the impact of security breaches, safeguard patient information, and maintain compliance with HITRUST standards. Timely and efficient incident management not only demonstrates an organization’s commitment to cybersecurity but also helps in fostering a resilient and secure healthcare environment, which is paramount in the ever-evolving landscape of healthcare information security.

16. Business Continuity and Disaster Recovery

Business Continuity and Disaster Recovery (BCDR) are integral aspects of achieving and maintaining HITRUST certification for healthcare organizations. BCDR planning involves establishing strategies and procedures to ensure that critical business functions can continue in the face of unforeseen disruptions, such as natural disasters or cyberattacks. In the context of HITRUST certification, the implementation of robust BCDR measures is crucial for protecting sensitive healthcare data and maintaining operational resilience. With healthcare systems relying heavily on the availability and integrity of data, having comprehensive BCDR plans not only safeguards patient information but also helps organizations swiftly recover from disruptions, minimizing downtime and potential data loss. By emphasizing BCDR as part of the HITRUST certification process, healthcare entities demonstrate their commitment to maintaining a secure and resilient environment that prioritizes the uninterrupted delivery of critical healthcare services.

17. Risk Management

Risk management is a fundamental component of the HITRUST certification framework, playing a crucial role in safeguarding sensitive healthcare data. The healthcare industry faces various risks, including cyber threats, regulatory changes, and operational challenges. HITRUST certification emphasizes the importance of proactive risk management practices to identify, assess, and mitigate these potential risks effectively. By implementing a robust risk management program, organizations can demonstrate their commitment to ensuring the confidentiality, integrity, and availability of patient information. This approach not only aligns with HITRUST standards but also contributes to the overall resilience of healthcare systems in the face of evolving threats. Through comprehensive risk management, organizations can foster a culture of continuous improvement and compliance, essential elements in achieving and maintaining HITRUST certification.

18. Physical and Environmental Security

Physical and environmental controls are vital aspects of achieving HITRUST certification in the healthcare sector. Ensuring the physical security of facilities and the environmental protection of IT systems and data storage is paramount in safeguarding sensitive healthcare information. HITRUST emphasizes the implementation of stringent measures to prevent unauthorized access, theft, or damage to physical assets housing patient data. By addressing physical and environmental controls, organizations can significantly reduce the risk of breaches and unauthorized disclosures. Adequate safeguards include secure access controls, surveillance systems, and environmental controls to protect against natural disasters or accidents. Compliance with these controls not only aligns with HITRUST standards but also contributes to building a robust security posture that safeguards patient privacy and confidentiality.

19. Data Protection and Privacy

Data protection and privacy hold paramount importance in the context of HITRUST certification for healthcare organizations. HITRUST certification places a strong emphasis on safeguarding patient information, requiring stringent measures to ensure the confidentiality and integrity of sensitive healthcare data. Adherence to data protection and privacy standards not only meets regulatory requirements but also helps build trust with patients and stakeholders. Robust data protection practices include encryption, access controls, and monitoring mechanisms to prevent unauthorized access or data breaches. By prioritizing data protection and privacy, organizations not only align with HITRUST criteria but also demonstrate a commitment to maintaining the highest standards of patient confidentiality, an integral aspect of earning and maintaining HITRUST certification.

  1. Good write-up summarizing HITRUST and its associated controls. Can we get a comparison article on what has changed in the latest framework?
