In May of 2017, HITRUST released version 9 of their CSF.  This framework is recognized as ‘suitable criteria’ for producing an American Institute of Certified Public Accountants (AICPA) SOC 2 report.  It also integrates information security requirements from the Federal Financial Institutions Examination Council (FFIEC).  Version 9.1, which went into effect in February of 2018, integrates General Data Protection Regulation (GDPR) and New York State Cyber Security Requirements for Financial Services Companies (23 NCYRR 500.) It also incorporates mapping the HITRUST CSF’s privacy and security requirements to the AICPA Trust Services Criteria for Privacy. These changes increased applicability of the HITRUST CSF for privacy programs across multiple industries nationally.

These changes have prompted more organizations, both internal and external of the healthcare industry, to accept HITRUST in the place of other third-party reports. This is due to the fact that HITRUST is a more comprehensive, generalized, and certifiable framework.  It rationalizes healthcare-relevant regulations, standards, best practices and risk related events (such as cyber threats and breach data) into a single overarching security framework. Because the CSF is both risk and compliance based, organizations can tailor the security control baselines around a variety of factors. These factors include organization type, size, systems, and regulatory requirements.

Pondurance is a certified HITRUST CSF Assessor.  We have a considerable team of Certified Common Security Framework Practitioners (CCSFPs) who are able to collaborate with clients and work through both the preparation and validation phases of the CSF certification process.  We also have an extensive understanding of security and compliance risks/requirements making us readily available to assist clients in working through the tough issues they encounter during the road to control compliance. Our well-rounded consultants also have years of HIPAA and PCI DSS experience.

Pondurance offers various solutions that can assist in meeting specific HITRUST control requirements:

  • Pondurance has partnered with a CPA Firm to issue combined HITRUST plus SOC2 reports. HITRUST has collaborated with the American Institute of CPAs (AICPA) to develop an illustrative SOC2 report, which will assist CPAs with reporting on the suitability of design and operating effectiveness of controls relevant to meet the applicable trust services criteria and the HITRUST Common Security Framework (CSF) requirements.
  • Pondurance’s Threat Hunting & Response solutions can assist in not only collecting, but also live monitoring of log data from virtually any source to meet logging control requirements.
  • Our endpoint detection and response (EDR) solutions allow greater visibility at the host level to allow our analysts to detect malicious processes, registry entries and static files, helping to meet malware control requirements.
  • Pondurance’s Security Testing team provides penetration testing solutions that can simulate a real-world attack on internal and external environments. In addition, Pondurance performs vulnerability scans that help identify and eliminate network vulnerabilities. These solutions can assist in meet penetration testing and scanning control requirements.

The Health Information Trust Alliance (HITRUST) is a not-for-profit and privately held organization that was founded in 2007. According to their official site, HITRUST “was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges.” It has established a Common Security Framework (CSF) that can be used by all organizations.

This CSF creates, accesses, stores, and exchanges sensitive or regulated data. It also includes a prescriptive set of controls that seek to harmonize the requirements of multiple regulations and standards, including HIPAA, PCI, ISO, and NIST. Both the HITRUST CSF and CSF Assurance programs are the most widely adopted methodologies for organizations that process protected health information (PHI.)