Navigating the HITRUST CSF

by Sarah Harvey / July 28th, 2017

In this webinar, Jessie Skibbe discusses one of the most important steps in the certification journey: scoping. She will cover how to scope your environment for a HITRUST CSF assessment and how to define the risk factors related to your scope.

Scoping is the very first step in your certification journey. Before you even contact an assessor, you must determine what your scope is. The controls of the HITRUST CSF are designed to apply to all information systems irrespective of classification or function; however, for the purposes of HITRUST CSF Validation/Certification, only those systems that store, process, or transmit PHI, or that support the storing, processing, or transmission of PHI, should be included. The scope of the assessment should cover the following:

  • Patient care systems, applications, and devices that store and process ePHI (e.g., pharmacy, infection control, cancer registry, MRI, CTI, Ultrasound), whether they are standalone systems or connected to the network
  • Business systems and applications that store, process, or transmit ePHI to support billing, customer service, and general administrative operations (e.g., supply chain, state submissions, credentialing)
  • Infrastructure components, such as routers and firewalls, that are connected to or facilitate the transmission of ePHI to/from the types of systems described above
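The three categories above can be turned into a repeatable check rather than a judgment call made asset by asset. The following is an added example, not material from the webinar or from HITRUST: it takes a constructed asset inventory and data-flow map (all names, and the helpers `derive_scope` and `ScopeResult`, are invented for illustration) and derives the in-scope set by seeding with every asset the inventory says handles ePHI, then walking outward along ePHI-carrying flows so that routers, switches and firewalls on those paths come in while infrastructure that only carries non-ePHI traffic stays out. It also reports two disagreements a practitioner wants surfaced before the assessor arrives: an application that receives ePHI per the flow map but is not flagged in the inventory, and a flow to an endpoint (here a third party) that the inventory does not list at all.

```python
"""Derive a HITRUST CSF assessment scope from an asset inventory and a data-flow map.

Added example; not code from the webinar or from HITRUST. The assets, flows and
helper names below are constructed for illustration.

Rule implemented, following the scoping guidance:
  * an asset that stores, processes or transmits ePHI is in scope, connected or
    not (standalone devices count);
  * every asset reachable from such an asset over ePHI-carrying flows is in scope
    (infrastructure on those paths facilitates transmission of ePHI);
  * an application reached that way but not marked as handling ePHI is pulled
    into scope AND reported, since the inventory and the flow map disagree.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                   # "application" or "infrastructure"
    handles_ephi: bool = False  # stores, processes or transmits ePHI itself


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    carries_ephi: bool


@dataclass
class ScopeResult:
    in_scope: set = field(default_factory=set)
    reasons: dict = field(default_factory=dict)    # asset -> why it is in scope
    findings: list = field(default_factory=list)   # inventory / flow-map disagreements


def derive_scope(assets, flows):
    by_name = {a.name: a for a in assets}
    result = ScopeResult()

    # Seed with everything the inventory says handles ePHI, connected or not.
    seeds = [a.name for a in assets if a.handles_ephi]
    for name in seeds:
        result.in_scope.add(name)
        result.reasons[name] = "stores/processes/transmits ePHI"

    # Undirected adjacency over ePHI-carrying flows only; a non-ePHI link
    # (management, HR traffic) does not pull its neighbour into scope.
    adj = {}
    for f in flows:
        if f.src not in by_name or f.dst not in by_name:
            result.findings.append(
                f"flow {f.src}->{f.dst} references an asset missing from the inventory "
                f"(third party or inventory gap?)")
            continue
        if f.carries_ephi:
            adj.setdefault(f.src, set()).add(f.dst)
            adj.setdefault(f.dst, set()).add(f.src)

    # Breadth-first walk outward from the seeds along ePHI-carrying flows.
    queue = deque(seeds)
    while queue:
        cur = queue.popleft()
        for nxt in adj.get(cur, ()):
            if nxt in result.in_scope:
                continue
            if by_name[nxt].kind == "infrastructure":
                result.reasons[nxt] = f"facilitates transmission of ePHI (via {cur})"
            else:
                result.reasons[nxt] = f"on an ePHI flow with {cur} but not marked handles_ephi"
                result.findings.append(
                    f"{nxt} is on an ePHI flow with {cur} but the inventory says it does not "
                    f"handle ePHI; correct the inventory or the flow map")
            result.in_scope.add(nxt)
            queue.append(nxt)

    # An ePHI flow with both endpoints still out of scope means the flow map
    # claims ePHI moves between assets nobody marked as handling it.
    for f in flows:
        if (f.carries_ephi and f.src in by_name and f.dst in by_name
                and f.src not in result.in_scope and f.dst not in result.in_scope):
            result.findings.append(
                f"ePHI flow {f.src}->{f.dst} between two assets not marked as handling ePHI")
    return result


# Constructed sample inventory and flow map (not a real environment).
INVENTORY = [
    Asset("ehr-db", "application", handles_ephi=True),
    Asset("pharmacy-app", "application", handles_ephi=True),
    Asset("billing-app", "application", handles_ephi=True),
    Asset("mri-workstation", "application", handles_ephi=True),  # standalone, no flows
    Asset("analytics-app", "application"),   # mislabelled: receives ePHI from ehr-db
    Asset("hr-payroll", "application"),
    Asset("marketing-site", "application"),
    Asset("core-switch", "infrastructure"),
    Asset("edge-firewall", "infrastructure"),
    Asset("mgmt-switch", "infrastructure"),   # management traffic only
]
FLOWS = [
    Flow("pharmacy-app", "core-switch", True),
    Flow("core-switch", "ehr-db", True),
    Flow("ehr-db", "analytics-app", True),
    Flow("billing-app", "edge-firewall", True),          # state submissions
    Flow("edge-firewall", "claims-clearinghouse", True), # third party, not inventoried
    Flow("hr-payroll", "core-switch", False),
    Flow("mgmt-switch", "core-switch", False),
    Flow("edge-firewall", "marketing-site", False),
]

if __name__ == "__main__":
    r = derive_scope(INVENTORY, FLOWS)
    for name in sorted(r.in_scope):
        print(f"IN SCOPE  {name:18} {r.reasons[name]}")
    for a in INVENTORY:
        if a.name not in r.in_scope:
            print(f"OUT       {a.name}")
    for f in r.findings:
        print(f"FINDING   {f}")
```

With the sample data, `mgmt-switch` and `hr-payroll` stay out even though they plug into the same core switch as the EHR database, because their flows carry no ePHI; `mri-workstation` is in scope with no network connection at all; and `analytics-app` is both scoped in and flagged, which is the conservative choice when the inventory and the data-flow map disagree.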

The HITRUST CSF is scalable. The organizational, system, and regulatory risk factors you identify will determine the total number of control requirements that apply to your assessment scope, so the answers to the questions below change how much work the assessment involves. In this webinar, we give examples of questions you should be asking during the scope determination process:

  • How many records does your organization store?
  • Does the system store, process, or transmit sensitive information?
  • Is the system accessible by a third-party?
  • What is the number of interfaces to other systems?
  • How many transactions per day does the system process?
  • Is your organization subject to PCI compliance?
  • Is your organization subject to the State of Massachusetts Data Protection Act?
  • Is your organization subject to the State of Texas Medical Records Privacy Act?

More about HITRUST

HITRUST is a not-for-profit organization founded in 2007, “born out of the belief that information protection should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges.” HITRUST partners with public and private healthcare technology, privacy, and information security leaders. HITRUST develops, maintains, and provides broad access to its common risk and compliance management frameworks. The HITRUST CSF is a certifiable framework that provides organizations with a comprehensive, flexible, and efficient approach to regulatory compliance and risk management. The framework was developed to address increasing regulatory scrutiny, increasing risk and liability associated with data breaches, inconsistent implementation of minimum controls, and the rapidly changing business, technology, and regulatory environment. It is a healthcare industry standard built from what works within other standards and authoritative sources, such as ISO 27001/27002, HIPAA, PCI DSS, and NIST SP 800-53, to name a few. It was also built on risk management principles, and it aligns with existing, relevant controls and requirements.

Have questions about HITRUST CSF requirements? Contact our team today to have them answered. KirkpatrickPrice can assist you with SOC 2, SOC 2 +, SOC 2 + HITRUST CSF Certification, HITRUST CSF Certification, Assisted HITRUST CSF Self-Assessment, Policy and Procedure drafting, guided Risk Analysis, and general guidance/consulting.

Additional Resources

Contact us today to get started on your HITRUST journey.