As the future of health becomes increasingly linked to digital technologies and cloud computing, organizations across the healthcare industry aggregate, generate and share a tremendous volume of data. At the same time, cyberattacks are on the rise.  In just a decade, reports the HIPAA Journal, the number of healthcare industry data breaches of 500 records or more climbed from 218 in 2012 to 707 in 2022—a 224% jump. As a result, healthcare providers and payers need a clear way to see how entities you do business with—including your prior authorization software provider—handle data security. 

What Is HITRUST CSF?

HITRUST stands for the Health Information Trust Alliance and CSF standards for Common Security Framework. Established in 2007, the HITRUST Alliance aggregates rules, regulations and expert guidance from more than 40  international bodies, Federal and State agencies, industry organizations  and others. It then consolidates and normalizes the disparate rules into a unified, consistent framework. This enables organizations to more effectively manage data, information risk, and compliance. Some of the aggregated sources include: 

• Organisation for Economic Co-Operation and Development (OECD) Privacy Framework 
• Asia-Pacific Economic Cooperation (APEC) Privacy Framework
• General Data Protection Regulation (GDPR) European Union 
• HIPAA Security Rule, Breach Notification Rule, and Privacy Rule 
• Health Industry Cybersecurity Practices (HICP) 
• CMS Minimum Security Requirements for High Impact Data 
• California Consumer Privacy Act
• State of Nevada: Security and Privacy of Personal Information
• State of Texas Standards Relating to the Electronic Exchange of Health Information  
• Numerous ISO/IEC Standards related to  Information Technology, Security and Privacy

The HITRUST CSF simplifies requirements into a single framework. The framework can scale to meet evolving security and privacy requirements based on your organization’s risk considerations and exposures. Categories within the framework include: 

• Information Security Management Program
• Access Control
• Human Resources Security
• Risk Management
• Security Policy
• Organization of Information Security
• Compliance
• Asset Management
• Physical and Environmental Security
• Communications and Operations Management
• Information Systems Acquisition, Development, and Maintenance 
• Information Security Incident Management 
• Business Continuity Management
• Privacy Practices

The HITRUST Alliance explains, “It should be noted that the order of the control categories does not imply importance; all security and privacy controls should be considered important. However, the full implementation of an information security management program (Control Category 0) will allow an organization to better identify, define, and manage the processes and resources that are necessary for proper data protection, which can be measured with the CSF.” 

How Does Certification Work?

HITRUST is the only standards development organization with a framework, an assessment platform, and an independent assurance program. While designed to address the needs of organizations in highly regulated industries like healthcare, it remains flexible for varying needs and risk exposures. The HITRUST Alliances notes, “The HITRUST CSF allows organizations in any sector globally to create, access, store, or transmit information safely and securely—with confidence.” 

The certification includes: 

• A readiness assessment using the HITRUST MyCSF tool that compares existing data security and privacy controls against the HITRUST framework. 
• A remediation stage where you address gaps or weaknesses in practices and policies.
• A validation assessment, conducted by a trained assessor, typically includes interviews with key personnel, vulnerability scans, as well as the review of controls and supporting documents. 
• A quality assurance review of the validation assessment by HITRUST rounds out the process, after which an organization is “Certified”. A 12-month interim assessment is required to ensure that data security and privacy processes remain compliant.

The HITRUST Alliance offers three levels of certification to meet the needs of different organizations:  

• e1 Certification: This one-year certification focuses on basic cybersecurity hygiene and HITRUST-identified critical cybersecurity practices. It is the lightest lift, making it most appropriate to organizations with low risk exposure who want to demonstrate a commitment to basic security. (Uses less than 50 controls.) 
• i1 Certification: Also a one-year certification, the i1 encompasses all e1 controls, plus additional controls that reflect leading cybersecurity practices and threats. (Uses 180 controls.) 
• r2 Certification: As the most rigorous certification level, it includes all e1 and i1 controls, plus controls tailored to the organization’s specific risk profile. (Uses 400 controls on average.) 

What Are the Benefits of a HITRUST CSF-Certified Prior Authorization Software?  

When the HIPAA Journal tallied up the results of hacking incidents, ransomware attacks, and other cyberthreats, it noted that more than 382 million healthcare records have been exposed since 2009, equating to 1.2X the population of the United States. Maintaining up-to-date security and privacy standards is critical given the constant cybersecurity threats. 

As we all know, big problems tend to generate big publicity, so data security (or lack of it) has become a hot topic with regulators and healthcare consumers alike.  Ensuring the confidentiality, integrity, and availability of all forms of Protected Health Information (PHI, ePHI) is crucial to keeping the trust of healthcare consumers and avoiding costly compliance failures and reputational damage. 

Working with a HITRUST CSF-Certified partner offers peace of mind. Certification attests that the solution meets regulatory requirements around protection of data and other digital assets. Plus, you gain the confidence of working with a technology partner that is alert to the changing nature of security threats and compliance expectations. 

As a HITRUST r2 CSF-Certified provider of prior authorization software, Myndshft automates secure data exchange, so you can focus on patients, not paperwork. Ready to learn more? Let’s talk.