HITRUST Common Security Framework Compliance – more than just HIPAA

Published on June 5, 2019 by Robert Ramsay in SOC Reports, Technology

As Barnes Dennig added another CCSFP this month, we wanted to reflect on the evolution of the Common Security Framework.

Although the HITRUST Alliance was started by a consortium of healthcare industry leaders, the Common Security Framework (CSF) continues to address a number of criteria beyond HIPAA.  It will be interesting to see how markets outside of healthcare adopt this framework.

Because HIPAA is a series of laws, and not necessarily an industry standard framework, practitioners sought a common set of rules that could be standardized.  Why is that important?  To understand the importance of HITRUST, it can be beneficial to contrast HIPAA with PCI DSS (Payment Card Industry Data Security Standards).

PCI DSS are the data security standards that the PCI Security Standards Council agreed to follow to be able to consistently measure security practices at all merchants and processors in the credit card acceptance supply chain.  This is generally seen as a successful implementation of a set of rules for all to follow.

HIPAA on the other hand, is a set of laws, which can be debated and interpreted by lawyers.  For companies that wanted to follow HIPAA, there was originally no industry standard comparable to PCI DSS.  This is what the HITRUST Alliance set out to achieve.

Perhaps because the credit card industry is lead by a small number of brands (i.e. VISA, Mastercard, American Express), the industry was able to establish a standard with rapid acceptance.  HITRUST on the other hand, does not have the same level of adoption or market share as PCI.

One thing HITRUST has done, however, is to broaden its reach, to encompass other security standards.  HITRUST claims to leverage “nationally and internationally accepted standards including ISO, NIST, PCI and HIPAA to ensure a comprehensive set of baseline security controls. The CSF normalizes these security requirements and provides clarity and consistency, reducing the burden of compliance with the varied requirements that apply to organizations.”   Some call this the “one ring to rule them all” strategy.

At Barnes Dennig, we are impressed with the progress of both PCI DSS and HITRUST’s Common Security Framework.  Cybersecurity and data privacy are difficult propositions.  They deal with high risk technical details that require judgement of costs and benefits that can be difficult to measure.  Additionally, they apply to one of the most rapidly changing fields in technology.  Cybersecurity is sometimes proactive but is often reactive to the constant innovations of the bad actors that make up the broadly defined hacking community.  We applaud every effort to provide predictability and stability to technology services.  This is why we constantly train on PCI and HITRUST (and many other frameworks) and provide PCI consulting and HITRUST consulting.

---