HIPAA and HITRUST On AWS

About HITRUST

The Health Information Trust Alliance (HITRUST) is a standards development organization that develops and maintains a healthcare compliance framework called the HITRUST Common Security Framework (CSF).

The goal of the HITRUST CSF is to set a baseline for healthcare security controls. HITRUST and HIPAA are related but are not interchangeable. HITRUST is one of many security frameworks that can be used to evaluate an organization’s security profile.

HIPAA vs HITRUST

HIPAA (Health Insurance Portability and Accountability Act of 1996) is US legislation that requires covered entities (CEs) and business associates (BAs) such as hospitals, healthcare vendors, and digital health companies to implement administrative, technical, and physical safeguards. HIPAA is enforced by the Health and Human Services (HHS) Office of Civil Rights (OCR) and does not have an official certification.

HITRUST is a proprietary security framework validated via a privately held company, and it encompasses a set of security frameworks including HIPAA. HITRUST also incorporates PCI DSS, Control Objectives for Information and Related Technologies (COBIT), and International Organization for Standardization (ISO) security frameworks. These additional frameworks can make the HITRUST CSF a heavier solution for smaller covered entities (CEs) and business associates (BAs).

Becoming HITRUST Certified On AWS

Organizations must follow this process to achieve HITRUST compliance:

  1. Utilize the HITRUST CSF to identify applicable HITRUST Controls
  2. Determine controls related to AWS services per the Shared Responsibility Model and compliance policies
  3. Complete HITRUST CSF assessment and engage a third-party HITRUST auditor to test controls
  4. Organization and auditor both submit their assessment to HITRUST for review via the MyCSF Portal
  5. Achieve HITRUST certification

After certification, organizations must continue to maintain their security standards to keep meeting HITRUST requirements. Like HIPAA compliance, HITRUST is not a once-and-done effort; it is an ongoing process. Becoming HITRUST certified is a long and arduous process.

Is A HITRUST Certification Necessary?

For startups and digital health organizations focused on getting to market quickly, the cost and administrative overhead of HITRUST can be unfeasible. Without a designated security team, it can be difficult to continually manage a HITRUST certification. There are a number of AWS security certifications and security programs, and it should be noted that HITRUST is a proprietary compliance framework; at the end of the day, HIPAA compliance itself is not officially verified by any certification.

It is recommended that smaller teams not equipped to manage a compliance framework such as NIST, ISO, or HITRUST focus instead on creating strong administrative and technical controls. More importantly, organizations should build HIPAA administrative policies that are understandable and can actually be followed. Healthcare providers place a higher priority on a vendor’s general security profile and on its awareness and maintenance of compliance standards than on any single certification.

Compliance In Amazon Web Services

As an AWS Advanced Technical Partner, Dash Solutions makes it easy to set technical and administrative controls and a security plan. Dash maps custom compliance policies and continuous compliance monitoring to HIPAA safeguards and NIST safeguards, meaning that your organization is able to get a clear view of its compliance state.

Amazon Web Services customers are able to take advantage of the numerous certifications held by the established cloud provider. In following their own client-side security responsibilities, a number of HIPAA-eligible services can be configured and used in a compliant manner. By addressing their responsibilities under the shared responsibility model, organizations can build a strong security profile and manage compliance for multiple security frameworks.