Healthcare is complex and can seem overwhelming, but it doesn't have to be. Whether you're an industry professional or not, it is commonly felt that more time is spent understanding the healthcare conundrum versus solving it. That's where Datica comes in. We have set out to investigate the underlying logic behind the astounding regulatory maze of this field and distill the information to those searching for it. Why spend your time mastering the problem when you could be discovering the innovative solutions?

HITRUST requirements are what?

Many people fail to realize that the Health Information Trust Alliance, known simply as HITRUST, is not a framework at all, but an organization comprised of healthcare industry leaders who regard information security as a fundamental component to data systems and exchanges. The HITRUST organization, in partner with other technology and information security leaders, created and maintains the Common Security Framework (CSF).  

RELATED:  Get your complementary copy of the condensed guide to the What, Why, and How of HITRUST; HITRUST Explained for Everyone

In contrast to HIPAA, the CSF does not create broad buckets like Administrative and Security controls. The HITRUST Common Security Framework is divided into 19 different control domains:

1. Information Protection Program

2. Endpoint Protection

3. Portable Media Security

4. Mobile Device Security

5. Wireless Protection

6. Configuration Management

7. Vulnerability Management

8. Network Protection

9. Password Management

10. Access Control

11. Audit Logging & Monitoring

12. Education, Training & Awareness

13. Third Party Security

14. Incident Management

15. Business Continuity & Disaster Recovery

16. Risk Management

17. Physical & Environmental Security

18. Data Protection & Privacy

19. Transmission Protection


In addition to the above domains, HITRUST has 135 specific controls.

For each of the 135 controls defined by HITRUST, three distinct implementation levels exist. Each implementation level builds on the one below - level 2 includes all of level 1 plus additional requirements, level 3 includes all of level 2 plus additional requirements. Therefore, level 3 has the most stringent set of requirements. Implementation levels in the CSF are determined for each organization based on their risk profile, accounting for aspects like the size of an organization and the number of stored health records. Most organizations have varied levels of implementation for their 135 controls from level 1, 2 or 3.

Why does HITRUST matter? Well, as healthcare is becoming further dependent on evolving technologies to store and transmit data, cybersecurity and compliance have become a progressively emphasized, yet convoluted, matter. Navigating the tortuous labyrinth of federal, state and third party security mandates has become a feat that can quickly consume an organization’s resources. If that isn’t enough, getting through all of the twists, turns and pitfalls to achieve compliance is only half the battle. Healthcare organizations and IT vendors must also prove their compliance to guarantee they are a trusted business partner. With all considerations, isn’t it obvious that the industry is in need of a system that is clear, standard and secure? Thankfully, that’s exactly what HITRUST has established in order to put the trust in data security.

HITRUST isn’t easy, and it shouldn’t be. The experience we’ve gained as a company and the extensive testing of our technology brings great value to our customers. We’re ecstatic because our HITRUST CSF Certification is helping our customers prove their applications and data are secure by being an even more compelling proof than our HIPAA audits.

If you’re already a Datica customer, there’s nothing you need to do; the infrastructure you’re hosting on is HITRUST CSF Certified. If you’re not a Datica customer and still want to learn why this is so valuable, or simply have questions about what it takes to complete a HIPAA audit or HITRUST assessment, please don’t hesitate to reach out, as our team of experts wants to be your trusted resource.

Visit the Datica blog or the Datica Academy to learn more about HITRUST.