HITRUST Now Offers NIST Cybersecurity Framework Certification

The security and privacy standards development and accreditation organization HITRUST has started offering certification for the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework). The certification program makes it easier for healthcare organizations to report progress to management, business partners, and regulators and verify they have met NIST cybersecurity framework controls.

The NIST Cybersecurity Framework is a set of standards and best practices that help organizations improve security, manage cybersecurity risk, and protect critical infrastructure. Many healthcare organizations have adopted the NIST cybersecurity framework but are unsure how they are doing in the cybersecurity categories.

Through the HITRUST CSF Assurance Program, healthcare organizations can assess whether they have met the requirements in each of the NIST categories.

The HITRUST CSF now includes a scorecard that allows organizations to check how their security program maps to the core subcategories of the NIST Cybersecurity Framework and provides compliance ratings for each core subcategory. HITRUST also provides certification to confirm that organizations are meeting all requirements of the NIST Cybersecurity Framework. If an organization achieves a certain score, certification will be issued against the NIST Cybersecurity Framework.

The Government Accountability Office (GAO) has confirmed that the HITRUST CSF aligns with the NIST Cybersecurity Framework and allows organizations to demonstrate compliance.

NIST has also developed guidance for healthcare organizations to help them implement the various controls detailed in the NIST Framework. The implementation guidance can be used even if organizations choose not to go through the assessment process.

“The HITRUST CSF’s integration and harmonization of multiple industry-relevant statutory, regulatory and best practice requirements into a single, prescriptive, yet highly tailorable framework makes it extremely easy for organizations to determine an appropriate Target Profile and subsequently implement and report their progress towards a cybersecurity program that fulfills the goals and objectives of the NIST Framework”

HITRUST CSF Assurance Program has been adopted by approximately 80% of hospitals and insurance companies. Through a single assessment, healthcare organizations can assess compliance with the HIPAA Security and Privacy Rules, the NIST Cybersecurity Framework, GDPR, ISO 27001, PCI and other leading standards and frameworks.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.